Spam, Phishing and Email Security
Email: Security, Spam and Phishing
© Prof. Amir Herzberg Computer Science Department, Bar Ilan University http://AmirHerzberg.com
Introduction
Email: refresh, goals, threats, tools
Phishing and spam; tragedy, legal
Basic defenses
Port blocking
Content Filtering
White/Blacklists/Greylisting
Sending-domain Validation
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
Future? [Reputation, Accreditation, Penalties…]
And : phishing in social networks
Mail Servers
Why Study Email Security?
Email: vulnerable application
Spam, spoofed mail, phishing, scams…
Confidentiality, Integrity, Authenticaton, …
All easier on social networks… why email?
Answer: interoperability, use, openness, trust
Spear-phishing: still #1 way to attack enterprises!
Still… Least hot part of course
Toward end: phishing in social networks
User Agent submits (sends) via Mail Submit Agent (MSA)
User’s mailbox kept on Mail Delivery Agent (MDA)
Relaying by Mail Transfer Agents (MTA)
[RFC 821, 1821, 2821, 5321]
Over TCP Initiated by sending agent, called SMTP-client SMTP-server listens on port 25, receives email
MUA (Mail User Agent) to MTA (Mail Transfer Agent) Or: MTA to MTA
Three phases: handshake (greeting) transfer of (one or more) messages
Default: one message at a time (to 1 recipients) Pipelining: only supported by extension, see RFC 2920
1
But TCP still pipelines packets!
closure ASCII command/response interaction
MTA B
Internet MSA
MDA
Alice's MUA
Bob's MUA
Domain a.com
Domain b.com
Next (or skip): refresh on email
SMTP: Simple Mail Transfer Protocol
MTA A
SMTP Phases
Handshake (greeting)
TCP Connection Setup: SMTP-server rejects if overloaded Server hello: sends 220 B.com
Client hello: sends HELO A.com
Server may delay hello (until ready)
Or EHLO (extended hello: supports options)
Transfer of one or more messages:
Envelope:
MAIL FROM: sender email (for error report) RCPT TO: recipient that Receiver-SMTP should deliver to Multiple recipient by multiple RCPT TO commands
Message: RFC822 message (and headers), then terminator
SMTP closure: C: QUIT, S: 221 TCP connection closure (initiated by SMTP-client)
Closure
MAIL FROM:
[email protected]
RCPT TO:
[email protected]
MAIL FROM:
[email protected]
Repeat for more recipients
RCPT TO:
[email protected] m
DATA
Mail envelope: MAIL FROM:, RCPT TO: addresses SMTP uses these fields to route / reject messages
Accept only mail to known users
More on this later
Distinct from “similar” Email message headers (RFC 822, 2822, 5322)
Multiple recipients, BCC S: C: S: C: S: C: S: C: S: C: S: C: C: C: C: C: S: C: S:
220 sponge.com HELO A.com Notice also 250 OK multiple RCPT TO MAIL FROM:
(one per recipient, 250 OK all in same domain) RCPT TO: [email protected] 250 OK RCPT TO: [email protected] 250 OK DATA 354 Enter mail, end with "." on a line by itself from: [email protected] to: [email protected] I _still_ did not receive the goods you promised . 250 OK QUIT 221 b.com closing connection
Envelope
Message
SMTP delivers each message by the sequence:
Close
SMTP Envelope
Handshake
SMTP Phases and Envelope
– E.g.: Hex encoding (x’A3’”A3”); usually use base64 (~20% extra)
• Identify in header: MIME version, encoding, data type, subtype – Types: Text, Image, Audio, Video, Application, Multipart MIME version method used to encode data Data type/subtype encoded data
From: [email protected] To: [email protected] Subject: Picture of yummy crepe. MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Type: image/jpeg base64 encoded data ..... ......................... ......base64 encoded data
Multipart: multiple parts (with separators defined in header)
2
[SYN] [SYN+ACK] [ACK, no data] 220 B.com Server (S:) B.com (Bob’s) HELO a.com Sender (client) MTA: a.com (Alice’s) 250 OK MAIL FROM: Inform [email protected] of 250 OK delivery error (`bounce`) RCPT TO: [email protected] 250 OK DATA 354 Enter mail, end with "." on a line by itself from: [email protected] to: [email protected], [email protected]
RFC822/2822/5322
Email Message Syntax what a wonderful message . 250 OK QUIT [+FIN] 221 b.com closing connection [+FIN] [ACK, no data]
Mail message format (RFC 822/2822/5322) • Header lines, e.g., – – – – –
