
Is this legitimate or not?


1 Is this legitimate email or not?
Message Security: Is this legitimate or not?
Jaap Wesselius, Consultant

2 Agenda
Anti-spam technologies
SPF, DKIM and DMARC
DNSSEC
DANE

3 Introduction

4 Whoami.exe: Jaap Wesselius
Independent consultant, based in The Netherlands
Originally an (on-premises) Exchange consultant
Still Exchange, but lots of cloud stuff, security, privacy
Consultant, trainer (sometimes), writer, blogger, presenter, biker, dad...
@jaapwess

5

6

7 What’s this session about?
It’s all about anti-spam (and thus security)
How do I make sure email is legitimate?
What’s my reputation on the Internet?
In this talk…
I will focus on on-premises Exchange solutions (but hey, that’s my job)
But also 3rd party and cloud based solutions
Or both (hybrid solutions)

8 Problem statement
91% of hacking attacks begin with (spear) phishing
Spear phishing messages appear to come from a trusted source
How do you protect against phishing?
How do you protect your outbound mail?
How do you protect against misuse of your addresses?

9

10

11

12 Anti-spam technologies

13 Reverse DNS
Not Exchange specific, but some servers check for reverse DNS
The A record points to the IP address; the IP address (PTR record) should point back to the A record
Pitfall: Edge is configured with a non-existing TLD, e.g. smtphost.exchangelabs.local
Check with tool like

14

15 Filtering in Exchange
Filtering (in Exchange) happens on multiple layers
Connection Filtering is the 1st step: here the message is accepted (or not, of course)
Sender/Recipient Filtering
Content Filtering
Attachment Filtering

16

17 Connection filtering
IP Allow list: connections from this IP are always accepted (SCL=-1, no further processing)
IP Block list: connections from this IP are always blocked
Real-time Block List (RBL): connections are blocked if the IP is on the block list
Tons of RBLs, e.g. SpamHaus, Spamcop, Sorbs, BarracudaCentral etc.

18 Real-time blocklist (RBL)
Remote server sets up a TCP connection on port 25
EHLO
Mail From:
Rcpt To:
Exchange server queries the RBL: <ipaddress>.sbl-xbl.spamhaus.org
Server accepts, rejects or tags the message
Results are logged in the Agent Log
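The two connection-time checks from slides 13 and 18, as an added example (not from the deck): building the reversed-octet DNSBL query name, reading the answer, and confirming that the connecting IP's PTR name resolves back to it. The DNS data is constructed and embedded so the code runs offline; the final policy function is a constructed illustration, not Exchange's own logic.

```python
import ipaddress

# Constructed DNS data standing in for real lookups so the checks run offline.
FAKE_DNS = {
    ("PTR", "10.2.0.192.in-addr.arpa"): ["mail.example.net"],
    ("A", "mail.example.net"): ["192.0.2.10"],
    # The slide's pitfall: an Edge server whose PTR points at a name under a
    # non-existent TLD, so the name has no public A record to confirm it.
    ("PTR", "20.2.0.192.in-addr.arpa"): ["smtphost.exchangelabs.local"],
    # Constructed listing: DNSBLs answer a listed IP with a 127.0.0.x A record.
    ("A", "5.113.0.203.zen.spamhaus.org"): ["127.0.0.2"],
}

def lookup(rtype, name):
    return FAKE_DNS.get((rtype, name), [])

def rbl_query_name(ip, zone):
    """Build the DNSBL query name: the client's IPv4 octets reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_listed(ip, zone):
    """Listed when the zone returns an A record; no answer (NXDOMAIN) means not listed."""
    return bool(lookup("A", rbl_query_name(ip, zone)))

def forward_confirmed_rdns(ip):
    """Reverse DNS check: the PTR name of the connecting IP must resolve back to that IP.
    Returns (ok, ptr_name) so a log line can show which name failed to confirm."""
    ptr_names = lookup("PTR", ipaddress.IPv4Address(ip).reverse_pointer)
    for host in ptr_names:
        if ip in lookup("A", host):
            return True, host
    return False, ptr_names[0] if ptr_names else None

def connection_filter(ip, zone="zen.spamhaus.org"):
    """Constructed policy combining both checks at connection time: a listed IP is
    rejected outright, a missing forward-confirmed rDNS is only recorded."""
    if rbl_listed(ip, zone):
        return "reject"
    ok, _ = forward_confirmed_rdns(ip)
    return "accept" if ok else "accept-no-fcrdns"
```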

19

20 Configure RBL in Exchange
Exchange PowerShell:
Add-IPBlockListProvider -Name SpamHaus -LookupDomain zen.spamhaus.org -Enabled $true -BitmaskMatch $null -Priority 1 -AnyMatch $true -RejectionResponse "Message blocked due to black listing"

21 Show the filtering

22 C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\AgentLog

23

24 Sender Policy Framework (SPF)
SPF is very similar to Microsoft’s SenderID (obsolete)
SPF is a validation process: is the sending server allowed to send on behalf of the sender’s domain?
Organizations register information about their sending servers in public DNS (in SPF records)
Receiving servers check and compare that information against the connecting server

25 Basic email message structure
RFC 5321, Simple Mail Transfer Protocol: SMTP transports a mail object; a mail object contains an envelope and content
EHLO mail.bigcommunications.com
MAIL FROM:
RCPT TO:
DATA
Hello World
.
Envelope: EHLO, MAIL FROM and RCPT TO. Content: everything sent after DATA, up to the terminating "."

26 Envelope and content: RFC5321.From vs. RFC5322.From
EHLO mail.bigcommunications.com
MAIL FROM:                  (RFC5321.From, envelope)
RCPT TO:
DATA
MIME-Version: 1.0
From:                       (RFC5322.From, content)
Sender: <Send on behalf of>
Reply-To: Oceanic Airlines
Date: Tue, 20 Jul :33:
Subject: Exclusive Offer
To:
Content-Type: multipart/alternative; boundary=001a11c383bef8ccfb04f327d9b5

--001a11c383bef8ccfb04f327d9b5
Content-Type: text/plain; charset=ISO
Hello World
--001a11c383bef8ccfb04f327d9b5--
.

27 SPF process
Mail server receives SMTP connection
Check RFC5321.MailFrom (domain name)
Retrieve SPF record
Compare SPF record against source IP address
Pass = ok
Fail = stamp header, quarantine, junk mail folder or block message

28

29 SPF DNS entries
SPF entries start with "v=spf1"
Followed by sending mail server information: ip4, ip6, A or MX
Each mechanism carries a qualifier: pass (+), fail (-), softfail (~), neutral (?)

30 SPF DNS examples
"v=spf1 mx -all" (allow the MX servers to send mail, no others)
"v=spf1 ip4: /24 -all" (allow servers in this range, no others)
"v=spf1 a:exchangelabs.nl ~all" (all A records in this domain, but not sure about others: softfail)
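The SPF process from slides 27 to 30 carried through in code, as an added example (not the author's): take the RFC5321.MailFrom domain, fetch its v=spf1 record, walk the mechanisms left to right and return the qualifier of the first match. DNS answers are constructed and embedded; the record covers mx, a and ip4 with a ~all softfail, and include/exists/ptr are left out.

```python
import ipaddress

# Constructed DNS data (TXT/A/MX) so the evaluator runs offline.
FAKE_DNS = {
    ("TXT", "exchangelabs.nl"): ["v=spf1 mx a:exchangelabs.nl ip4:192.0.2.0/24 ~all"],
    ("MX", "exchangelabs.nl"): ["ams-edge01.exchangelabs.nl"],
    ("A", "ams-edge01.exchangelabs.nl"): ["198.51.100.25"],
    ("A", "exchangelabs.nl"): ["198.51.100.80"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(rtype, name):
    return FAKE_DNS.get((rtype, name), [])

def mechanism_matches(mech, ip, domain):
    """Does one mechanism (qualifier already stripped) match the connecting IP?"""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        target, _, prefix = (arg or domain).partition("/")
        return any(ip in ipaddress.ip_network(f"{a}/{prefix or 32}", strict=False)
                   for a in lookup("A", target))
    if name == "mx":
        return any(str(ip) in lookup("A", host) for host in lookup("MX", arg or domain))
    return False  # include / exists / ptr are out of scope for this example

def check_spf(source_ip, mailfrom_domain):
    """Slide 27: fetch the record for the RFC5321.MailFrom domain and evaluate it.
    Exactly one v=spf1 TXT record may exist; none gives 'none', several 'permerror'."""
    ip = ipaddress.ip_address(source_ip)
    records = [t for t in lookup("TXT", mailfrom_domain) if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # no prefix means pass
        if mechanism_matches(term.lstrip("+-~?"), ip, mailfrom_domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```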

31

32 SPF failure

33 DomainKeys Identified Mail (DKIM)
DKIM is about signing and verifying messages
DKIM consists of two operations:
Signing of a message: done by the sending host, or by a 3rd party service or appliance
Verifying of a message: done by the receiving host, or by a 3rd party service or appliance

34 DKIM overview
User sends email to recipient
Mail server signs the message header with its private key
Recipient server retrieves the public key from DNS
Recipient server verifies the signature and validates the message
Recipient server stamps the message header

35 DKIM details: what’s in the message header?
DKIM-Signature: v=1; a=rsa-sha256; d=exchangelabs.nl; s=saf ; c=simple/simple; t= ;
 h=from:subject:to:date:message-id;
 bh=ih9GsooCW4xx3BKV51CijGLpXY67SCRX7CuIwhjgjDU=;
 b=JgWhe7U8XS3jz6oyeeM6x2DT+gRHsYdJY27l66SvKv44akuMbJOPHL41/1q/quzel+acGexJtdy
 p6GW1t0L2WYazMqx87QXX/vvIwCTAFd7tkCq3CtK1CCyIJviX+XX/7EMFJLBOdjFoo4MM15JXqjT1
 iOyIifm7X5c4eusAd02Uw/XPQy0QrskhOv6/Ajkauc+Q8aef0zo+6xTaDZAW6lEbeW5rRj5FqYLR4
 3Ej20UnSE+vUEggWs0WuD6l38zciOHMZ8axjMBbQbZdpi1qhC+tzk+L2QvaIBS/z2Db0RKscp74l2
 FH4zCtTPZymI5NLE/0TSIygxOhFHLQq9HCpA==

36 DKIM details: what’s in DNS and how to retrieve this?
‘s’ is the selector, which identifies the DNS record: s=saf, so the key is published at saf._domainkey.exchangelabs.nl
‘b’ is the signature over the selected message headers (the ones listed in ‘h’)
‘bh’ is the hash of the message body
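The header fields described on slides 35 and 36, as an added example that is not from the deck: parse the tag=value list, derive the DNS name the receiver queries from s= and d=, and recompute the bh= body hash under c=simple body canonicalization (the step a verifier performs before checking b=). The header and body used here are constructed; the slide's own bh= cannot be reproduced because its body is not on the page.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header_value):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values (b=, bh=) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_dns_name(tags):
    """Where the receiver fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def simple_body_hash(body, algorithm="rsa-sha256"):
    """bh= under 'simple' body canonicalization: CRLF line endings, any run of empty
    lines at the end reduced to a single CRLF, then hash and base64-encode."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "\r\n".join(lines).encode() + b"\r\n"
    digest = hashlib.sha256 if algorithm.endswith("sha256") else hashlib.sha1
    return base64.b64encode(digest(canonical).digest()).decode()

def body_hash_matches(tags, body):
    """First verification step: recompute bh= over the received body and compare it.
    Checking b= (the RSA signature over the h= headers) needs the DNS key and is not shown."""
    return simple_body_hash(body, tags.get("a", "rsa-sha256")) == tags["bh"]

# Constructed header (same tags as the slide, different selector and values); the bh=
# is the well-known simple-canonicalization hash of an empty body, i.e. sha256 of CRLF.
EXAMPLE_HEADER = ("v=1; a=rsa-sha256; d=exchangelabs.nl; s=selector1; c=simple/simple; "
                  "h=from:subject:to:date:message-id; "
                  "bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=")
```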

37

38 DKIM details
After verification, the receiving server stamps the message with an Authentication-Results header:
Authentication-Results: spf=pass (sender IP is ) smtp.mailfrom=exchangelabs.nl; hotmail.com;
 dkim=pass (signature was verified) header.d=Exchangelabs.nl; hotmail.com;
 dmarc=pass action=none header.from=exchangelabs.nl;
Received-SPF: Pass (protection.outlook.com: domain of exchangelabs.nl designates as permitted sender)
 receiver=protection.outlook.com; client-ip= ; helo=AMS-EDGE01.Exchangelabs.nl;

39 DKIM implementation
Exchange does not support DKIM natively
Use a 3rd party appliance, software or (cloud) service
On github.com/Pro/dkim-exchange you can find a DKIM signing module for Exchange (I’ll show you)
On you can find more deployment partners

40 DKIM public and private keys
The private key is used by the sender (and only this sender!) to create the signature
The public key is used by the receiver to verify the signature
How to get a public and private key?
Online, for example via dkimcore.org (good idea?)
OpenSSL
Via the 3rd party solution or service

41 Show the encryption module

42

43

44 Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC is a validation mechanism, implemented on top of SPF and DKIM
DMARC is policy based; the policy is published in DNS
The policy defines what to do if the SPF or DKIM check fails: quarantine, reject or none
DMARC has reporting capability

45 DMARC process flow
User sends email, mail server inserts DKIM header
Recipient server checks SPF and DKIM
Recipient server retrieves DMARC policy
Recipient server applies policy
Recipient server sends DMARC report

46 DMARC process flow

47 DMARC details
Example DNS Record:
p = policy, rua = reporting URI
Optional: adkim = alignment mode for DKIM, aspf = alignment mode for SPF
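The DMARC evaluation from slides 44 to 47, as an added example (not the author's code): parse the p/rua/adkim/aspf tags, then decide the disposition from the SPF and DKIM results and whether their domains align with the RFC5322.From domain. The record, domains and results are constructed; the organizational-domain rule is approximated with the last two labels rather than the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse the _dmarc.<domain> TXT record: 'v=DMARC1; p=...; rua=...; adkim=...; aspf=...'."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organizational domain, approximated here as the last two labels (real checks use the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(header_from_domain, auth_domain, mode):
    """Strict (s): identical domains. Relaxed (r): same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)

def dmarc_result(record_txt, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Slide 45 flow: SPF and DKIM results in, disposition out. The message passes DMARC
    when SPF (checked on the RFC5321.MailFrom domain) or DKIM (the d= domain) passes AND
    that domain aligns with RFC5322.From; otherwise the published p= policy applies."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]

# Constructed record: strict SPF alignment, relaxed DKIM alignment, quarantine on failure.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net; adkim=r; aspf=s"
```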

48 DMARC reports
Some platforms return DMARC reports to the mailbox mentioned in the DMARC DNS record
DMARC reports are XML files
You need a service like Dmarcian to analyze DMARC reports

49 Show the DMARC

50 Where to start
Start by analyzing your reputation
Implement DMARC with policy=none, reports to Dmarcian
Make an inventory of your sources (can be extremely complex)
If you have a solid view on your email, implement DKIM and SPF
Change the DMARC policy (but be careful)

51 3rd party (cloud) solutions
EOP supports SPF, DKIM and DMARC out of the box
Turn on DKIM signing in the Exchange Admin Center
Create DNS records
Same process for other vendors like Trend Micro HES or Symantec Cloud
Cisco IronPort has DKIM and DMARC modules

52 DKIM in Office 365

53

54 Other 3rd party vendors
Symantec MessageLabs
MimeCast
ProofPoint
IronPort
Barracuda
TrendMicro
More on

55 Secure DNS (DNSSEC)

56 Domain Name System Security Extensions
DNS maps domain names (FQDN) to individual IP addresses
Designed to be a scalable distributed system
Did not include any security details
DNSSEC adds security, but maintains backwards compatibility
DNS answers are digitally signed
Prevents manipulated DNS data (DNS cache poisoning)
DNSSEC responses are signed, but not encrypted!

57 DNSSEC
DNSSEC only works if the entire chain supports it
The Dutch TLD (.NL) for example supports DNSSEC since 2012
But still…. not all providers support this! My provider supports DNSSEC since 2015
The provider has the private key; the public key is stored with SIDN (manages the .NL TLD)
Windows DNS supports DNSSEC

58

59

60

61 DANE DNS-based Authentication of Named Entities

62 DNS-based Authentication of Named Entities
DANE is a proposed standard that binds X.509 certificates to DNS names using DNSSEC
DANE challenges the Certificate Authority (CA) system
CAs have been subject to criticism (Diginotar disaster)
DANE can (will) be used for encrypting SMTP (and HTTPS) traffic
Similar process to DKIM signing and verification

63 DNS-based Authentication of Named Entities
TLSA (TLS Authentication) record in DNS:
_25._tcp.mx.contoso.com IN TLSA 3 0 1 00d91fe1cdc6795bf48575eb3ad934b88faf9391f90464e2e518b0354bb22d07
TLSA records can be generated using generator

64

65 Support for DANE
Windows Server 2016 supports DANE
Exchange 2016: no support (3rd party CryptoFilter)
Exim and Postfix fully support DANE

66 Summary

67 Summary
91% of hacking attacks begin with phishing
Spear phishing messages appear to come from a trusted source (can be internal!)
Use SPF, DKIM and DMARC for authentication purposes, both inbound and outbound
Use DNSSEC to prevent DNS spoofing issues
Follow DANE developments, start investigating DANE

68 Q&A

