Message Security: Is this legitimate email or not? Jaap Wesselius, Consultant
Agenda Anti-spam technologies SPF, DKIM and DMARC DNSSEC DANE
Introduction
Whoami.exe Jaap Wesselius Independent consultant, based in The Netherlands Originally an (on-premises) Exchange consultant Still Exchange, but lots of cloud stuff, security, privacy Consultant, Trainer (sometimes), writer, blogger, presenter, biker, dad... www.jaapwesselius.com @jaapwess
What’s this session about? It’s all about anti-spam (and thus security) How do I make sure email is legitimate? What’s my email reputation on the Internet? In this talk… I will focus on on-premises Exchange solutions (but hey, that’s my job) But also 3rd party and cloud based solutions Or both (hybrid solutions)
Problem statement 91% of hacking attacks begin with (spear) phishing Spear phishing messages appear to come from a trusted source How do you protect against phishing? How do you protect your outbound mail? How do you protect against misuse of your email addresses?
Anti-spam technologies
Reverse DNS. Not Exchange specific, but many receiving mail servers check it: the name the sending server announces in EHLO should have an A record pointing to the connecting IP address, and the PTR record of that IP address should point back to the same name. Pitfall: an Edge server that is configured with a non-existing TLD, e.g. smtphost.exchangelabs.local, announces that name in EHLO; the receiving side cannot resolve it and the check fails. Give the Edge server a public FQDN with matching A and PTR records and check it with a tool like http://misk.com/tools
Filtering in Exchange happens on multiple layers, in this order: Connection Filtering is the first step, decided on the connecting IP address before the message itself is accepted (or not, of course); then Sender/Recipient Filtering; Content Filtering; Attachment Filtering.
Connection filtering. IP Allow List: connections from these IPs are always accepted, the message gets SCL=-1 and no further anti-spam processing. IP Block List: connections from these IPs are always blocked. Real-time Block List (RBL): connections are blocked if the IP is on the block list of a provider. There are tons of RBLs, e.g. Spamhaus, SpamCop, SORBS, Barracuda Central etc.
Real-time blocklist (RBL). The remote server sets up a TCP connection on port 25: EHLO; MAIL FROM: Mr.Exchange@hotmail.com; RCPT TO: J.Wesselius@Exchangelabs.nl. The Exchange server queries the RBL with the connecting IP address written in reverse octet order, e.g. <reversed ip address>.sbl-xbl.spamhaus.org (an older zone; zen.spamhaus.org combines SBL, XBL and PBL and is the one the cmdlet on the next slide uses). A listed IP returns an A record in 127.0.0.0/8 whose last octet tells which list it is on; no answer (NXDOMAIN) means not listed. The server then accepts, rejects or tags the message; results are logged in the Agent Log.
Configure RBL in Exchange. Exchange Management Shell (on the Edge Transport server): Add-IPBlockListProvider -Name SpamHaus -LookupDomain zen.spamhaus.org -Enabled $true -BitmaskMatch $null -IPAddressesMatch @() -Priority 1 -AnyMatch $true -RejectionResponse "Message blocked due to black listing"
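What the connection filter does with that provider, written out as an added example (Python, not code from the presentation or from Exchange): build the reversed-address query name, interpret the 127.0.0.x answer, and turn it into an SMTP decision. The resolver and its answers are constructed in the block (no network access), and the Zen return-code table is an assumption copied from the Spamhaus documentation as I know it; verify it against the current documentation before relying on it.

```python
import ipaddress

# Constructed table of Spamhaus Zen return codes (assumption: check the current
# Spamhaus documentation). 127.255.255.x answers are error signals, not listings.
ZEN_RETURN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.4": "XBL CBL: exploited or infected host",
    "127.0.0.9": "SBL: DROP/EDROP range",
    "127.0.0.10": "PBL: ISP-maintained end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
    "127.255.255.252": "error: typing error in DNSBL name",
    "127.255.255.254": "error: query via public/open resolver, not answered",
    "127.255.255.255": "error: excessive query volume",
}


def rbl_query_name(client_ip, zone):
    """Build the DNSBL lookup name: the client address with its octets (IPv4)
    or hex nibbles (IPv6) reversed, followed by the blocklist zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        reversed_labels = reversed(addr.exploded.split("."))
    else:
        reversed_labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(reversed_labels) + "." + zone.strip(".")


def classify_rbl_answer(answers):
    """Interpret the A records a DNSBL returns. No answer (NXDOMAIN) means
    'not listed'. Returns (verdict, reasons); verdict is not-listed, listed or error."""
    if not answers:
        return "not-listed", []
    reasons = [ZEN_RETURN_CODES.get(a, f"unknown code {a}") for a in answers]
    if any(a.startswith("127.255.") for a in answers):
        # Fail open on DNSBL errors: a broken lookup must not reject all mail.
        return "error", reasons
    if not all(a.startswith("127.") for a in answers):
        # A DNSBL only answers inside 127/8; anything else is hijacked or wildcarded DNS.
        return "error", reasons
    return "listed", reasons


# Constructed resolver standing in for a real DNS query (assumption: no network).
# 127.0.0.2 is the documented always-listed test address of Spamhaus.
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
}


def check_connection(client_ip, zone="zen.spamhaus.org", resolve=FAKE_ANSWERS.get):
    """One inbound SMTP connection: build the name, query it, decide."""
    name = rbl_query_name(client_ip, zone)
    verdict, reasons = classify_rbl_answer(resolve(name) or [])
    if verdict == "listed":
        return "550 5.7.1 Message blocked due to black listing (" + "; ".join(reasons) + ")"
    return "250 accept"   # not listed, or lookup error: continue with the other filters
```

The error branch matters in practice: Spamhaus answers 127.255.255.254 when it is queried through a public resolver, and an Exchange server that treated that as a listing would reject every inbound connection.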
Show the filtering
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\ Edge\AgentLog
Sender Policy Framework (SPF). SPF is very similar to Microsoft's Sender ID (now obsolete). SPF is a validation process: is the sending server allowed to send email on behalf of the sender's domain? Organizations publish information about their sending email servers in public DNS (in SPF records, which are TXT records), and receiving servers check the connecting IP address against that information.
Basic email message structure. RFC 5321 (Simple Mail Transfer Protocol): SMTP transports a mail object, and a mail object consists of an envelope (the SMTP commands) and content (everything after DATA):
EHLO mail.bigcommunications.com                        (envelope)
MAIL FROM: oceanic.airlines@bigcommunications.com      (envelope)
RCPT TO: J.Wesselius@Exchangelabs.nl                   (envelope)
DATA
Hello World                                            (content)
.
Envelope vs. content: RFC5321.MailFrom lives in the envelope, RFC5322.From in the message header. SPF checks the envelope sender; the header From is what the user sees in the mail client, and that is the address spear phishing forges.
EHLO mail.bigcommunications.com
MAIL FROM: oceanic.airlines@bigcommunications.com      (envelope: RFC5321.MailFrom)
RCPT TO: J.Wesselius@Exchangelabs.nl
DATA
MIME-Version: 1.0
From: oceanic.airlines@bigcommunications.com           (content: RFC5322.From)
Sender: <the mailbox that sends on behalf of the From address, if any>
Reply-To: Oceanic Airlines <oceanic@news.oceanicairlines.com>
Date: Tue, 20 Jul 2016 15:33:13 +0100
Subject: Exclusive Offer
To: J.Wesselius@Exchangelabs.nl
Content-Type: multipart/alternative; boundary=001a11c383bef8ccfb04f327d9b5

--001a11c383bef8ccfb04f327d9b5
Content-Type: text/plain; charset=ISO-8859-1

Hello World
--001a11c383bef8ccfb04f327d9b5--
.
SPF process. The mail server receives an SMTP connection. It takes the domain of the RFC5321.MailFrom (or the HELO/EHLO name when MAIL FROM is empty, as it is for bounces). It retrieves the SPF record of that domain and compares the record against the source IP address. Pass = ok. Fail = stamp a header, quarantine, deliver to the Junk mail folder or block the message (the action is the receiver's choice; softfail and neutral normally only add a header). SPF says nothing about the RFC5322.From that the user sees; that is what DMARC adds later.
SPF DNS entries. An SPF record is a TXT record that starts with "v=spf1", followed by mechanisms describing the sending mail servers: ip4, ip6, a, mx, and include (another domain's record, e.g. that of your cloud provider). Each mechanism takes an optional qualifier: pass (+, the default), fail (-), softfail (~), neutral (?). Mechanisms are evaluated left to right and the first match decides, so "all" goes last. Publish only one SPF record per domain, and keep the number of mechanisms that need DNS lookups (a, mx, include, ...) at 10 or fewer; more than that is a permanent error.
SPF DNS examples. "v=spf1 mx -all" (the MX servers of the domain may send mail, nobody else). "v=spf1 ip4:192.168.0.1/24 -all" (servers in this /24 range may send, nobody else). "v=spf1 a:exchangelabs.nl ~all" (the A records of exchangelabs.nl may send; anything else is a softfail: suspicious, but not a hard fail).
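The SPF evaluation described in the previous slides, as an added example in Python (not code from the presentation, Exchange or any SPF library): pick the identity (MAIL FROM, or HELO for bounces), fetch the single "v=spf1" record, and walk the mechanisms left to right until one matches, with include and the 10-lookup limit handled. All DNS data is a constructed dictionary; the exchangelabs.nl and spf.protection.outlook.com records in it are invented for the example and do not reflect the real ones.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: every record
# here, including the contents of spf.protection.outlook.com, is invented).
FAKE_DNS = {
    ("exchangelabs.nl", "TXT"): [
        "v=spf1 mx a:mail.exchangelabs.nl include:spf.protection.outlook.com -all",
        "unrelated-site-verification=abc123",           # other TXT records are ignored
    ],
    ("exchangelabs.nl", "MX"): ["mx1.exchangelabs.nl"],
    ("mx1.exchangelabs.nl", "A"): ["178.251.192.3"],
    ("mail.exchangelabs.nl", "A"): ["192.0.2.25"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:cafe::/48 -all"],
    ("bigcommunications.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("twospf.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],    # two records = permerror
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10      # RFC 7208: at most 10 DNS-querying mechanisms per check


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def spf_identity(mail_from, helo):
    """Domain to check: RFC5321.MailFrom, or the HELO/EHLO name when MAIL FROM
    is empty (bounces and other DSNs have an empty reverse path)."""
    return mail_from.rsplit("@", 1)[1].lower() if "@" in mail_from else helo.lower()


def spf_record(domain):
    found = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        return "permerror"            # more than one SPF record is a permanent error
    return found[0] if found else None


def host_has_ip(host, ip):
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A") + lookup(host, "AAAA"))


def check_spf(client_ip, domain, _budget=None):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.
    Mechanisms are tried left to right; the first one that matches decides the
    result via its qualifier. Returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(client_ip)
    budget = [MAX_DNS_MECHANISMS] if _budget is None else _budget   # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                                   # modifier, e.g. redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
            except ValueError:
                return "permerror"
        elif name in ("a", "mx", "include", "exists", "ptr"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                        # too many DNS lookups
            if name == "a":
                matched = host_has_ip(arg or domain, ip)  # a:host/cidr form not handled (simplification)
            elif name == "mx":
                matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
            elif name == "include":
                inner = check_spf(client_ip, arg, budget)
                if inner == "permerror":
                    return "permerror"
                matched = inner == "pass"                 # only a pass inside include matches
            else:
                continue                                  # exists/ptr not implemented here (simplification)
        else:
            return "permerror"                            # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(client_ip, redirect, budget)
    return "neutral"                                      # nothing matched and no "all"
```

Note that a softfail inside an included record does not match in the including record: include only matches on pass, which is why a provider's "~all" cannot loosen your own "-all".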
SPF failure
DomainKeys Identified Mail (DKIM) DKIM is about signing and verifying of email messages DKIM consists of two operations: Signing of a message. Can be achieved by sending host or 3rd party service or appliance Verifying of a message. Can be achieved by receiving host or 3rd party service or appliance
DKIM overview. User sends email to recipient. The mail server computes a hash of the message body, then signs that hash together with selected header fields using its private key and adds the result as a DKIM-Signature header. The recipient server fetches the public key from DNS (selector and domain are in the header). The recipient server recomputes the body hash and verifies the signature with the public key (nothing is decrypted: DKIM signs, it does not encrypt). The recipient server stamps the result in the message header.
DKIM details. What's in the message header? The DKIM-Signature header, shown here folded over several lines as it appears in a real message:
DKIM-Signature: v=1; a=rsa-sha256; d=exchangelabs.nl; s=safemail; c=simple/simple;
 t=1508094253; h=from:subject:to:date:message-id;
 bh=ih9GsooCW4xx3BKV51CijGLpXY67SCRX7CuIwhjgjDU=;
 b=JgWhe7U8XS3jz6oyeeM6x2DT+gRHsYdJY27l66SvKv44akuMbJOPHL41/1q/quzel+acGexJtdy
 p6GW1t0L2WYazMqx87QXX/vvIwCTAFd7tkCq3CtK1CCyIJviX+XX/7EMFJLBOdjFoo4MM15JXqjT1
 iOyIifm7X5c4eusAd02Uw/XPQy0QrskhOv6/Ajkauc+Q8aef0zo+6xTaDZAW6lEbeW5rRj5FqYLR4
 3Ej20UnSE+vUEggWs0WuD6l38zciOHMZ8axjMBbQbZdpi1qhC+tzk+L2QvaIBS/z2Db0RKscp74l2
 FH4zCtTPZymI5NLE/0TSIygxOhFHLQq9HCpA==
Tags: v = version, a = signing algorithm (RSA with SHA-256), d = signing domain, s = selector, c = canonicalization for header/body (simple or relaxed), t = signing timestamp, h = the header fields covered by the signature, bh = hash of the body, b = the signature itself.
DKIM details. What's in DNS and how to retrieve it? 's' is the selector and 'd' the signing domain; together they name the TXT record that holds the public key: safemail._domainkey.exchangelabs.nl (note: _domainkey, singular). bh = hash of the canonicalized message body. b = the signature, made with the private key, over the header fields listed in h= plus the DKIM-Signature header itself (with an empty b=) and thereby over bh; it is not just a hash of the headers. Multiple selectors allow key rotation: publish the new key under a new selector, switch the signer, retire the old record later.
DKIM details. After verification, the receiving server stamps the email with an Authentication-Results header (this one from Exchange Online Protection, which reports SPF, DKIM and DMARC together):
Authentication-Results: spf=pass (sender IP is 178.251.192.3)
 smtp.mailfrom=exchangelabs.nl; hotmail.com; dkim=pass (signature was verified)
 header.d=Exchangelabs.nl;hotmail.com; dmarc=pass action=none
 header.from=exchangelabs.nl;
Received-SPF: Pass (protection.outlook.com: domain of exchangelabs.nl designates
 178.251.192.3 as permitted sender) receiver=protection.outlook.com;
 client-ip=178.251.192.3; helo=AMS-EDGE01.Exchangelabs.nl;
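The header-side mechanics of the last four slides, as an added example in Python (not code from the presentation or from the dkim-exchange module): parse the tag list, derive the DNS name of the public key, canonicalize the body in simple and relaxed mode, check bh=, and select the header fields that b= covers. The RSA signature itself is out of scope (it needs a private key), so the constructed sample header below carries an empty b=; the body, headers and signature tags are assumptions built for this block, not the message from the slide.

```python
import base64
import hashlib
import re


def parse_dkim_signature(value):
    """Split the tag=value list of a DKIM-Signature header into a dict.
    Whitespace inside values (folded b=/bh=) is removed, as RFC 6376 allows."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_key_name(tags):
    """DNS name of the TXT record holding the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization. Both modes drop empty lines at the end of
    the body; 'relaxed' also strips trailing whitespace per line and folds runs
    of spaces/tabs into one space. Output always uses CRLF line endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple", algo="sha256"):
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(signature_value, body):
    """First check a verifier does, before any DNS or RSA work: does the body
    still hash to bh=? If not, the body was altered after signing."""
    tags = parse_dkim_signature(signature_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"   # 'relaxed' alone = relaxed/simple
    algo = tags["a"].split("-", 1)[1]                                 # rsa-sha256 -> sha256
    return body_hash(body, body_mode, algo) == tags["bh"]


def headers_to_sign(message_headers, tags, signature_value):
    """Header fields that b= covers: each name listed in h=, taken from the
    bottom of the header block upward (a repeated name selects the next one up),
    followed by the DKIM-Signature header itself with an empty b= value."""
    remaining = list(message_headers)            # list of (name, value), top to bottom
    selected = []
    for name in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append(remaining.pop(i))
                break
    sig_without_b = re.sub(r"(?<![A-Za-z0-9+/=])b=[^;]*", "b=", signature_value)
    selected.append(("DKIM-Signature", sig_without_b))
    return selected


# Constructed sample message (assumption: not the message from the slide).
SAMPLE_BODY = "Hello World\r\n"
SAMPLE_HEADERS = [
    ("Received", "from AMS-EDGE01.Exchangelabs.nl (constructed)"),
    ("From", "jaap@exchangelabs.nl"),
    ("To", "J.Wesselius@Exchangelabs.nl"),
    ("Subject", "DKIM sample"),
    ("Date", "Tue, 19 Jul 2016 15:33:13 +0100"),
    ("Message-ID", "<constructed-1@exchangelabs.nl>"),
]
# bh= is computed from SAMPLE_BODY so the sample is internally consistent;
# b= stays empty because producing it needs the RSA private key.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=exchangelabs.nl; s=safemail; c=simple/simple; "
    "t=1508094253; h=from:subject:to:date:message-id; "
    "bh=" + body_hash(SAMPLE_BODY) + "; b="
)
```

Two practical consequences fall out of the canonicalization rules: a mailing list or gateway that appends a disclaimer breaks bh= (and therefore DKIM), while a server that merely adds trailing empty lines does not.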
Dkim implementation Exchange does not support DKIM natively Use 3rd party appliance, software or (cloud) service On github.com/Pro/dkim-exchange you can find DKIM signing module for Exchange (I’ll show you) On http://dkim.org/deploy/index.html you can find more deployment partners
DKIM public and private keys. The private key is used by the sender (and only this sender!) to sign messages; the public key is used by receivers to verify the signature. DKIM encrypts nothing. How to get a public and private key? Online, for example via dkimcore.org (good idea? A private key generated on somebody else's web server is not private), OpenSSL on your own server, or via the 3rd party solution or service. Use 2048-bit RSA keys: RFC 8301 sets 1024 bits as the minimum and recommends 2048.
Show the DKIM signing module
Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC is an email validation mechanism implemented on top of SPF and DKIM. DMARC is policy based: the domain owner publishes the policy in DNS (a TXT record at _dmarc.<domain>). The policy defines what a receiver should do when a message fails DMARC, i.e. when neither SPF nor DKIM gives a pass whose domain is aligned with the RFC5322.From domain: none, quarantine or reject. DMARC adds reporting: receivers send aggregate reports (and optionally failure reports) back to the domain owner.
DMARC process flow. User sends email; the mail server inserts the DKIM header. The recipient server checks SPF and DKIM. The recipient server retrieves the DMARC policy of the RFC5322.From domain and checks alignment: does the SPF domain (RFC5321.MailFrom) or the DKIM d= domain match the From domain? The recipient server applies the policy. The recipient server sends DMARC reports to the rua address.
DMARC details. Example DNS record (TXT record at _dmarc.exchangelabs.nl):
v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarcreport@exchangelabs.nl
p = policy for the domain (none, quarantine, reject); sp = policy for subdomains; pct = percentage of failing messages the policy is applied to (use it to ramp up); rua = reporting URI for aggregate reports. Optional: adkim = alignment mode for DKIM, aspf = alignment mode for SPF (r = relaxed, same organizational domain is enough; s = strict, exact match; default r), ruf = reporting URI for failure reports.
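The policy evaluation of the last three slides, as an added example in Python (not code from the presentation or from any DMARC verifier): parse the record, test identifier alignment in relaxed and strict mode, and derive the disposition from p=, sp= and pct=. The organizational-domain function is a deliberate simplification (last two labels; real verifiers use the Public Suffix List), and the sample record is an assumption built for the block.

```python
import random


def dmarc_record_name(domain):
    """Where the policy lives: a TXT record at _dmarc.<domain>."""
    return f"_dmarc.{domain.lower().rstrip('.')}"


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1;p=...;...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    """Simplification (assumption): the last two labels. Real verifiers use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match with the
    RFC5322.From domain, 'r' (relaxed) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain, roll=None):
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passed
    *and* that identifier aligns with the From domain. Otherwise the published
    policy applies: p=, or sp= when the record was found at the organizational
    domain and the From domain is a subdomain of it, sampled by pct=."""
    tags = parse_dmarc_record(record_txt)
    if tags is None:
        return "none", "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    pct = int(tags.get("pct", "100"))
    roll = random.randint(1, 100) if roll is None else roll
    if roll > pct:
        # Message not sampled: RFC 7489 says to apply the next weaker policy.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed policy used in the assertions (assumption: not a real DNS record).
SAMPLE_RECORD = "v=DMARC1;p=reject;sp=quarantine;pct=100;rua=mailto:dmarcreport@exchangelabs.nl"
```

The alignment step is the whole point against spear phishing: a message whose MAIL FROM domain is attacker.example can get an SPF pass, but it does not align with a From header of exchangelabs.nl and therefore fails DMARC.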
DMARC reports. Receiving platforms return aggregate DMARC reports (usually once a day) to the mailbox mentioned in the DMARC DNS record. DMARC reports are XML files, normally delivered zipped or gzipped; at any volume you need a service like Dmarcian to analyze them, or you parse them yourself.
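What is inside such a report, as an added example in Python (not code from the presentation or from Dmarcian): unwrap the .gz or .zip attachment, parse the RFC 7489 aggregate-report XML, and summarize which sources fail both aligned checks. The report below is constructed for the example; the receiver name, counts and the 203.0.113.9 source are assumptions.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

# Constructed aggregate report in the RFC 7489 XML format (assumption: the
# receiver, the counts and the 203.0.113.9 source are invented).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-001</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>exchangelabs.nl</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>178.251.192.3</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>exchangelabs.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>exchangelabs.nl</domain><result>pass</result></dkim>
      <spf><domain>exchangelabs.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>exchangelabs.nl</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def unwrap_report(data):
    """Reports arrive as attachments: raw XML, .gz or .zip. Return the XML text."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode("utf-8")
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode("utf-8")
    return data.decode("utf-8")


def parse_aggregate_report(xml_text):
    """Pull out what matters per record: who sent, how much, and whether the
    aligned SPF/DKIM verdicts passed. Reports are attacker-influenced input,
    so use defusedxml instead of the stdlib parser in production."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),                    # aligned DKIM verdict
            "spf": pe.findtext("spf"),                      # aligned SPF verdict
            "disposition": pe.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def summarize(report):
    """Totals plus the sources that failed both aligned checks: either spoofing
    or a legitimate source that is missing from SPF/DKIM and needs fixing
    before the policy moves away from p=none."""
    total = passing = 0
    failing_sources = Counter()
    for r in report["rows"]:
        total += r["count"]
        if r["dkim"] == "pass" or r["spf"] == "pass":
            passing += r["count"]
        else:
            failing_sources[r["source_ip"]] += r["count"]
    return {"total": total, "passing": passing, "failing_sources": dict(failing_sources)}


SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT.encode("utf-8"))   # what a receiver would actually attach
```

The second record shows the pattern to look for during the p=none phase: SPF passed for attacker.example, but nothing aligned with the header From, so under p=reject those 7 messages would have been refused.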
Show the DMARC
Where to start. Start by analyzing your reputation: implement DMARC with policy=none and send the reports to a service like Dmarcian. Use the reports to build an inventory of your email sources (newsletters, CRM, ticketing, printers... this can be extremely complex). Once you have a solid view of your email flows, implement DKIM and SPF for every source. Then change the DMARC policy to quarantine and finally reject (but be careful: ramp up with pct= and keep reading the reports).
3rd party (cloud) solutions. EOP (Exchange Online Protection) supports SPF, DKIM and DMARC out of the box: turn on DKIM signing in the Exchange Admin Center and create the DNS records (for Office 365 two CNAME records, selector1._domainkey and selector2._domainkey, pointing at the tenant's onmicrosoft.com domain; two selectors so that Microsoft can rotate the keys). Same process for other vendors like Trend Micro HES or Symantec Cloud; Cisco IronPort has DKIM and DMARC modules.
DKIM in Office 365
Other 3rd party vendors Symantec MessageLabs MimeCast ProofPoint IronPort Barracuda TrendMicro More on http://dkim.org/deploy/
Secure DNS (DNSSEC)
Domain Name System Security Extensions. DNS maps domain names (FQDNs) to IP addresses. It was designed to be a scalable distributed system and did not include any authentication of the answers. DNSSEC adds security while maintaining backwards compatibility: DNS answers are digitally signed (RRSIG records, validated through a chain of DS and DNSKEY records from the root down), which prevents manipulated DNS data (DNS cache poisoning). DNSSEC responses are signed, but not encrypted!
DNSSEC only works if the entire chain supports it: the root, the TLD, your own zone, and a validating resolver on the querying side. The Dutch TLD (.nl) for example has supported DNSSEC since 2012. But still... not all providers support this! My provider has supported DNSSEC since 2015. The provider holds the private keys that sign the zone; a DS record (the hash of the zone's key-signing key) is stored with SIDN (which manages the .nl TLD), so the chain from the TLD down to the zone can be verified. Windows DNS supports DNSSEC.
DANE DNS-based Authentication of Named Entities
DNS-based Authentication of Named Entities. DANE is a proposed standard (RFC 6698) that binds X.509 certificates to DNS names using DNSSEC. DANE challenges the Certificate Authority (CA) system: CAs have been subject to criticism (the DigiNotar disaster). DANE can (will) be used to authenticate the TLS certificate of an SMTP server (RFC 7672), so that STARTTLS can no longer be stripped or the certificate swapped by a man in the middle; in principle the same works for HTTPS. Similar in spirit to DKIM: the trust anchor is published in DNS by the domain owner instead of vouched for by a third party, and DNSSEC protects it.
DNS-based Authentication of Named Entities. TLSA (TLS Authentication) record in DNS, named after the port and protocol of the service:
_25._tcp.mx.contoso.com IN TLSA 3 0 1 00d91fe1cdc6795bf48575eb3ad934b88faf9391f90464e2e518b0354bb22d07
The three numbers are the usage (3 = DANE-EE: this is the end-entity certificate itself, no CA involved), the selector (0 = the full certificate, 1 = only the public key, SPKI) and the matching type (1 = SHA-256 of the selected data). TLSA records can be generated using https://ssl-tools.net/tlsa-generator, or locally with openssl and a SHA-256 tool. Caveat: with selector 0 the record must be updated before the certificate is renewed, which is why RFC 7672 recommends selector 1 (the key survives a renewal as long as you keep the key pair).
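Generating and checking such a record, as an added example in Python (not code from the presentation, from ssl-tools.net or from any DANE implementation): compute the association data for a usage/selector/matching-type combination, emit the zone-file line, and do what a DANE-aware SMTP client does after STARTTLS, i.e. recompute the data from the presented certificate and compare. The certificate bytes below are a constructed stand-in, not a real DER certificate; a real run feeds the output of openssl x509 -outform DER, and SPKI extraction (for selector 1) is assumed to be done elsewhere.

```python
import hashlib

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def tlsa_association_data(der_cert, selector, matching_type, spki=None):
    """Certificate association data: the full certificate (selector 0) or its
    SubjectPublicKeyInfo (selector 1), either verbatim or hashed."""
    data = der_cert if selector == 0 else spki
    if data is None:
        raise ValueError("selector 1 needs the SPKI bytes extracted from the certificate")
    if matching_type == 0:
        return data.hex()
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(host, der_cert, usage=3, selector=0, matching_type=1,
                port=25, proto="tcp", spki=None):
    """Zone-file line for the MX host, e.g. _25._tcp.mx.contoso.com IN TLSA 3 0 1 <sha256>."""
    if usage not in USAGES or selector not in SELECTORS or matching_type not in MATCHING_TYPES:
        raise ValueError("invalid TLSA parameters")
    data = tlsa_association_data(der_cert, selector, matching_type, spki)
    return f"_{port}._{proto}.{host} IN TLSA {usage} {selector} {matching_type} {data}"


def parse_tlsa(rdata):
    """Parse '3 0 1 <hex>' into (usage, selector, matching_type, hex); None if malformed.
    The digest length must fit the matching type, otherwise nothing can ever match."""
    parts = rdata.split()
    if len(parts) != 4:
        return None
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
        bytes.fromhex(parts[3])
    except ValueError:
        return None
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING_TYPES:
        return None
    expected_len = {1: 64, 2: 128}.get(mtype)
    if expected_len and len(parts[3]) != expected_len:
        return None
    return usage, selector, mtype, parts[3].lower()


def tlsa_matches(rdata, der_cert, spki=None):
    """What a DANE-aware SMTP client does after STARTTLS: recompute the
    association data from the certificate it was shown and compare it with
    the (DNSSEC-validated) record from DNS."""
    parsed = parse_tlsa(rdata)
    if parsed is None:
        return False
    usage, selector, mtype, published = parsed
    return tlsa_association_data(der_cert, selector, mtype, spki) == published


# Constructed stand-in bytes (assumption): not a real certificate or key.
SAMPLE_DER = b"\x30\x82\x01\x23" + bytes(range(256))
SAMPLE_SPKI = bytes(range(64))
```

Because the client only compares hashes, a "3 0 1" record pins one specific certificate: renew the certificate without publishing a new record first and every DANE-validating sender will refuse to deliver to you.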
Support for dane Windows Server 2016 supports DANE Exchange 2016 – No Support (3rd party CryptoFilter) Exim and Postfix fully support DANE https://www.youtube.com/watch?v=0uc5YjGIcZw
Summary
Summary. 91% of hacking attacks begin with phishing; spear phishing messages appear to come from a trusted source (which can be internal: your own domain, spoofed!). Use SPF, DKIM and DMARC for authentication, both to verify inbound mail and to protect your own domains against misuse outbound. Use DNSSEC to prevent DNS spoofing issues. Follow DANE developments and start investigating DANE.
Q&A