To: From: Subject: MANY… unknown ignored. IDs may differ from envelope IDs, e.g. forwarding – And: more message IDs: sender, resent-from, …
Header
blank line
Body
• Blank line • Body – Message: printable ASCII chars only – Send non-ASCII chars by encoding (MIME – hidden)
Envelop IDs Message IDs
MIME: multimedia mail extension • How to send non-ASCII data, e.g. picture, program? • Encode: map data bytes to (more) printable-ASCII bytes
C: S: C: S: C: S: C: S: C: S: C: S: C: C: C: C: C: S: C: S: C:
(Alice sent via ISP A.net to [email protected], forward to [email protected])
S: C: S: C: S: C: S: C: S: C: C: C: C: C: S: C: S:
220 B.com Server (S:) B.com (Bob’s current company) HELO acm.org Sender (client) MTA: acm.org (forwarding srvc.) 250 OK MAIL FROM: Inform [email protected] of 250 OK delivery error (`bounce`) RCPT TO: [email protected] 250 OK DATA 354 Enter mail, end with "." on a line by itself from: [email protected] to: [email protected], [email protected]
RFC822/2822
Email Message Syntax what a wonderful message . 250 OK QUIT 221 b.com closing connection
Email Sender Identities
SMTP Error Handling
SMTP-Client, Helo name identify only relaying agent (MTA)
MUA displays only the From: header (usually)
Often unrelated to email sender identity
RFC822 From: asked for message to be sent
To allow transparent mobility But, spoofing email becomes trivial (so some prevent/authenticate) Partial alternate solution: use Reply-To: header
Reliability: Key goal of SMTP
If agent cannot deliver before sending OK:
Most MSAs allow use of any From: identity
Several other sender-related identifiers: Sender: “entered message into email stream” Resent-from, resent-sender:
RFC2822: identifies party (time, etc.) resending message Specifically not intended for use for forwarding (by user or by service) But used, e.g. by sendmail, mailing-lists…
Transient error (4xx): retransmit after reasonable delay
May try alternate route (use secondary mail server)
Send Delivery Status Notifications (DSN) to bounce (mail from) address
DSN has empty MAIL FROM field
Receiving Relay: recipient in the domain
Authorized-sender Relay: from authenticated domain user, or from authenticated MTA / MSA in domain
Or: Direct from sender domain to receiver domain
Assume: Authorized-sender or receiving relaying
Direct from sender domain to receiver domain
Or: Inside sender / receiver domain
Consider traceback (e.g. of spoofed email) No conflict using log files and traceback information, identify “real” source of email Traceback conflict:
From outgoing MTA in sender domain (e.g. a.com)
To incoming MTA in recipient’s domain (e.g. b.com)
If among servers within domain: detect corruption!
Traceable Relaying: Inside (sender/recipient) domain, or direct (sender to receiver domain)
If sender domain denies: may refuse future connections
Caution: Can also be corruption of “our” server or a spoofed connection
Allows responding to traceback conflict
SMTP Traceback
Email Relaying Services
Relaying within domain is fine
Open Relay MTA
MUA to MSA
MSA to MTA
MTA to MDA
Sender-Receiver relaying is fine
From sending MTA
To receiving MTA
Open Relay:
3
Permanent (5xx) or transient (4xx) error codes
Relaying and Traceback Conflict
Usually: Relaying is inside sender / receiver domain
Signal to Sender-SMTP by error code
If agent cannot deliver (after sending OK):
Relaying in SMTP
Recipient not known, sender not allowed, queue full, etc.
On error in transfer to next mail server:
Bounce address to report errors (next topic)
Not in sender and receiver domains
MTA A
MSA
What if bounce address is corrupted?
Solution: Traceback message route
Origin selects, puts unique Message-ID:
Each SMTP-receiver adds header to message
MTA B
MDA
Alice MUA
Bob MUA
Domain a.com
Domain b.com
Delivery Status Notifications (DSN) depend on bounce address (MAIL FROM / Return-Path:)
Possibly intentionally (to hide traces – e.g. spoofed email)
received: from by for ;
, : domain names and IP addresses
SMTP servers maintain logs to confirm / deny received: records
Traceback conflict one of the pair lies
Open Relay Considered Harmful
Open Relay: MTA that relays from and to outside its domain
Email Threats, Goals, Tools Exposure of: content, peers, location
Main tool: encryption (S/MIME, PGP,...)
