email security - comp 257
7/31/2019 Email Security - Comp 257
Email Security
A Presentation by Jonathan Lomas
-
What's the Problem?
Forging or spoofing an email to impersonate a trusted organization lets scammers go 'phishing' in an attempt to:
steal personal information
distribute viruses and malware
Scammers even go 'spearphishing' inside a company by making the email appear to come from a co-worker
[Slide graphic: a forged message with the header fields From:, Subject:, Return-Path: and X-Mailer:, and the values CIBC Customer Service, Your Account - Urgent, EVL Mail and mail.evil.ru]
-
Good Ol' Stats
According to the MessageLabs Intelligence 2010 Report [1]...
1,530 different organizations were impersonated in or related to phishing emails
only five companies made up 50% of attacks
6.3% of all phishing attacks were 'spearphishing'
[1] http://www.messagelabs.com/mlireport/MessageLabsIntelligence_2010_Annual_Report_FINAL.pdf
-
Phishing Tackle
Social Engineering
Lays the foundation for a phishing attack
Leverages fear and ignorance to create an urgency in a susceptible victim
...Jason already talked about this...
Technical Subterfuge
Forged elements create feel of 'official' document, creating trust needed for susceptible victim to act
Lax security on mail servers makes it possible
Sneaky and evil
...this is what I'm talking about...
-
tek-ni-kuhl suhb-ter-fyooj
Some possible solutions to the phishing problem:
Hope People Change
...ya right.
Use Your Technology More Effectively
This seems doable.
-
Forcing Authentication
Port 25 - for Mail Transfer Agents (MTAs) to relay email to and through each other.
Port 587 - for Mail Submission Agents (MSAs) to accept email from authenticated users to be sent to an MTA.
So block port 25* and make clients authenticate on port 587.
And eat your vegetables.
*Unless you relay mail. Then you'll have to do something else.
-
SMTP AUTH on Port 25*
*AKA: something else.
You can make an MTA require authentication on port 25 for users to send emails
You shouldn't do so if the server is a Mail eXchanger
You should use Transport Layer Security via the STARTTLS extension to provide encrypted connection
But still...
leave port 25 for the MTAs and use an MSA for user emails
-
POP Before SMTP
your POP authentication allows you (at your IP*) access to the SMTP server
*...Or anyone/anything else - blood or bot - at your IP address.
It goes like this:
I authenticate on your POP3 server from my IP and download my emails
[Some] time goes by...
I send my outbound emails to your SMTP server from my IP without authentication
-
More Magical Solutions
Authentication tells you who is connecting but not who is sending
When it comes to spam, phishing and virus distribution...
...The sender is what matters.
But how can we be sure the sender is who they claim to be?
-
Blacklisting
DNS-based Blackhole Lists (DNSBL) have been around since 1997
Dynamic, distributable list of 'bad' IPs to help MTAs filter out crap
Drops suspect email into a network 'blackhole'
Blacklisting eliminates most of the junk but if it's not on the list it will get through
-
Sender Policy Framework (SPF)
example.com. IN SPF "v=spf1 a mx -all"
SPF is a DNS-based framework for email validation
Allows the administrator to specify in the DNS which hosts are allowed to send mail from their domain
Most MTAs and server-based anti-spam software provide support for SPF
Unfortunately, SPF is not well enough adopted to be fully effective
-
Summary
1. Phishing is bad. And prevalent.
2. Authentication is important - know who's who.
3. Let each Mail Agent do its job, and block ports you don't need. MTA for mail servers, MSA for clients.
4. Blacklist mail from 'bad' IPs and the battle is almost won.
5. Use SPF or DKIM to help be sure emails are coming from where they say they're from.
-
I hope you know more about email security
than you did 15 minutes ago!
Questions?