email security - uio
Learning Goals
⚫ Foundations of email technologies
⚫ Security issues of emails
⚫ Measures for protecting emails and email architectures
History of Electronic Mail
⚫ 1960s: Host-based electronic mail
⚫ 1971: Ray Tomlinson
− First network email in the ARPANET
− First use of the “@” symbol for separation of user and host name
⚫ 1976: 75% of ARPANET traffic is email communication
⚫ 1982: First standards for Internet email:
− RFC 821: Simple Mail Transfer Protocol (SMTP)
− RFC 822: Internet Message Format
⚫ 1984: Post Office Protocol (POP)
⚫ 1986: Internet Message Access Protocol (IMAP)
⚫ 1998: S/MIME
(Image: Ray Tomlinson. Image source: Wikipedia)
Message Transport System
[Figure: sender UA → MTA → MTA … → MTA → MTA/MDA → receiver UA. The UA-to-MTA hop and every MTA-to-MTA hop use SMTP; the receiver's UA fetches the mail from the MDA via IMAP / POP3]
⚫ User Agent (UA)
− End user program for sending and receiving emails (e.g. Thunderbird)
⚫ Message Transfer Agent (MTA)
− System for sending and receiving mail between systems
⚫ Mail Delivery Agent (MDA)
− System for delivering email to the end user (e.g. via IMAP or local delivery)
Email Structure (simplified)
[Header: the Received lines added by the MTAs, followed by the message header fields]
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
...
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for <[email protected]>; Tue, 3 Sep 2019 20:50:09 +0200
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 3 Sep 2019 20:50:09 +0200
From: "NordSec 2019" <[email protected]>
To: XXX XXX <[email protected]>
Subject: NordSec 2019 paper assignment
Sender: [email protected]
MIME-Version: 1.0
[Body: separated from the header by an empty line]

Dear XXX,
Please find below the list of papers assigned to you
for reviewing.
Best regards,
The NordSec 2019 Team.
Full MTA Path
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-ex11.exprod.uio.no (2001:700:100:120::73) by
 mail-ex12.exprod.uio.no (2001:700:100:120::74) with Microsoft SMTP Server
 (TLS) id 15.0.1497.2; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-mx03.uio.no (129.240.169.59) by mail-ex11.exprod.uio.no
 (129.240.120.73) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
 Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from easychair.org ([213.136.76.235])
 by mail-mx03.uio.no with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.92)
 (envelope-from <[email protected]>)
 id 1i5DsY-00049g-3U
 for [email protected]; Tue, 03 Sep 2019 20:50:10 +0200
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for <[email protected]>; Tue, 3 Sep 2019 20:50:09 +0200
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 3 Sep 2019 20:50:09 +0200
...
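Reading a Received trail by hand is error-prone, so here is an added Python example (not from the slides) that parses the headers above into hops, orders them chronologically and picks out the boundary hop, i.e. the first line written by one of the organisation's own MTAs. The header sample is reconstructed from the slide with folded continuation lines; the recipient and envelope addresses are constructed placeholders.

```python
import email
import re

# Header sample reconstructed from the slide (continuation lines folded with a
# leading space, as in a real message). Addresses are constructed placeholders.
SAMPLE_HEADERS = """\
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-ex11.exprod.uio.no (2001:700:100:120::73) by
 mail-ex12.exprod.uio.no (2001:700:100:120::74) with Microsoft SMTP Server
 (TLS) id 15.0.1497.2; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-mx03.uio.no (129.240.169.59) by mail-ex11.exprod.uio.no
 (129.240.120.73) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
 Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from easychair.org ([213.136.76.235])
 by mail-mx03.uio.no with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.92)
 (envelope-from <chair@easychair.example>)
 id 1i5DsY-00049g-3U
 for reviewer@uio.example; Tue, 03 Sep 2019 20:50:10 +0200
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for <reviewer@uio.example>; Tue, 3 Sep 2019 20:50:09 +0200
Subject: NordSec 2019 paper assignment

"""

# "from <host> (<comment>) ... by <host>"; the comment usually carries the
# connecting IP address in square brackets.
HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def parse_hops(raw_headers: str):
    """Return the Received hops in chronological order (oldest first)."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        match = HOP_RE.match(flat)
        if not match:
            continue                             # malformed line: skip, do not guess
        ip_match = IP_RE.search(match.group("comment") or "")
        hops.append({
            "from": match.group("from"),
            "by": match.group("by"),
            "ip": ip_match.group(1) if ip_match else None,
        })
    hops.reverse()                               # each MTA prepends its own line
    return hops


def boundary_hop(hops, trusted_suffix: str):
    """First hop (chronologically) recorded by one of our own MTAs.

    Only Received lines written by MTAs we control are reliable: everything
    earlier in the chain was supplied by the sender and can be forged."""
    for hop in hops:
        if hop["by"].lower().endswith(trusted_suffix.lower()):
            return hop
    return None


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_HEADERS)
    for number, hop in enumerate(chain, 1):
        print(f"{number}: {hop['from']} -> {hop['by']} (ip={hop['ip']})")
    print("boundary hop:", boundary_hop(chain, ".uio.no"))
```

The boundary hop is the one to anchor an investigation on: its `from` host and bracketed IP were observed by our own MX (mail-mx03.uio.no), whereas the hop below it was written by the sender's system and could say anything.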
Email and DNS
⚫ How does an MTA know the destination server?
⚫ Example:
− Mail address: [email protected]
⚫ DNS contains a resource record for mail transfer: MX
⚫ Example:
− Domain: example.com
− DNS MX response:
▪ mail.example.com
⚫ Zone file of example.com:
$ORIGIN example.com.
$TTL 2d
@ IN SOA < some parameters >
  IN NS ns1.example.com.
  IN NS ns2.example.com.
  IN MX 10 mail.example.com.
ns1 IN A 192.168.0.3
ns2 IN A 192.168.0.4
mail IN A 192.168.0.5
Email Protocols
⚫ Internet Message Access Protocol (IMAP)
− Protocol to access an email box (from multiple email clients)
− Standard ports:
▪ IMAP: 143
▪ IMAP over TLS: 993
− Has largely replaced the older POP3 protocol
⚫ Simple Mail Transfer Protocol (SMTP)
− Protocol for email transmission between UAs, MTAs and MDAs
− Standard ports: 25, 587 (for submission from clients)
− Secure transport typically not via SMTP over TLS, but via opportunistic TLS (STARTTLS, see chapter TLS)
Example: SMTP
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.com
S: 250 smtp.example.com, I am glad to meet you
C: MAIL FROM:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <[email protected]>
C: To: Alice Example <[email protected]>
C: Cc: [email protected]
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend, Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
(Example source: Wikipedia)
Extended SMTP (ESMTP)
⚫ Extends the original standard with a number of features, e.g. for authentication, Unicode encoding, secure transport
⚫ Example (STARTTLS):
[establish TCP connection]
S: 220 mail.example.org ESMTP service ready
C: EHLO client.example.org
S: 250 mail.example.org offers a warm hug of welcome
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
[TLS handshake]
C: EHLO client.example.org [TLS secured]
(Example source: Wikipedia)
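The STARTTLS upgrade only happens if the server's EHLO reply advertises it, which is exactly what makes opportunistic TLS fragile: an on-path attacker who removes the `250 STARTTLS` line makes a purely opportunistic client continue in the clear. The following Python example is added here and is not part of the slides; it parses a multi-line EHLO reply (RFC 5321 form, `250-` on all lines but the last, which the slide abbreviates) and shows the decision a sending client must make. Both reply texts are constructed.

```python
import re

# EHLO reply in the RFC 5321 multi-line form. Constructed examples:
EHLO_WITH_STARTTLS = (
    "250-mail.example.org offers a warm hug of welcome\r\n"
    "250-SIZE 10240000\r\n"
    "250 STARTTLS\r\n"
)
# What the client sees when the STARTTLS capability has been stripped in transit:
EHLO_STRIPPED = (
    "250-mail.example.org offers a warm hug of welcome\r\n"
    "250 SIZE 10240000\r\n"
)

# "<code><sep><text>": sep is "-" on continuation lines and " " on the last one
LINE_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])?(?P<text>.*)$")


def parse_ehlo_reply(reply: str):
    """Parse a (possibly multi-line) EHLO reply into (code, {EXTENSION: params})."""
    lines = [line for line in reply.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty reply")
    code = None
    extensions = {}
    for index, line in enumerate(lines):
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"malformed reply line: {line!r}")
        line_code = int(match.group("code"))
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("inconsistent reply codes")
        if index == 0:
            continue                   # first line is the server greeting, not an extension
        words = match.group("text").split()
        if words:
            extensions[words[0].upper()] = words[1:]
        if match.group("sep") != "-":
            break                      # "250 " (space) terminates the reply
    return code, extensions


def tls_decision(reply: str, require_tls: bool = True):
    """What a sending client should do after EHLO; returns (action, reason)."""
    code, extensions = parse_ehlo_reply(reply)
    if code != 250:
        return "abort", f"EHLO rejected with {code}"
    if "STARTTLS" in extensions:
        return "starttls", "server advertises STARTTLS; upgrade before MAIL FROM"
    if require_tls:
        return "abort", "no STARTTLS offered (possible downgrade); refusing to send in clear"
    return "plaintext", "opportunistic TLS: no STARTTLS offered, continuing in clear"


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_STRIPPED):
        print(tls_decision(reply), tls_decision(reply, require_tls=False))
```

In Python's `smtplib` the same check is `smtp.ehlo()` followed by `smtp.has_extn("starttls")`; a client that merely falls back to plaintext when the extension is missing implements the opportunistic behaviour described on the slide, with the downgrade risk that entails.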
Multipurpose Internet Mail Extensions (MIME)
⚫ The original email standard only permitted 7-bit US ASCII text; thus, no:
− (special) letters from non-English languages (e.g. ü, æ, ç, ω, ж)
− graphics, audio or other binary data
⚫ MIME allows definition of:
− content types (e.g. text, PNG, HTML)
− content encoding, e.g.
▪ base64: use Base64 encoding
▪ quoted-printable: non-ASCII characters are replaced by their hex value
▪ 8bit: no encoding, direct transmission (only in newer implementations)
⚫ MIME additionally allows transport of multiple message parts
Detour: Base64
⚫ Encodes binary data into the following 64 characters:
− A ... Z, a ... z, 0 ... 9, +, /
⚫ Takes each 6-bit group of the binary input and transforms it into one character
⚫ If the input length (in bytes) is not a multiple of 3, the output is padded with “=” or “==”
⚫ Example: encoding the text “Man”
Source text   |  M        |  a        |  n
Bits          | 01001101  | 01100001  | 01101110
Sextets       | 19     | 22     | 5      | 46
Characters    | T      | W      | F      | u
(Example source: Wikipedia)
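To make the table concrete, here is an added Python example (not from the slides) that implements the sextet split, the character mapping and the "=" padding exactly as described above, decodes again, and cross-checks against the standard library. Base64 is an encoding, not encryption: a filter that wants to inspect a message body can always decode it, which is why "using encoding to hide content" is itself a spam signal later in the deck.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def sextets(data: bytes):
    """Split the input bit string into 6-bit groups, zero-padding the last one."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * ((-len(bits)) % 6)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def b64_encode(data: bytes) -> str:
    """Encode bytes to Base64 the way the slide's table does it."""
    out = "".join(ALPHABET[value] for value in sextets(data))
    # Every 3 input bytes give 4 output characters; a short last group is
    # marked with "=" (2 bytes left over) or "==" (1 byte left over).
    return out + "=" * ((-len(data)) % 3)


def b64_decode(text: str) -> bytes:
    """Reverse: drop the padding, reassemble the bits, keep only whole bytes."""
    bits = "".join(f"{ALPHABET.index(ch):06b}" for ch in text.rstrip("="))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check this implementation against base64 from the standard library."""
    encoded = b64_encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64_decode(encoded) == data)


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, sextets(sample), b64_encode(sample))
```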
Multipurpose Internet Mail Extensions (MIME)
⚫ Example:
Content-Type: multipart/mixed; boundary="------------125573EC27547229E81181E9"
MIME-Version: 1.0
--------------125573EC27547229E81181E9
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
This is the content of the mail.
--------------125573EC27547229E81181E9
Content-Type: image/png; name="uio-logo.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="uio-logo.png"
iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKAQMAAAC3/F3+AAAABlBMVEUAAAD/+l2Z/dAAAACXBI
WXMAAA7EAAAOxAGVKw4bAAAAFUlEQVQImWP4foDhIQz9P8DwGYULAPrNEK/99dAAAAAElFTk==
--------------125573EC27547229E81181E9--
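The structure above (a multipart/mixed container, a 7-bit text part and a base64-encoded attachment) can be produced and taken apart with Python's email package. The following example is added here and is not part of the slides; it builds such a message, lists its parts with their transfer encodings, and applies the check a mail gateway would apply to a "suspicious attachment": does a part declared as image/png actually start with the PNG file signature? The attachment payloads and addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # first 8 bytes of every PNG file
# Constructed payloads: a PNG-looking blob, and a blob that starts like a
# Windows executable ("MZ") but will be declared as image/png.
FAKE_PNG = PNG_MAGIC + bytes(16)
NOT_A_PNG = b"MZ" + bytes(22)


def build_message(attachment: bytes, filename: str = "uio-logo.png") -> bytes:
    """Build a multipart/mixed mail: a 7-bit text part plus a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # placeholder addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "MIME example"
    msg.set_content("This is the content of the mail.")
    msg.add_attachment(attachment, maintype="image", subtype="png", filename=filename)
    return msg.as_bytes()


def describe_parts(raw: bytes):
    """List (content type, transfer encoding, file name) for every MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        cte = part.get("Content-Transfer-Encoding")
        parts.append((part.get_content_type(), str(cte) if cte else None, part.get_filename()))
    return parts


def check_attachments(raw: bytes):
    """Decode each attachment and verify that a declared image/png really starts
    with the PNG signature. Returns (filename, declared type, magic_ok, data)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undoes the base64 transfer encoding
        declared = part.get_content_type()
        magic_ok = declared != "image/png" or data.startswith(PNG_MAGIC)
        results.append((part.get_filename(), declared, magic_ok, data))
    return results


if __name__ == "__main__":
    raw = build_message(FAKE_PNG)
    print(raw.decode("ascii"))
    for row in describe_parts(raw):
        print(row)
    for name, declared, ok, _ in check_attachments(build_message(NOT_A_PNG)):
        print(name, declared, "signature ok" if ok else "declared type does not match content")
```

`add_attachment` picks base64 for binary parts automatically, matching the Content-Transfer-Encoding in the slide's example; the text part stays 7bit because it is plain ASCII.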
Security Issues of Emails
⚫ Phishing
− Draw confidential information from victim (e.g. passwords)
⚫ Privacy breach
− Sender wants to track email recipients
⚫ SPAM
− Unwanted emails (e.g. advertisement)
⚫ Eavesdropping
− Disclosure of email contents on servers or during transport between servers
⚫ Spoofing
− Faking sender identity
⚫ Malware
− Infiltrating malicious programs into recipient’s computer
⚫ Fraud
− Contact medium for deception (e.g. financial fraud)
Phishing
⚫ Phishing = “Password Fishing”
− Victim receives email with link to fake Web site and clicks link
− Victim enters confidential data (e.g. passwords) assuming they are on a trusted Web site
− Attacker misuses the entered data
⚫ The tricks …
− Sending mass emails is very easy and cheap
− Sender addresses in emails are not authenticated
− Creating Web sites and mails impersonating a trusted source is easy
− Hyperlinks to fake Web sites can be hidden in HTML mails
Phishing URLs (1)
⚫ Attacker uses his own domain name, e.g.:
http://www.evil.net/login/
⚫ Other possibilities:
− generic DNS name (e.g. host.1234.provider.net)
− IP address
⚫ Disadvantage:
− Easily detectable for the victim
Phishing URLs (2)
(Assume there is a real bank with the address: www.online-bank.com)
⚫ Attacker uses his own domain name, but disguises it with a clever sub domain, e.g.:
http://www.online-bank.com.login.evil.net/
⚫ Advantage:
− Simple realization
− Harder to detect for the victim
Phishing URLs (3)
⚫ The attacker registers a domain similar to the original domain, e.g.:
http://www.online-bonk.com/login/
⚫ Advantage:
− Very hard to detect for the victim
⚫ Disadvantage:
− Higher effort (compared to the previous approaches)
Phishing URLs (4)
⚫ The attacker registers a domain looking like the original domain, e.g.:
http://www.online-bаnk.com/login/
(the “а” is taken from the Cyrillic (Russian) character set!)
⚫ Advantage:
− Very hard to detect for the victim
⚫ Disadvantage:
− Higher effort (compared to the previous approaches)
− Not possible with modern browsers (see below)
⚫ Most browsers encode non-ASCII characters in “Punycode”:
http://www.xn--online-bnk-6qi.net/login/
Phishing URLs (5)
⚫ The attacker uses the original domain:
http://www.online-bank.com/login/
⚫ Advantage:
− Detection is impossible for the victim
⚫ Disadvantage:
− Requires a DNS spoofing attack (see DNS chapter) → very high effort
Phishing and TLS
⚫ Which of these variants can be combined with TLS?
⚫ https://www.evil.net/login/
⚫ https://www.online-bank.com.login.evil.net/
⚫ https://www.online-bonk.com/login/
⚫ https://www.online-bank.com/login/
Phishing – Countermeasures
⚫ Some mail programs check for suspicious content
− Example: Masking the actual Web address, e.g. https://ecs-org.us14.list-manage.com/track/click?id=37753b9cd9
⚫ Observation of To and From addresses (but they can be spoofed)
⚫ Careful observation of Web addresses (plus usage of TLS)
⚫ Most important countermeasure: use of common sense!
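"Careful observation of Web addresses" can be partly automated. The Python example below is added here and is not part of the slides; it sorts the five URL variants from the previous slides into classes that a mail client or gateway could warn about. It assumes the real bank is www.online-bank.com as in the slides; the registrable-domain rule (last two labels) is a simplification of what a real checker does with the Public Suffix List, and variant (5), DNS spoofing, cannot be detected from the URL at all, which is why TLS certificate validation matters there.

```python
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAIN = "online-bank.com"      # the real bank assumed on the slides


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: real tools consult the
    Public Suffix List so that e.g. 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def non_ascii_letters(host: str):
    """(character, Unicode name) for every non-ASCII character in the host."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatting domains."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_url(url: str, legit: str = LEGIT_DOMAIN):
    """Return (verdict, detail) for a link found in a mail."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "invalid", url
    # (4) homograph: non-ASCII letters; report the Punycode form the browser shows
    foreign = non_ascii_letters(host)
    if foreign:
        ascii_host = host.encode("idna").decode("ascii")
        return "homograph", f"{ascii_host} contains {foreign[0][1]}"
    # bare IP address (one of the "other possibilities" on slide (1))
    if host.replace(".", "").isdigit():
        return "ip-address", host
    domain = registrable_domain(host)
    if domain == legit:
        return "legitimate", domain
    # (2) the real name hidden as a subdomain of the attacker's domain
    if host.startswith(legit + ".") or ("." + legit + ".") in host:
        return "subdomain-trick", domain
    # (3) typo / lookalike registration
    if edit_distance(domain, legit) <= 2:
        return "lookalike", domain
    # (1) unrelated domain
    return "unrelated", domain


if __name__ == "__main__":
    for link in ("http://www.evil.net/login/",
                 "http://www.online-bank.com.login.evil.net/",
                 "http://www.online-bonk.com/login/",
                 "http://www.online-b\u0430nk.com/login/",   # Cyrillic "a" (U+0430)
                 "http://www.online-bank.com/login/"):
        print(link, "->", classify_url(link))
```

The homograph branch reproduces the slide's `xn--online-bnk-6qi` label: the IDNA encoding is what modern browsers display for mixed-script names, which is the reason variant (4) no longer works against them.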
Email Tracking
⚫ The sender might want to know: has the recipient received/read the email?
⚫ Possibility 1: explicit request + receipt
− user must confirm mail receipt to finish a business process
− hardly used any more
⚫ Possibility 2: implicit tracking (mainly for SPAM or phishing)
− does the email address exist?
− does the email bypass SPAM filters?
− is the recipient viewing the mail (or deleting it)?
Email Tracking: Images
⚫ Many newsletters contain HTML content:
This is a multi-part message in MIME format.
------=_NextPart_655_E1CC256C.E1CC256C
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Hvis du ikke kan se HTML-version af nyhedsbrevet, skal du klikke på dette link:
http://rt1-t.autoemail.hm.com/r/?id=t36ae2b3,c895a0b,c895a47
------=_NextPart_655_E1CC256C.E1CC256C
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html>
<html style="border:0;margin:0;outline:0;padding:0">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body style="background:#fff;border:0;color:#000;line-height:1;margin:0>
<img src="https://s1-cdn.hm.com/global/assets/1.0.112/images/social/twitter-box.png">
Email Tracking: Images
⚫ Mail program receives email in HTML format
⚫ HTML document contains image tags (located on the Web server of the mail sender)
− e.g.: <img src="https://cdn.hm.com/logo/hm-logo-light-red.png">
⚫ Mail program downloads the images for rendering the HTML mail
⚫ Web server owner (= mail sender) logs the request and can analyze the URL
Email Tracking: Images
⚫ In all newsletters:
− https://s1-cdn.hm.com/global/assets/1.0.112/images/social/twitter-box.png
⚫ Newsletter 1:
− https://lpe.hm.com/hmoces?set=locale[no_no]&set=imageUrl[https://aemcomm.hm.com/content/dam/hm/Seasonal Images Email/Seasonal Images May 2019/6059-1.50-Customer-On-Boarding-3x2-1400x934px-5.jpg/_jcr_content/renditions/cq5dam.web.750.750.jpeg]&set=width[750]&call=url[https://s1-cdn.hm.com/global/image-chains/1.1.253/price-module-image-v2/desktop.chain]&auth=hash[e5be3db9]
⚫ Newsletter 2:
− https://lpe.hm.com/hmoces?set=locale[no_no]&set=imageUrl[https://aemcomm.hm.com/content/dam/hm/Seasonal Images Email/Seasonal Images May 2019/6059-1.50-Customer-On-Boarding-3x2-1400x934px-5.jpg/_jcr_content/renditions/cq5dam.web.750.750.jpeg]&set=width[750]&call=url[https://s1-cdn.hm.com/global/image-chains/1.1.253/price-module-image-v2/mobile.chain]&auth=hash[87882c29]
Email Tracking: Links
⚫ Link to “Today's Headlines”
⚫ Newsletter 1:
− https://nl.nytimes.com/f/a/otsqCtxeBjREdiEiVRSdZA~~/...
⚫ Newsletter 2:
− https://nl.nytimes.com/f/a/aKN5MabIovCe_iU3KL9SBw~~/...
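The two newsletter examples show the pattern: static assets are shared, while tracking images and links carry a query string or an opaque per-recipient token. The Python example below is added here and is not part of the slides; it extracts image sources and link targets from an HTML mail body, flags the ones that look like trackers, and applies the mitigation most mail clients offer, emptying remote image sources so nothing is fetched (and nothing logged) when the mail is rendered. The HTML body is constructed after the excerpts above; the news link uses a placeholder token and a reserved `.test` domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML mail body modelled on the newsletter excerpts: a shared static
# image, a per-recipient image URL, a per-recipient link and an inline (cid:)
# image that needs no network access.
SAMPLE_HTML = """<!DOCTYPE html>
<html><body>
<img src="https://s1-cdn.hm.com/global/assets/1.0.112/images/social/twitter-box.png">
<img src="https://lpe.hm.com/hmoces?set=locale[no_no]&amp;set=width[750]&amp;auth=hash[e5be3db9]">
<a href="https://nl.example-news.test/f/a/RECIPIENT_SPECIFIC_TOKEN_1234~~/">Today's Headlines</a>
<img src="cid:inline-logo">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect image sources and link targets from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "img" and attributes.get("src"):
            self.images.append(attributes["src"])
        elif tag == "a" and attributes.get("href"):
            self.links.append(attributes["href"])


def is_remote(url: str) -> bool:
    return urlsplit(url).scheme in ("http", "https")


def looks_like_tracker(url: str) -> bool:
    """Heuristic: a query string or a long opaque path element usually carries
    a per-recipient identifier; a plain file name such as logo.png does not."""
    parts = urlsplit(url)
    if parts.query:
        return True
    last = parts.path.rstrip("/").split("/")[-1]
    return len(last) >= 16 and "." not in last


def audit_html(html: str):
    collector = ResourceCollector()
    collector.feed(html)
    remote_images = [u for u in collector.images if is_remote(u)]
    return {
        "remote_images": remote_images,
        "tracking_images": [u for u in remote_images if looks_like_tracker(u)],
        "tracking_links": [u for u in collector.links
                           if is_remote(u) and looks_like_tracker(u)],
    }


def block_remote_images(html: str) -> str:
    """Mitigation: empty every remote img src so the client fetches nothing."""
    return re.sub(r'(<img\b[^>]*\bsrc=")https?://[^"]*(")', r"\1\2", html,
                  flags=re.IGNORECASE)


if __name__ == "__main__":
    for key, urls in audit_html(SAMPLE_HTML).items():
        print(key, urls)
    print("after blocking:", audit_html(block_remote_images(SAMPLE_HTML))["remote_images"])
```

Blocking remote images stops the "is the recipient viewing the mail?" signal; the per-recipient links remain, which is why the tracking-link list is reported separately: they only fire if the user clicks.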
SPAM
⚫ What are the reasons for the huge amount of SPAM?
− Sending mass emails is very easy and cheap
− Sender addresses are not authenticated
− Sender domains are not authenticated
− Open relay servers accept and forward mail from anyone
Message Transport System (original)
[Figure: sender UA → MTA → open relay MTA → MTA → MTA/MDA → receiver UA; every hop simply accepts and forwards the mail with From: [email protected], nothing ties the From address to the sending MTA]
Message Transport System (nowadays)
[Figure: sender UA → MTA → MTA/MDA → receiver UA, From: [email protected]; the receiving MTA accepts mail from [email protected] only from the MTA of the example.com domain]
Message Transport System (nowadays)
⚫ The Received trail of the example mail, one line per hop:
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-ex11.exprod.uio.no (2001:700:100:120::73) by
 mail-ex12.exprod.uio.no (2001:700:100:120::74) with Microsoft SMTP Server
 (TLS) id 15.0.1497.2; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-mx03.uio.no (129.240.169.59) by mail-ex11.exprod.uio.no
 (129.240.120.73) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
 Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from easychair.org ([213.136.76.235])
 by mail-mx03.uio.no with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.92)
 (envelope-from <[email protected]>)
 id 1i5DsY-00049g-3U
 for [email protected]; Tue, 03 Sep 2019 20:50:10 +0200
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for <[email protected]>; Tue, 3 Sep 2019 20:50:09 +0200
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 3 Sep 2019 20:50:09 +0200
...
Message Transport System (nowadays)
[Figure: sender UA → MTA (“I am the MTA of domain example.com”) → MTA → MTA/MDA → receiver UA, From: [email protected]. MTAs must authenticate!]
Sender Policy Framework (SPF)
⚫ Every domain defines a list of allowed sending MTAs
⚫ The list is published in the domain’s DNS
⚫ Receiving MTA checks if the sending MTA is on the SPF list
[Figure: sending MTA → receiving MTA, From: [email protected]; the receiving MTA looks up the list of allowed sender addresses (129.240.10.33, 129.240.10.34, ...) in the DNS of example.com]
SPF Example: UiO
⚫ SPF record of uio.no:
v=spf1 mx ip4:129.240.10.0/25 ip6:2001:700:100:10::/64 ip6:2001:700:100:8210::/64 include:spf.uio.no ?all
⚫ Envelope of email sent from UiO address:
Received: from mail-out02.uio.no (mail-out02.uio.no [129.240.10.71])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by mx4.xxx.xx (Postfix) with ESMTPS id E4F771F884
 for <[email protected]>; Sun, 6 Oct 2019 14:04:50 +0200 (CEST)
⚫ Receiving MTA has checked SPF (result also included in mail header):
Authentication-Results: mx4.xxx.xx;
 spf=pass (mx4.xxx.xx: domain of [email protected] designates 129.240.10.71 as permitted sender)
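To show what the receiving MTA does with that record, here is an added Python evaluator (not part of the slides, and not a complete RFC 7208 implementation) that walks the mechanisms of the uio.no record against an in-memory DNS table. The TXT record is the one shown above; the MX host names, the contents of spf.uio.no and the second, strict domain are assumptions made for the example. It also shows the caveat in the record's last term: `?all` yields "neutral" for an unlisted sender, so the receiver is told nothing, whereas `-all` yields "fail".

```python
import ipaddress

# Constructed in-memory DNS. The uio.no TXT record is the one on the slide; the
# MX hosts and the content of spf.uio.no are assumptions for this example.
DNS = {
    "uio.no": {
        "TXT": ["v=spf1 mx ip4:129.240.10.0/25 ip6:2001:700:100:10::/64 "
                "ip6:2001:700:100:8210::/64 include:spf.uio.no ?all"],
        "MX": ["mx1.uio.example", "mx2.uio.example"],
    },
    "spf.uio.no": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "mx1.uio.example": {"A": ["192.0.2.10"]},
    "mx2.uio.example": {"A": ["192.0.2.11"]},
}
# A domain that rejects everything not listed (hard fail instead of "?all").
STRICT_DNS = {"strict.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]}}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    for txt in dns.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def host_addresses(host, dns):
    records = dns.get(host, {})
    return [ipaddress.ip_address(a) for a in records.get("A", []) + records.get("AAAA", [])]


def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate the sending IP against the SPF record of domain.

    Mechanisms handled: ip4, ip6, mx, include, all. Result strings follow
    RFC 7208: none, neutral, pass, fail, softfail, permerror."""
    if depth > 10:
        return "permerror"                     # include loops / too many lookups
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = sender.version == network.version and sender in network
        elif mechanism == "mx":
            for mx_host in dns.get(argument or domain, {}).get("MX", []):
                if sender in host_addresses(mx_host, dns):
                    matched = True
        elif mechanism == "include":
            matched = check_spf(ip, argument, dns, depth + 1) == "pass"
        # a, exists, ptr and modifiers such as redirect= are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                           # no term matched and no "all"


if __name__ == "__main__":
    for sender_ip in ("129.240.10.71", "2001:700:100:10::5", "198.51.100.7", "203.0.113.5"):
        print(sender_ip, "->", check_spf(sender_ip, "uio.no"))
    print("203.0.113.5 against strict.example ->", check_spf("203.0.113.5", "strict.example", STRICT_DNS))
```

The first address is the mail-out02.uio.no host from the Received line above and matches `ip4:129.240.10.0/25`, which is the "designates 129.240.10.71 as permitted sender" verdict in the Authentication-Results header.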
DomainKeys Identified Mail (DKIM)
⚫ Sending MTA digitally signs (parts of) outgoing emails
⚫ The corresponding public key is published in the domain’s DNS
⚫ Receiving MTA downloads the public key and verifies the signature
[Figure: sending MTA → receiving MTA, From: [email protected]; the receiving MTA fetches the key record (k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAO...) from the DNS of example.com]
DKIM Example: Google Mail
⚫ DKIM record of Google Mail:
k=rsa; p=MIIBIjAN...YRJQqR" "tqEgSiJ+...DA/QAB
⚫ Envelope sent from a Google Mail address:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=OdI9XMdK6yLSftJKNtdmXt6Wt+JqJWNfaLu0qvcMd98=;
 b=TbjoDJda8/UX3 ... Afy3Yqlg/==
⚫ Receiving MTA has checked the DKIM signature (result also included in mail header):
Authentication-Results: mx4.xxx.xx;
 dkim=pass header.d=gmail.com header.s=20161025 header.b=TbjoDJda;
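The tags in the DKIM-Signature header tell the receiver where to find the key and what was signed. The Python example below is added here and is not part of the slides: it parses the tag list shown above, derives the DNS name of the key record (`<s>._domainkey.<d>`), and performs the first verification step, recomputing the body hash `bh=` over the RFC 6376 "relaxed" canonical form of the body. The second step, checking `b=` over the signed headers with the RSA public key from DNS, needs a crypto library and is deliberately left out; the `b=` value here is the truncated placeholder from the slide, and the body strings are constructed.

```python
import base64
import hashlib
import re

# DKIM-Signature value as on the slide. b= is truncated there, so it is only a
# placeholder here; the actual signature cannot be checked without the key.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;"
                    " h=mime-version:from:date:message-id:subject:to;"
                    " bh=OdI9XMdK6yLSftJKNtdmXt6Wt+JqJWNfaLu0qvcMd98=;"
                    " b=TbjoDJda8/UX3...Afy3Yqlg/==")


def parse_dkim_tags(value: str):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is ignored."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def dkim_key_name(tags) -> str:
    """DNS name (TXT) the receiving MTA queries for the public key: <s>._domainkey.<d>"""
    return f"{tags['s']}._domainkey.{tags['d']}"


def relaxed_body(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace,
    strip trailing whitespace, drop empty trailing lines, CRLF line ends."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8") if lines else b""


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode("ascii")


def verify_body_hash(body: str, tags) -> bool:
    """Verification step 1: does the received body still match bh=?
    Any change to the body (other than whitespace the relaxed form ignores)
    makes this fail before the signature itself is even looked at."""
    return body_hash(body) == tags.get("bh")


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIGNATURE)
    print("key record:", dkim_key_name(tags))
    print("signed headers:", tags["h"].split(":"))
    print("bh for constructed body:", body_hash("Hello Alice.\r\nThis is a test message.\r\n"))
```

The `h=` list matters for the "alignment" DMARC later requires: `from` is among the signed headers, so the From address cannot be altered without invalidating the signature.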
Domain-based Message Authentication, Reporting and Conformance (DMARC)
⚫ The sending domain specifies (in DNS) whether it supports DKIM and/or SPF and what shall happen if one of the checks fails
⚫ Additionally DMARC enforces the “alignment” of the mail address domain and the authenticated domain
[Figure: sending MTA → receiving MTA, From: [email protected]; the receiving MTA reads the DMARC policy from the DNS of example.com, e.g. p=none; pct=100; rua=mailto:[email protected]]
SPAM
⚫ Still possible to send SPAM:
− Register a domain for SPAM purposes
− Sloppy configuration of mail servers
− Sending emails via botnets
⚫ Further SPAM detection mechanisms:
− Black- / white-lists of email domains (e.g. dnswl.org)
− Inspection of email content (rule based or using machine learning):
▪ typical ad keywords
▪ suspicious formatting (e.g. white text on white background, using encoding to hide content)
▪ suspicious attachments
SPAM
⚫ Most SPAM detection systems calculate a “SPAM score” using a bonus/malus system (based on the mechanisms presented before)
⚫ If the total score exceeds a threshold → probably SPAM
⚫ Example (X-Spam-Report header of a SPAM filter):
X-Spam-Report: Content analysis details: (5.8 points)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.19 listed in list.dnswl.org]
 5.0 URIBL_HEDBL_SPAM_2     Contains an URL listed in the HEDBL blocklist [URIs: responsys.net]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
 0.1 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily
 1.5 THIS_AD                "This ad" and variants
S/MIME
⚫ Method for encrypting and digitally signing email content by the sender
⚫ Advantages:
− End-to-end integrity, authenticity and confidentiality
− Supported by most email clients
⚫ Disadvantages:
− “Official” certificate required
− Identification to the CA much more complicated than in the Web
− Key management: private key must be installed on all email devices
− Email headers (e.g. From and To) remain readable
⚫ Current state:
− Only used in some enterprises or universities (with own CA)
Pretty Good Privacy (PGP)
⚫ Method for encrypting and digitally signing
⚫ Used for software integrity (signature) and email security
⚫ Trust model (no “official” CA certificate required):
− Direct trust (requires careful check of the received certificate) → everyone can sign a trusted certificate and (re-)publish it
− Web of trust: if there exists a path of direct trust to a certificate you can also trust it (indirect trust)
⚫ Advantage:
− No identification to a CA required
(Image source: Wikipedia)
Pretty Good Privacy (PGP)
⚫ Disadvantages:
− Not (natively) supported by major email clients
− Complex key management (“Whom shall I trust?”)
− Many cryptographic and implementation flaws (e.g. EFAIL)
− Publication of a certificate with a huge number of signatures offers a possibility for a DoS attack on PGP clients
⚫ Current state:
− For email security only used in small communities
(Image source: vice.com)
Malware
⚫ Email is still the main infection source for malware
⚫ Example: Locky
(Image source: mcafee.com)
Summary
⚫ The email system has many security issues
⚫ Typical security mechanisms:
− Confidentiality, integrity:
▪ MTA to MTA: TLS
▪ End to end: (practically) nothing
− Authenticity:
▪ MTA to MTA: DKIM, SPF
▪ End to end: (practically) nothing
− Availability: SPAM detection
− Trustworthy content:
▪ Backend: Virus detection (e.g. email sandboxing)
▪ Client: URL inspection
▪ User: common sense