Years Ago: No DNS Open relaying was critical
Receiver must be able to correctly decrypt
Today: Often abused to send spam
Other tools: unintentional leakage detection, …
Upon traceback, Open Relay claims it got email from xxx
Is xxx bad? Or is the Open Relay lying and faulty?
Tools: digital signatures/MAC (S/MIME, PGP, DKIM…)
Relay only inside domain or from sender’s domain
Many MTAs refuse email from Open Relays
Goals: integrity / authentication / `non-repudiation` (?)
Most MTAs are not Open Relays
Fake email
DKIM: invisible to non-supporting recipients
Spam/phishing: undesirable/malicious (email) msgs
Goals: block / limit / deter (punish)
Our focus
Key Distribution: still a challenge!
End-to-End E-mail Crypto
Encryption: public key, shared key, hybrid (envelop)
Digital signatures and message authentication
End-to-End: Sender & recipient must interoperate Backward-Compatible Crypto (`no harm’) ?
Encryption: absurd
Authentication / signatures ? It depends:
Ignored by non-compatible MUA
Spam: unsolicited, undesirable communication
Lots of it (`bulk')
Without `warning label` (AD: xxx...)
4
Getting certificate is not too difficult or expensive - but few do
In theory, user may edit (remove, add, etc.) – very few do
Security based on that of DNS (or DNSSEC)
PGP: User manages public keys of peers
Peer to peer – “web of trust” model
Each user acts as a certificate authority (CA)
User can accept public keys “certified” by a trusted peer
Messaging apps (e.g. What’s up):
Default: distributed by (trusted??) provider
Rarely used, problematic manual procedure
Why we hate Spam
Spam annoys and wastes time, resources
Spam motivates net-bots
Spam carries:
Mostly: (illegal) ads and phishing
Scams: Pyramid schemes, stock `tips`, …
Phishing: E.g., expose credentials to fake site
Enter (spoofed) website, run malware, etc.
Malware
Spear-phishing: same but targeted to user
Undesired content: e.g. “CP” (child porn)
Phishing: (spam) trying to fool the user:
Predefined list installed in MUA
Spam, Phishing, Spoofing
DKIM: Public key defined in DNS record
DKIM: “transparent” signatures & keys In new email message headers, e.g. DomainKeys-Signature:
S/MIME: List of trusted Certificate Authorities (CAs)
OpenpPGP, S/MIME: Signature as (unknown?) attachment
Identify/authenticate `sender’ [user? Server? Provider?]
May not be `bulk’
Spoofed site: unauthorized mimic of a site
If we all hate it, why providers send it?
The Spam Tragedy
Picture a common pasture, Ok for 105 sheeps
Ten farmers – each has ten sheep – all is fine
Often sent illegally, from Zombies (spambots)
If one farmer adds five sheeps...
Often contains scams, malware, porn, etc.
Other laws – privacy, copyright, minor-protection,...
He will have 11 sheep, and the pasture – 105 – great!
But if ALL farmers do this 150 sheeps!!
Similar: bandwidth, pollution, IP spoofing…
Marketing & commercial Email could be valuable
Spammers often violate many laws
Anti-Spam Legislation
Spam is an example of the tragedy of the commons
But: Costs of sending Email are negligible
Solutions: impose limits or costs
Technical and/or legal
Special anti-spam legislation
Opt-in – mandatory prior consent to Email
Opt-out
Benefits:
Reduced spam by law-abiding entities
Also: opt-out, `ad` labels easier to filter
Blocking Spam/Phishing: Goals
Spam, Phishing and Email Security
Introduction
Basic defenses
Port blocking
Content Filtering
White/Blacklists/Greylisting
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
No significant extra delay
Abuse-free, e.g. do not spam others
Esp.: avoid `framing' (Joe-Job)
Block most spam/phishing emails
Acceptable, `minimal' overhead
Applied by recipients or by mail servers
And : phishing in social networks
Avoid false-positives (lost mail)
Future? [Reputation, Accreditation, Penalties…]
Sending-domain Validation
Do no harm
False-negative phishing emails esp. harmful
Basic Spam Blocking Mechanisms
Content-Filtering
Blacklists [By IP/name]
No `open relays`
Send only via MSA, MTA
5
MTA A
Remote submit: port 587
Otherwise, a.com can be blamed (blacklisted) due to corrupt client
MSA
Alice's MUA Domain a.com
Carl's MUA
MDA MTA X
Bob's MUA Domain b.com
Validate senders
Users: auth, quota
Servers: rDNS, SPF,…
© Gila Kaplan (with permission)
Content Filtering: Inspect message contents to categorize, block spam
MTA B Internet
Block pkts to dst port 25
Content Filtering
Incoming and outgoing messages
By rules, statistics, machine learning [see hidden]
Actions:
Allow
Block entire message
Block/change part, e.g. suspect attachment, url
Label, e.g.: X-Spam-Status: No, score=1.7
Spam Content Filtering – Trends
Very effective against ‘simple’ spam
Identifies spam with removal instructions easily – benefit from anti-spam laws Detect “intentional typos”, etc.
Blacklists (DNSBL)
Viagra suspect spam, Viaggra surely spam
Ultra-short spam: “You must see ”
URL-blacklists become critical
Mimic legit mail (keywords,...)- esp. phishing
Learn to circumvent filtering
Efficient distribution – caching by ISPs
Spammers adapt
Most blacklists use DNS (hence DNSBL)
To query if IP address ww.xx.yy.zz is in list EBL.net
DNS “A” query for zz.yy.xx.ww.EBL.net
DNS addresses: right to left
IP addresses: left to right
Response ww.xx.yy.zz in EBL.net Can reply for addr block: xx.ww.EBL.net
Value can be “Type of Abuse”
Spam comment/blog: immediate feedback
Aggressive Blacklisting
May provide details, e.g. via DNS “TXT”
Criticism of Blacklists
Even when blocking entire `suspect IP prefixes’
Example: Spamhaus Block List (SBL): 12%
Imprecise, negligent, obsolete listings Unfair, hidden interests & agendas Collateral damages
Over-zealousness / censorship:
Not much spam is from known sources
Aggressive blacklisting: beyond “known sources”
XBL: Exploit Block List
Open proxies / relays, Open port 25,…
Block Email with URL to spam site
Example: Spamhaus “URL on SBL”
Source: Spamhaus
Some lists block entire countries!
Blocking open relay / proxy before abuse Blocking “spam supporters”
Fail for new spammer's IP
In particular, route-hijacking
Email connection from IP
Black/grey/white lists
Blacklists: known `bad` senders
Block entire `suspect' address blocks
Motivating ISP/companies to block port 25 (SMTP)
Fails if sending from valid acct at legit mail server
Add IP to greylist (after delay) Temporary Failure Invalid
Whitelist of (domain) names: allows flexibility, requires authentication (DKIM) or authorization of IP (SPF)
IP in blacklist
Is IP in one of the lists?
Validate sender Domain (SPF, DKIM,FCrDNS)
IP in whitelist Valid
N/A Domain in whitelist?
Most spammers are `new`, short lived, & do not resend
Whitelists: known `good` senders (by IP or name)
No
IP in greylist
Greylist: recently / already seen senders, blocked emails
Identify (mainly) by IP of sending server
No Opt: add IP to blacklist
Yes
Fail Content-based Classifier
Ok Ok Block
6
Block
Spam, Phishing and Email Security
Spam, Phishing and Email Security
Introduction
Introduction
Basic defenses
Basic defenses
Port blocking
Content Filtering
White/Blacklists/Greylisting
Sending-domain validation
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
Future? [Reputation, Accreditation, Penalties…]
Port blocking
White/Blacklists/Greylisting
Content Filtering
DNS-based Authorization
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
Reputation, Accreditation, Penalties
And : phishing in social networks
SMTP-Sender Authorization
Authorization – Which Domain? Policy record: “Our domain users always send via this MTA(s)”
Email Outgoing server Authorization Policy
E.g.: “Our users send only via these mail servers”
Question: Which domain to query?
Receiver uses policy of sending domain
Naive choice: domain of From: address
Identify IP add of domain’s outgoing mail server
Found, valid sending-MTA's IP: Accept
Found, invalid sending-MTA's IP: reject or tag
No policy for sending domain: no indication
Which domain's policy?
From: address is shown to user
Agent (person / program) who wrote the message
But mailing lists keep “from:” address of Email
Mail-From? HELO? `From'???
Authorization – Which Domain?
Mailing list's MTA not of `From' domain
MTA A
Abe MUA Domain a.com
S: 220 ML.com C: HELO a.com S: 250 OK C: MAIL FROM: [email protected] S: 250 OK C: RCPT TO: [email protected] S: 250 OK C: DATA S: 354 Enter C: from: [email protected] C: to: [email protected] C: C: New to list
ListOut MTA
List Server
AList-In l MTA ListServ Domain ML.com
S: 220 B.com C: HELO ML.com S: 250 OK C: MAIL FROM: [email protected] S: 250 OK C: RCPT TO: [email protected] S: 250 OK C: DATA S: 354 Enter C: from: [email protected] C: to: [email protected] C: sender: [email protected] C: C: New …
MTA B
Policy record: “Our domain users always send via this MTA(s)”
Question: Which domain to query?
Naive choice: domain of From: address
Domain b.com
From: address is shown to user
Agent (person / program) who wrote the message
But mailing lists keep “from:” address of Email
SPF (Sender Policy Framework):
Sender-ID (later): Result of PRA algorithm
7
MAIL FROM address and (optionally) HELO address
DSN and MAIL FROM Address
Recall: if dest (B.com) cannot deliver after sending 250 OK:
DSN: Delivery Status Notification (`bounced mail’)
Mail-From also called bounce address
Use mainly when no MAIL-FROM exists (in a DSN) Details: soon
Persistent failure (DSN or direct): remove [email protected]
Sender Policy Framework (SPF)
Authorizes the Email envelope MAIL-FROM
SPF policy: a DNS record
SPF: who can send with given mail-from addr Mail-from: addr for bounce (DSN)
But: Mail-From is Not visible to recipients
A new SPF DNS record, or format for TXT DNS record
Record is for the domain name (no prefix), e.g. x.com
So, what’s the use??
Whitelist MTA of good sending domains
Other uses, e.g., monitoring sending MTAs
SPF Process
b.org's Incoming MTA
a.com's authoritative DNS server ... [email protected]...
b.org's DNS proxy server
SPF RR of a.com, e.g.: v=spf1 +IP:1.2.3.4 ~all Validate that sending MTA's IP (1.2.3.4) is authorized by policy
Yes: continue accepting email
No: reject (break SMTP connection)
Or wildcard: *.x.com
Plus: can define at top-level domain (not SPF.x.com)
Minus: conflict with other TXT records (try SPF first)
SPF policy records kept in DNS
In TXT and/or SPF records
Define which hosts can be Sender-SMTP for domain
Simple Format, e.g. v=spf1 +IP4:133.3.3.3 –all (version 1, 133.3.3.3 is outgoing MTA, none other)
SPFrecord =“v=spf”version terms
Terms= *( SP (([qualifier] mechanism) / modifier )
SPF RR of a.com
SPF of a.com doesn’t exist? … Ask for TXT instead!
Limit length (<450chars), so DNS response is sent w/ UDP
SPF Policy DNS Record
Request SPF RR of a.com
Request SPF RR of a.com
Or HELO address, when no MAIL-FROM exists (DSN)
Phishing: rfc822.from ≠ Mail-From
Sending MTA IP:1.2.3.4
8
SPF policy: a DNS record
Permanent failure: most lists do not send Delivery Status Notification (DSN) to sender [email protected]
Try alternate routes, retransmit on transient errors
Also the HELO address
DSN itself uses empty MAIL FROM address
The “bounce-to” address Used to send Delivery Status Notifications (DSN)
Do not bounce – can cause loop
Using SPF to…whitelist!
Authorizes the Email envelope MAIL-FROM
If list fails to deliver to b.com:
Most deployed outgoing MTA authorization system
Send DSN to MAIL FROM address: [email protected]
If bounce DSN fails to deliver:
Sender Policy Framework (SPF)
Version={1, 2.0}; version 2.0 is actually sender-ID [later]
qualifier: one of: +, -, ~, ?
Mechanism: method of identification, e.g. by IP address
mechanism = ( all / include / A / MX / PTR / IP4 / IP6 / exists )
SPF: Basic Mechanisms (Operators)
SPF Qualifiers
Basic SPF example: v=spf1 +IP4:133.3.3.3 ~all (version 1, 133.3.3.3 is outgoing MTA, none other)
Qualifiers:
+ [default] pass: allow use
– fail: forbid use
? don’t know (Neutral)
“all”
“ip4:” ip4addr [“/” length], “ip6”…(same)
“a” [“:” domain-spec] [“/” length]
“mx” [“:” domain-spec] [“/” length]
PTR = “ptr” [“:” domain-spec]
Domain-spec: a domain name, or macro…
E.g. this IP address allowed to send for this domain
Policy not enforced yet (e.g. experimentation phase)
~ probable fail (SoftFail)
Testing phase
SPF domain-spec & other macros
Many mechanism and modifiers can be macros
Complex syntax… simplified here; see ch. 8 of RFC 4408
domain-spec = *(macro / DomainString)
DomainString = *(alphanum / “.”alphanum)
macro = “%{“ macro-letter [*DIGIT] [‘r’] “}”
macro-letter =
“s” :
“l” : local-part of
“d” :
“i” : (in dot-format)
“h” : HELO/EHLO domain
“r” : domain name of host checking
“t” : current timestamp
`r`: reverse, e.g.: =1.2.3.4 %{ir}=4.3.2.1
Number of parts, e.g.: =1.2.3.4 %{2ir}=2.1
IN TXT “v=spf1 include:a.net include:a.org –all”
If result is…
9
Fail/Neutral: no match;
Error: abort with Error
address specified by MX record for domain-spec
Tests if rDNS for points to domain-spec
Tests for existence of domain-spec
Use for:
Check on blacklist: -exists:%{ir}.DNSBL.org
Generate log to identify use of domain in testing phase, e.g.: v=spf1 exists:%{h}.%{l}.%{i}.log.%{d} ?all
Create fine-grained restrictions, e.g. per-user, per-time,…
Limiting SPF's DNS Queries
SPF validation causes DNS queries:
For policy (TXT and SPF)
Due to some (A, MX, PTR, Include,..) mechanisms
Possible abuse for DoS, DNS-poisoning
Spec limits to 10 mech, 10 queries/mech
`pass` (+) - this is match;
address specified by A record for domain-spec
“exists:” domain-spec
Returns result of applying SPF policy of specified domain E.g., if a.com sends mail via a.net or a.org, it may have:
IPv4 / IPv6 address, e.g. +ip4:6.6.6.0/24
“exists:” Mechanism and its Use
include:domain Mechanism
matches everything (at end)
Still: can cause 100 queries by single email
Each query can cause ~10 retransmits (how?)
Other concern: forwarding
Forwarding with SPF
Forwarding retains Mail-From address
To inform sender (Abe) of problems
Hence: (typical) forwarding breaks SPF [hidden]
Don’t use SPF
include:b.edu or “skip SPF if sender-SMTP is b.edu”
Hence – should authorize sender-SMTP
May differ from originator (From:) identity
Function of message header fields, e.g. From:, Sender:
Criticism: modified use of SPF v=1 records
Idea: Authorize use of MUA-visible identity
Requires defining & displaying appropriate identity
Identify party responsible for sender-SMTP
Then look-up appropriate SPF record
PRA: Purported Responsible Address
Does PRA improve security – or degrade security? From [email protected] on behalf of [email protected]
What is secure now (for [email protected] - outlook user)
If SPF/PRA (Sender-ID) was validated by MDA, then we know “last sender” is really [email protected]
User can’t know whether validation was done!
But anyway…Recipient only cares about originator
Bob trusts [email protected]
Will not always be done – mail server decision
Can Bob trust that message was from [email protected] ?
“Hybrid identity” – to be displayed by mail clients
Spam, Phishing and Email Security
PRA: False Sense of Security? (2)
And/or (less common) other message (RFC 822) headers
PRA: False Sense of Security? (1)
Algorithm: in hidden foil
Use SPF records: existing (SPF v=1) or "spf2.0/pra", "spf2.0/mfrom", "spf2.0/mfrom,pra"
E.g. – mailing list identity (usually in “Sender”)
MAIL-FROM (bounce) – in envelope
How senders can get Delivery Status Notifications (DSN)?
Last “entity” responsible for message transfer
HELO/EHLO domain – in greeting
SIDF (Sender ID Framework – by Microsoft)
Change MAIL-FROM to forwarder (b.edu)
PRA: Purported Responsible Address
IP address – in IP header
Change forwarding
Almost all MUAs identify messages using From:
SPF-compatible forwarding (?)
SPF identifiers discussed so far:
Whitelist forwarders in SPF policy or by receiver
Solutions?
SPF vs. SIDF (Sender ID Framework)
Does PRA improve security – or degrade it?
From [email protected] on behalf of [email protected]
Introduction
Email: refresh, goals, threats, tools
Phishing and spam; tragedy, legal
Suppose SPF/PRA validation was done
And: Recipient (Bob) trusts [email protected]
Port blocking
Can he trust message was from [email protected] ?
Content Filtering
No! Would see this also if b.edu got message from:
White/Blacklists/Greylisting
Mailing list (not using SPF/PRA screening)
Another forwarder (not using SPF/PRA screening)
A spammer pretending to be such a list / forwarder
Misleading – false illusion of security?
Basic defenses
Sending-domain Validation
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
Future? [Reputation, Accreditation, Penalties…]
10
And : phishing in social networks
SMTP connection from IP
Email connection from IP No
Add IP to greylist (after delay) Temporary Failure
Validate sender Domain (SPF, DKIM,FCrDNS)
Temporary Failure
IP in whitelist
IP in greylist
Valid
No/bad signature (and sig required) Domain in whitelist? No
Fail Yes
N/A FCrDNS?
Valid
Check DKIM Signature
Valid
Opt: add IP to blacklist Ok
Fail
Content-based Classifier
Domain Keys Identified Mail (DKIM)
Transparent, compatible with existing MUA
Only adds new headers, e.g. DKIM-Signature:
Ignored by legacy clients & servers
No unknown MIME type no questions!
Email signed by:
Outgoing MTA (usually)
MUA (or intermediate MTA)
But could be any DNS entity
Simple key management
Domain in whitelist? Yes Ok
Example of DKIM Signature, Tags DKIM-Signature: a=rsa-sha1; d=example.net; s=brisbane; q=dns; [email protected]; t=1117574938; x=1118006938; h=from:to:subject:date; z=From:[email protected]|To:[email protected]| Subject:demo%20run b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG
a= algorithm
d= domain
s= selector subdividing namespace for the "d=" (domain) tag
q= key query method(s) (default: dns)
i= `signing address`; email address of the user or agent accountable for message. Domain must be `under` d= domain.
t= Signature creation timestamp
x= Signature Expiration time (default: no expiration time)
h= Signed header fields, z= copied header fields
b= (encoded) signature value
DKIM Key Record
DKIM goal: simple key management
Simple textual, tag-value-list format
Default: fetch public key from DNS (q=dns)
v=; default (and only valid now) is v=DKIM1
Other methods to fetch key are optional (and not specified yet)
DKIM keys stored in “_domainkey” subdomain
DNS records, type: TXT or DKK
DKK: New binary DNS type
Binary – to allow large keys in single DNS UDP packet (<512B)
Try to get first – if fails, get TXT record
g=; local-part of the signing address (i=) specified in the signature
DKIM signatures identify PK by domain (d=) and selector (s=)
Given DKIM-Signature: d=example.net; s=brisbane…, the DNS query will be for brisbane._domainkey.example.com.
Block
Block
DKIM Key Management
11
No
Ok
Block
Block
Pass
N/A
Fail Content-based Classifier Ok
IP in blacklist
Is IP in one of the lists?
Unauthorized IP (SPF hard fail) Domain authorized Yes this IP? (SPF)
N/A
Opt: add IP to blacklist
No
Add IP to greylist (after delay)
IP in whitelist
IP in greylist
Invalid
IP in blacklist
Is IP in one of the lists?
Use * for wildcard, e.g. g=Alice+* (for [email protected]).
Hash and signature algorithms (h=, k=)
p=
(more: hidden foil)
DKIM: DNS Security Issues
DKIM retrieves public key using DNS (if q=dns)
Other methods to fetch key are optional (and not specified yet)
`Domain Policy Records` and Secure DNS
Problem 2: attacker blocks DNS response
How we know a domain uses DKIM?
Problem 1: DNS poisoning (fake response)
`Excuses` (in spec): complex attack, limited damage…
Solution: use Secure DNS (SEC-DNS)
Problem 2: attacker blocks DNS response
How we know a domain uses DKIM?
DKIM ADSP Process a.com's authoritative DNS server
b.org's Incoming MTA
... [email protected]...(no DKIM-Signature)
What if attacker blocks ADSP?? Secure DNS server signs response range: We get proof of no record for Alice, Bob!
DKIM and Email Mangling (1) b.org's DNS proxy server
Request ADSP RR of a.com
Request ADSP RR of a.com ADSP RR of a.com: all my email has DKIM-Signature !
ADSP Reject: email from a.com must have DKIM-Signature
Mail agents may modify (“mangle”) email:
Add header
Insert “white space”, e.g.
Add prefix and/or suffix text (“scanned by…”)
Cryptographic authentication:
Sensitive to any change in content
Validatev(m’, Signs(m)) = False
For any m’m, even m’mangle(m)
Solutions in DKIM [hidden]
Scope limitations
Canonicalization
Spam, Phishing and Email Security
Email: refresh, goals, threats, tools
Phishing and spam; tragedy, legal
Basic defenses
DMARC: Domain-based Message Authentication, Reporting & Conformance Addresses problems with DKIM+SPF:
Port blocking
Content Filtering
SPF fails w/ forwarding, DKIM with mangling…
White/Blacklists/Greylisting
DMARC: do both!
Report authentication-failures
Sender policy on handling failures
Reduces false positives usable!!
Sending-domain Validation
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
Future? [Reputation, Accreditation, Penalties…]
12
DMARC
Introduction
ADSP says: This domain always uses DKIM (cf. SPF)
Signac.il.s(from=“abe”,fkey=a8us…,to=“carl”,tkey=acjk7 …)
Validation fails… false positive / negative?
Sending MTA IP:1.2.3.4
To ignore unsigned (fake) messages from it ADSP (author domain signing practices) in DNS
Validation fails… false positive / negative?
And : phishing in social networks
Identify attacks & problems, resolve problems
DMARC Policy Yet-another
DNS record: TXT _dmarc.xxx.com
DKIM adoption
Receivers should:
Verify alignment (DKIM signature Ok)
Verify authorized sender (SPF):
From header domain = SMTP MAIL FROM domain
Senderʼs IP address is validated by SPF.
If either true: email Ok by DMARC (`pass’)
If both fail: follow DMARC failure policy
Block, quarantine, report
SPF adoption DMARC adoption
©Lars Eggert Thanks Lars!
Phish-or-Real Classification
Phish-or-Real Classification Content classifiers work well for most ad-spam
Classification to three types:
Keywords, URLs, lots of learning samples,...
Challenge: classify to `Phish' vs. `non-phish`
Phishing messages, sites mimic legit messages, sites
Very different phishing (& legit) styles
Often few samples (esp. `spear phishing')
Identified spam/phishing emails
`PhishOrReal` (of foo.com)
Other emails
Phish/spam
Idea: combine classifier with auth (SPF,DKIM,DMARC...)
classify as `Phish-or-Real' of foo.com, `other'
Phishing: `Phish-or-Real`of foo.com
Block
If `real' foo.com always passes SPF/DKIM/IP
Email: refresh [skip], goals, threats, tools
Phishing and spam
Basic defenses
Port blocking
Content Filtering
White/Blacklists/Greylisting
SMTP-Sender Authorization (SPF, SIDF)
Signed Email (DKIM)
DMARC
Future? [Reputation, Accreditation, Penalties…]
And : phishing in social networks
Add IP to blacklist with prob. p
Yes
foo.com always identified by IP, DKIM or SPF?
No
Sender authentication (DKIM etc.) allows white-list
What about unknown & un-trusted senders?
Reputation and Accreditation:
Authorization, Signing, Policies
Other
Content-based classifier
Display
Beyond Authentication
Introduction
Email not from bank (e.g.: bank always signs)
PhishOrReal from foo.com
Spam, Phishing and Email Security
13
Senders provide certificates (“recommendations”) from trusted authority
Reputation: Based on history of sender
Accreditation: Sender pays or deposits at authority
Cost-based:
Postage: Pay for each message
Penalty: Pay only for spam
Several services, limited deployment / success [hidden foils]
Who is Guarding the Guards?
Can we trust reputation & accreditation services?
Accreditation services charge the senders
Incentive to be permissive
Financial Penalties for Spam
Also some reputation services Allow (some) customers to spam
False positives also possible (if not signed, or by Zombie)
“Denial of reputation” – bad-mouthing attack “I got spam from xxx” - maybe a lie? Or due to spoofing?
Sender/server digitally signs mail and label
Recipient may select content based on labels
Penalize if label is incorrect
In following foils: label {‘OK’, ‘spam’}
Penalties may be:
Interoperable, `open` accreditation services?
Loss of trust / reputation
Solutions:
Financial compensation / fine (money)
Proofs of spamming, not just complaints
Use well-defined spam: Email without “warning” label Compensation to victim
Automated / secure resolution process
Penalty to spammers
Bootstrapping, “do no harm”…
SocNet Spam & Phishing
SocNet: known users, accountabtiliy… but…
~20% of malicious `friend-req’ approved
Most req’ to honey-pot accts from real users!
Great info for targeted spam/phishing
~45% of links posted by `friends’ clicked
Much better than email spam/phishing
Huge vulnerability!!
Conclusions
Challenges:
Spam and phishing are major problems Combine authentication, reputation and classification to filter spam and phishing Appropriate combination can make phishing unprofitable Still very important area
14
Spam mail with incorrect label
With research challenges, too
Proposals [e.g., SeARP – hidden], none deployed
Social Network Malware: KoobFace