Beat Spam Using The E-mail Security Appliance

Nicole Wajer, Consulting Systems Engineer, EMEAR (@vlinder_nl)

Agenda

• SMTP Review

• Threats - Protecting against SPAM, Viruses, Malware, Phishing

• Spam vs Graymail

• Email Security Appliance (ESA)

• SPF, DKIM and DMARC

• Conclusion

We will cover:

• SMTP Review

• Trends and Threats

SMTP Review

Email Review: Definitions

Mail Protocols

Sending: Simple Mail Transfer Protocol (SMTP)

• Connection oriented, text based protocol that communicates over TCP port 25

• Client-Server architecture defined originally in RFC821 in 1982, with the latest revision in 2008, RFC5321

• Uses a series of command and reply sequences to define headers and data to be transmitted

• Relies on DNS to determine routing of messages from sender to recipient

SMTP Sender / SMTP Receiver exchange (from the slide diagram):

1. Sender: establish a TCP connection to the receiving MTA
2. Receiver: accept the TCP connection, send the 220 "Ready" reply
3. Sender: receive "Ready", send "HELO"
4. Receiver: receive "HELO", send 250 OK with extensions
5. Sender: receive "OK", connection open; send from / to and extensions, then send DATA (receiver receives DATA)
6. Sender: send QUIT
7. Receiver: receive "QUIT", send goodbye
8. Sender: receive goodbye, close connection

Mail Anatomy

It's impressive…

One or more Received headers, showing the servers that are sending the message:
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com. [173.37.142.92]) by mx.google.com with ESMTPS (version=TLSv1 cipher=RC4-SHA bits=128/128);

The FROM header:
From: "Nicole Wajer(niwajer)"

The TO, CC and BCC headers:
To: "[email protected]"

Subject header:
Subject: Print this

Custom headers:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.24.192.221]

MIME headers specifying boundaries for the different parts of the message:
Content-Type: multipart/mixed; boundary="_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_"

MIME-Version: 1.0

First part of the message, in this case plain text:

--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Can you please print this?

Mail Anatomy

There's more! Start of the next part, with the attachment details:

--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_
Content-Type: text/plain; name="list.txt"
Content-Description: list.txt
Content-Disposition: attachment; filename="list.txt"; size=53814; creation-date="Sun, 19 Jan 2014 03:58:56 GMT"; modification-date="Mon, 20 Jan 2014 19:51:37 GMT"
Content-Transfer-Encoding: base64

BASE64 data attached:

MS4gV2hpY2ggb2YgdGhlIGZvbGxvd2luZyBzdGF0ZW1lbnRzIGlzIE5PVCB0cnVlIHJlZ2FyZGlu ZyB0aGUgR2VvbG9jYXRpb24gZmVhdHVyZT8gDQpCLiAgVGhlIEdlb2xvY2F0aW9uIGRhdGFiYXNl IG11c3QgYmUgbWFudWFsbHkgaW5zdGFsbGVkIGluaXRpYWxseSANCiAgICAgIA0KMi4gR2VvbG9j YXRpb24gYmxvY2tpbmcgaXMgc3VwcG9ydGVkIG9uIGFsbCBTb3VyY2VmaXJlIGFwcGxpYW5jZSBw bGF0Zm9ybXMuIA0KQi4gIEZhbHNlIA0KICAgICAgDQozLiBXaGljaCBvZiB0aGUgZm9sbG93aW5n IHN0YXRlbWVudHMgaXMgdHJ1ZSByZWdhcmRpbmcgQWNjZXNzIENvbnRyb2wgcG9saWN5IHJ1bGVz ...

Closing boundary (end of the MIME attachment):

--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_--
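The dissection the Mail Anatomy slides do by hand can be automated with Python's standard email library. The example below is added here and is not from the slides or from Cisco: it parses a constructed message of the same shape (Received chain, headers, a quoted-printable text part and a base64 attachment; the boundary, addresses and attachment text are made up) and returns what a mail administrator looks at first, including each attachment's name and decoded size.

```python
# Added example (not from the slides): parse a raw message with Python's standard
# email library, walk the MIME parts and collect what the "Mail Anatomy" slides
# annotate by hand. The message below is constructed for this example.
import base64
import email
from email import policy

# Constructed attachment content and a two-part multipart/mixed message around it.
ATTACHMENT_TEXT = b"1. Which of the following statements is NOT true?\r\nB. False\r\n"
RAW_MESSAGE = (
    "Received: from relay.example.org (relay.example.org. [192.0.2.10])\r\n"
    "        by mx.example.net with ESMTPS (version=TLSv1.2);\r\n"
    "Received: from workstation.internal ([10.0.0.5]) by relay.example.org;\r\n"
    'From: "Nicole Example" <nicole@example.org>\r\n'
    "To: alice@example.net\r\n"
    "Subject: Print this\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="_002_EXAMPLEBOUNDARY_"\r\n'
    "\r\n"
    "--_002_EXAMPLEBOUNDARY_\r\n"
    'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Can you please print this?\r\n"
    "--_002_EXAMPLEBOUNDARY_\r\n"
    'Content-Type: text/plain; name="list.txt"\r\n'
    'Content-Disposition: attachment; filename="list.txt"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(ATTACHMENT_TEXT).decode()
    + "\r\n"
    "--_002_EXAMPLEBOUNDARY_--\r\n"
)


def summarize_message(raw: str) -> dict:
    """Return the header fields and MIME parts a mail admin looks at first."""
    msg = email.message_from_string(raw, policy=policy.default)
    summary = {
        # Each hop prepends its own Received header, so the topmost entry is the
        # hop closest to us and the list reads "most recent first".
        "received": [" ".join(h.split()) for h in msg.get_all("Received", [])],
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "parts": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue  # the multipart container itself carries no body
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        summary["parts"].append({
            "content_type": part.get_content_type(),
            "disposition": part.get_content_disposition(),  # None, "inline" or "attachment"
            "filename": part.get_filename(),
            "decoded_size": len(payload),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
        })
    return summary


def attachments(raw: str) -> list:
    """Just the attachment parts, as (filename, content type, decoded size) tuples."""
    return [(p["filename"], p["content_type"], p["decoded_size"])
            for p in summarize_message(raw)["parts"]
            if p["disposition"] == "attachment"]


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_message(RAW_MESSAGE), indent=2))
```

Decoding with `get_payload(decode=True)` is what gives the real attachment size and bytes; the `size=` parameter in Content-Disposition is supplied by the sender and should not be trusted for policy decisions.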

Did you get my message? Bounces and Delays

• NDR: Non-Delivery Report

• Generated by the sending MTA if there is a lookup error (i.e. the domain does not exist)

• Generated by the receiving MTA (or mailbox server) if the user does not exist or the mailbox is full

• The error shown in the NDR is a 500 level error, a permanent failure: no retry

[Figure: example NDR, annotated with the server that sent the bounce and the reason it was bounced back]

• DSN: Delivery Status Notifications

• Generated by the sending MTA when the destination is down (i.e. the server is unresponsive)

• Messages are re-queued and delivery is retried after a specified period

• DSN is a soft failure, a 400 level error message

• After a specified amount of time, if it still cannot deliver, it will fail with an NDR

Email Spam Trends and Threats

The Nemesis: SPAM

SPAM stands for:
A) Stupid, Pointless Annoying Message
B) Sending Pornography and Abusive Marketing
C) Slang name for Unsolicited Commercial Email
D) All of the above

Types of SPAM

• Spamvertising

• 419 scams

• Phishing

• Harvest spam

• Image spam

• Backscatter spam

• Snowshoe spam

Gone Phishing

• Phish – The impersonation of a party to gain trust of the target and obtain confidential information

• Spear Phishing – Attacks against a specific person or company, with the intent to gain personal information

• Whaling (Big Phish) – Targeted to Senior Executives or high profile personnel, with a sophisticated and researched attack

• Defence: User education and URL detection on the Cisco Email Security Appliance

Backscatter Spam

• Backscatter attack – the most profitable Email DDoS

• Hire a botnet

• Spoof millions of messages to non-existent recipients claiming to come from the DDoS target

• Watch their Email systems go down under the flood of bounce messages from all over the Internet

Effective countermeasures against all bounce-based danger: SPF, DMARC and BATV (all supported by Cisco Email Security Appliance and Cloud Email Security!)

Protecting Against BackScatter
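BATV, named above as a countermeasure, works by signing the envelope sender of outbound mail so that a bounce for mail you never sent can be recognised. The example below is added here and is not the ESA's implementation: it follows the shape of the BATV "prvs" tag (key id, expiry day, six hex digits of an HMAC) with constructed key material, signs an outbound MAIL FROM, and decides whether an inbound bounce is addressed to a tag we actually issued.

```python
# Added example (not the ESA's own implementation): Bounce Address Tag Validation in
# the style of the BATV "prvs" scheme. Outbound mail gets a signed, expiring tag in
# its envelope sender; an inbound bounce (null envelope sender) is accepted only if
# the address it targets carries a tag we issued. Key ids and secrets are made up.
import hashlib
import hmac

# Constructed key material. The key id (one digit in the tag) selects which secret
# signed it, which is what "use a varying set of keys" and "assign them to different
# destinations" refer to: different keys can be used for different destinations.
KEYS = {"0": b"example-secret-for-key-0", "1": b"example-secret-for-key-1"}
TAG_LIFETIME_DAYS = 7


def _mac(key_id: str, expiry_day: int, address: str) -> str:
    """Six hex digits of HMAC-SHA256 over (expiry day, original address)."""
    data = f"{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, today: int, key_id: str = "0") -> str:
    """Rewrite user@domain into prvs=KDDDHHHHHH=user@domain for the envelope MAIL FROM.

    `today` is a day counter (e.g. days since the epoch); the tag stores only the
    expiry day modulo 1000, as prvs does, so old tags cannot be replayed indefinitely.
    """
    expiry_day = (today + TAG_LIFETIME_DAYS) % 1000
    local, domain = address.rsplit("@", 1)
    return f"prvs={key_id}{expiry_day:03d}{_mac(key_id, expiry_day, address)}={local}@{domain}"


def verify_bounce_recipient(tagged: str, today: int) -> tuple:
    """Check the RCPT TO of an inbound bounce. Returns (accept, reason, original_address)."""
    if not tagged.startswith("prvs="):
        return (False, "untagged bounce: we never sent mail with this Return-Path", None)
    try:
        tag, original = tagged[len("prvs="):].split("=", 1)
        key_id, expiry_day, mac = tag[0], int(tag[1:4]), tag[4:10]
    except (ValueError, IndexError):
        return (False, "malformed tag", None)
    if key_id not in KEYS:
        return (False, "unknown key id", original)
    expected = _mac(key_id, expiry_day, original)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return (False, "bad signature", original)
    # Days left before expiry, computed modulo 1000 like the tag itself; a forged
    # far-future expiry shows up as "more than the lifetime" and is rejected too.
    remaining = (expiry_day - today % 1000) % 1000
    if remaining == 0 or remaining > TAG_LIFETIME_DAYS:
        return (False, "tag expired", original)
    return (True, "valid tag", original)


if __name__ == "__main__":
    tagged = sign_sender("alice@example.org", today=100)
    print(tagged)
    print(verify_bounce_recipient(tagged, today=103))
    print(verify_bounce_recipient("alice@example.org", today=103))
```

Only the null-sender (bounce) path needs the check; normal inbound mail is unaffected. Rejecting at RCPT TO keeps the backscatter flood off the work queue entirely.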

• Settings on your ESA can define which keys to use

• Use a varying set of keys to sign messages

• Assign them to different destinations

"Snowshoe" Spam – better evasion techniques

• Spam campaigns that use unique text from unique IPs

• Short campaigns – morphs fast – constantly changing

• Reputation and Content analysis resistant

• Offer spam (Micro-category) = Sell goods or services.

• Majority of Offer spam uses Snowshoe techniques

• Pure content analysis can lead to high false positives – need to have a balance

YourUPSorder.exe

• 0-Day attacks usually consist of files such as EXE, PDF, ZIP, OFFICE, etc.

• Combination of Phishing and Malware payload

• Multi-Vector threats hide malware in URL

• Advanced techniques use droppers, where a two-stage installer is used

Defence in depth using signature AV, 0-day filtering and Advanced Malware Protection.

Why Targeted Phishing Works

Targeted Phishing

• Attacks require criminals to efficiently build appropriate resources and trick victims into revealing valuable private information.

• https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-information/phishing

Social Engineering

Example of Social Engineering

• Phishing scams might be the most common type of social engineering attack used today. Most phishing scams demonstrate the following characteristics:

• Seek to obtain personal information, such as names, addresses and social security numbers.

• Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.

• Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.

We covered:

• SMTP Review

• Email Spam Trends and Threats

We will cover:

• Spam vs Graymail

• What does the Email Security Appliance pipeline look like?

• Protecting your users with the Email Security Appliance

Spam vs Graymail

Spam vs Graymail - 1

• Spam is email that the recipient didn't choose to receive (unsolicited) and generally has embedded links, pictures and other documents that may be disguised to look legitimate, but are actually malicious in nature. Spam is intended to fool the recipient and cause harm to the end user's environment. For more information on Spam, please refer to the CAN-SPAM Act of 2003.

Spam vs Graymail - 2

• In short: Graymail is email that the recipient "opted" to receive, but doesn't really want in their inbox. A good example is when you go shopping and provide your details to receive coupons/discounts and other notifications from that vendor. These emails are known as graymail: you opted to receive them, but after a while you grow tired of how many annoying emails the vendor sends, and they end up being reported as spam, which they aren't at all.

Mail Flow

ESA Email Pipeline and Definitions

SMTP SERVER
• Host Access Table (HAT)
• Received Header
• Default Domain
• Domain Map
• Recipient Access Table (RAT)
• Alias Table
• LDAP RCPT Accept
• SMTP Call-Ahead
• DKIM / SPF Verification
• DMARC Verification
• S/MIME Verification

WORKQUEUE
• LDAP RCPT Accept (WQ)
• Masquerading (Table / LDAP)
• LDAP Routing
• Message Filters
• Per Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail and Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound)

SMTP CLIENT
• Encryption
• Virtual Gateways
• Delivery Limits
• Received: Header
• Domain-Based Limits
• Domain-Based Routing
• Global Unsubscribe
• S/MIME Encryption
• DKIM Signing
• Bounce Profiles
• Message Delivery

Protect Your Users with ESA

Email Security Appliance

HAT – Host Access Table

• Systems are added to the various Sender Groups manually by adding the sender's IP address, host name, or partial host name, or they fall into a particular sender group due to their reputation score.

MFP – Mail Flow Policy

• Check the Mail Flow Policies carefully for each Sender Group.

• Whitelisted senders will have the Trusted Mail Flow Policy, or MFP, applied.

• By default this policy turns off spam detection.

• This allows a trusted sender, or a compromised system at a trusted organisation, to send spam that goes straight through the ESA. Messages that flow through the system in this manner will not have the X-IronPort-Anti-Spam-Result header inserted in them: a clear indicator that the message wasn't scanned by the Anti-Spam engine.

Sendergroup - Suspect

• The THROTTLED MFP can be raised from -1.0 to -0.6 to throttle more senders

• If you are having issues with senders that do not have a SenderBase score, you can change the SUSPECTLIST Sender Group to “Include SBRS Scores of None” to throttle their emails through your ESA devices.

• Email from senders with a misconfigured DNS may generate false positives.

• You may want to reduce these by configuring a separate MFP that returns a custom 4xx response indicating the reason for the rejection of messages.

Customizing Reputation on the ESA

Default Settings: Moderate Blocking / Custom Settings: Aggressive Throttling

• Reputation Score determined when connection initiated

• Sender Groups and actions are defined by the administrator

• Reputation can block 80-90% of connections on the ESA

Recipient Validation

• Recipient Validation can be used to determine whether the incoming message is destined for a valid user.

• LDAP - LDAP queries are configured on the individual Listener interfaces

• Recommendation: Allow Mail In to fail open if the LDAP server is unreachable.

• SMTP Call-Ahead

Anti-Spam

• Mail Policies -> Incoming Mail Policies

Spam Options

• Positively-Identified spam is email that is known spam.

• Suspected Spam is email that has characteristics of spam, but has not been confirmed as spam yet.

• Emails identified as positively identified spam and suspected spam can be delivered, dropped, sent to spam quarantine, or bounced, with an additional option to send to an alternate host.

Cisco IronPort Anti-Spam (IPAS)

Conservative: Unchanged

Moderate:
• Positive Spam = 85
• Suspect Spam = 45
• Always Scan 1.5MB or Less
• Never Scan 2MB or More

Aggressive:
• Positive Spam = 80
• Suspect Spam = 39
• Always Scan 2MB or Less
• Never Scan 2MB or More

Spam Options - Continued

• Text can be either prepended or appended to the subject line to indicate to the recipient that the email is known to be spam. The default is [SPAM] for positively identified spam and [SUSPECTED SPAM] for suspected spam.

• The recommended settings are to customise the settings and set the Positively Identified Spam score to and the Suspected Spam score to 43.

• Make any adjustments by no more than a count of 5 at a time. Monitor the results for excessive false positives by setting up spam quarantines and testing the settings on a specific group of users.

Graymail

Enable Graymail Detection

• Marketing Message Detection is off by default.

• Recommendation for each incoming mail policy: mark the message subject line with the text "[MARKETING]," and deliver it to the end user.

• Marketing messages make up a large percentage of the complaints regarding missed spam. Tagging them allows email administrators to do what they feel is best for their organisation: drop, quarantine, or deliver marketing messages. Alternatively, the email administrator could create a rule to place such messages in the user's Outlook Junk Mail folder, or simply allow the end users to create their own rules for handling those messages.

Advanced Malware Protection (AMP)

• Advanced Malware Protection is integrated on the ESA

• Provides the ability for File Reputation, File Sandboxing, and File Retrospection

• Combined with native URL filtering, ESA provides full malware and phishing detection

Web Reputation Filters aka URL Filtering

• Security Services -> URL Filtering

• By default, URL Filtering applies to all URLs, but you have the possibility to "whitelist" certain URLs. This can be useful for internal domains and URLs, which will of course not have a reputation score or a URL category.

URL Rewriting

• Outbreak Filter has the option to "rewrite" a URL. The URL no longer points directly to the destination but will now be redirected over the Cisco Cloud Web Security Proxy.

URL Rewriting - continued

• A rewritten URL looks like this: [figure of a rewritten URL, not reproduced]

URL Rewriting - continued

• It is recommended to rewrite only URLs that are not signed. • If a URL is digitally signed, the rewriting would make the signature no longer valid.

• If the user clicks on the URL he will be redirected to the Cloud Web Security Proxy: [figure not reproduced]

Outbreak Filters

Outbreak Filter Settings

Outbreak Filter Settings - continued

Outbreak Filter

• Best Practice to set Outbreak to Level 3

• Only for more 'aggressive' security can you lower it to level 2, but that can create more 'False Positives'

Cisco Outbreak Filters in action

We covered:

• Email Security Appliance Pipeline

• HAT and its features

• Anti Spam Filter

• Anti Virus Filter

• Graymail Settings

• URL Filtering

• AMP

• Outbreak Filters

SPF, DKIM, and DMARC email verification

SMTP: A pleasant conversation

S: 220 smtp.acmewidgets.com SMTP Server        (Hello, this is smtp.acmewidgets.com)
C: HELO relay.example.org                      (HELO, I'm relay.example.org)
S: 250 Hello relay.example.org                 (Hi relay.example.org)
C: MAIL FROM:                                  (I got a message from [email protected])
S: 250 Ok                                      (OK)
C: RCPT TO:                                    (And it's for [email protected])
S: 250 Ok                                      (OK)
C: RCPT TO:                                    (And for [email protected])
S: 250 Ok                                      (OK)
C: DATA                                        (So here is the message)
S: 354 End data with <CR><LF>.<CR><LF>         (Go ahead)
C: From: "Bob Example" blah
   To: "Alice Example" blah
   [email protected] blah
   Subject: Test message
   ...
   Hello Alice. This is a test message
   Thanks, Bob
   .                                           (OK, I'm done.)
S: 250 Ok: queued as 12345                     (OK, got it, will send it)
C: QUIT                                        (See ya!)
S: 221 Bye                                     (Bye!)

SMTP: A pleasant conversation but not very secure

S: 220 smtp.acmewidgets.com SMTP Server        (Hello, this is smtp.acmewidgets.com)
C: HELO mail.cisco.com                         (Hi, I'm mail.cisco.com)            <-- Easily spoofed
S: 250 Hello mail.cisco.com                    (Hi mail.cisco.com)
C: MAIL FROM:                                  (I got a message from [email protected])
S: 250 Ok                                      (OK)
C: RCPT TO:                                    (And it's for [email protected])
S: 250 Ok                                      (OK)
C: RCPT TO:                                    (And for [email protected])
S: 250 Ok                                      (OK)
C: DATA                                        (So here is the message)
S: 354 End data with <CR><LF>.<CR><LF>         (Go ahead)
C: From: "Your Boss" blah                                                          <-- Content is not checked
   To: "Alice Example" blah
   [email protected] blah
   Subject: Money Transfer blah
   Please send money! blah blah
   The Boss
   .                                           (OK, I'm done)
S: 250 Ok: queued as 12345                     (OK, got it, will send it)          <-- Delivered!
C: QUIT                                        (See ya!)
S: 221 Bye                                     (Bye!)

Enhancing the Security of SMTP

• Enhanced SMTP (ESMTP) implemented to help extend and secure SMTP

• Enabling the extended commands requires the SMTP conversation to begin with EHLO (vs. HELO)

• Some of the commands implemented as part of ESMTP:

• STARTTLS — Transport layer security, RFC 3207

• AUTH — Authenticated SMTP, RFC 4954

• DSN — Delivery status notification, RFC 3461

• HELP — Supply helpful information, RFC 821

• SMTPUTF8 — Allow UTF-8 encoding in mailbox names and header fields, RFC 6531

• Servers must provide a fall back from ESMTP

Authenticating Senders with SMTP AUTH

• SMTP Authentication (SMTP AUTH) provides the ability for the sender, typically an end user, to pass credentials to the MTA or MSA.

• To secure the user/pass, TLS is used to encrypt the communications
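To make the "TLS first, then AUTH" rule concrete, the example below is added here (it is not from the slides or any Cisco product): it parses an ESMTP server's multi-line EHLO reply into its advertised capabilities, lets a client pick an AUTH mechanism only if it is safe for the current session (PLAIN and LOGIN only once STARTTLS has been negotiated), and decodes an AUTH PLAIN token to show why the rule exists. The EHLO replies are constructed to match this section's transcript; the decoded token is the one shown in that transcript.

```python
# Added example (not from the slides or any Cisco product): parse an ESMTP EHLO
# reply into a capability set and apply a client-side policy: mechanisms that carry
# the password with only base64 encoding (PLAIN, LOGIN) are used only after STARTTLS.
import base64

# Constructed EHLO replies, before and after STARTTLS. As in the transcript, the
# server only advertises PLAIN once the session has been upgraded to TLS.
EHLO_BEFORE_TLS = (
    "250-Hello relay.example.org\r\n"
    "250-AUTH GSSAPI DIGEST-MD5\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 STARTTLS\r\n"
)
EHLO_AFTER_TLS = (
    "250-Hello relay.example.org\r\n"
    "250 AUTH GSSAPI DIGEST-MD5 PLAIN\r\n"
)
# Mechanisms whose exchange reveals the password to anyone who can read the session.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Map each advertised keyword to its parameters. '250-' lines continue, '250 ' ends."""
    caps = {}
    lines = reply.strip().splitlines()
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        if sep == " " and i != len(lines) - 1:
            raise ValueError("'250 ' must terminate the multi-line reply")
        if i == 0:
            continue  # the first line is the greeting (domain + free text), not a capability
        keyword, _, params = rest.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def choose_auth_mechanism(reply: str, tls_active: bool, preferred: list) -> str:
    """Pick the first preferred AUTH mechanism the server offers that is safe to use now.

    Returns "STARTTLS" when the client should upgrade first (then EHLO again and retry).
    """
    caps = parse_ehlo(reply)
    offered = set(caps.get("AUTH", []))
    for mech in preferred:
        if mech not in offered:
            continue
        if mech in CLEARTEXT_MECHS and not tls_active:
            continue  # never send a base64-only password over a plaintext session
        return mech
    if "STARTTLS" in caps and not tls_active:
        return "STARTTLS"
    raise RuntimeError("no acceptable AUTH mechanism offered")


def decode_auth_plain(token: str) -> tuple:
    """AUTH PLAIN is base64 of authzid NUL authcid NUL password: no secrecy without TLS."""
    authzid, authcid, password = base64.b64decode(token).decode().split("\x00")
    return (authzid, authcid, password)


if __name__ == "__main__":
    print(parse_ehlo(EHLO_BEFORE_TLS))
    print(choose_auth_mechanism(EHLO_BEFORE_TLS, tls_active=False, preferred=["PLAIN", "GSSAPI"]))
    print(decode_auth_plain("dGVzdAB0ZXN0ADEyMzQ="))
```

A server-side equivalent of the same policy is to advertise PLAIN and LOGIN only after STARTTLS, which is exactly what the transcript's server does: the first EHLO reply lists only GSSAPI and DIGEST-MD5.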

Some examples of authorisation protocols include:

• PLAIN (Uses Base64 encoding.)

• LOGIN (Uses Base64 encoding.)

• GSSAPI (Generic Security Services Application Program Interface)

• DIGEST-MD5 (Digest access authentication)

• MD5

• CRAM-MD5

S: 220 smtp.acmewidgets.com ESMTP Server
C: EHLO relay.example.org
S: 250-Hello relay.example.org
   250-AUTH GSSAPI DIGEST-MD5
   250-ENHANCEDSTATUSCODES
   250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
   -----CERT SENT-----
C: EHLO relay.example.org
S: 250-Hello relay.example.org
   250 AUTH GSSAPI DIGEST-MD5 PLAIN
C: AUTH PLAIN dGVzdAB0ZXN0ADEyMzQ=
S: 235 2.7.0 Authentication successful

Authenticating Sending Domains

• SMTP Auth is not a viable solution for internet mail

• Domain based authentication uses a combination of source headers and domain record lookups

• Three methods for implementing domain authentication:

• Sender Policy Framework (SPF)

• DomainKeys Identified Mail (DKIM)

• Domain-based Message Authentication, Reporting & Conformance (DMARC)

SPF Record Semantics

ajax.com IN TXT "v=spf1 ip4:77.92.66.4 -all"

(v=spf1 is the SPF version; ip4:77.92.66.4 -all are the verification mechanisms)

How it works: SPF

• Mechanisms: all, ip4, ip6, a, mx, ptr, exists, include

• Qualifiers: "+" Pass, "-" Fail, "~" SoftFail, "?" Neutral

• Modifiers: redirect, modifier

• Examples:

• "v=spf1 mx -all" allows the domain's MX hosts to send mail, but no other host

• "v=spf1 +all" nullifies any usefulness of SPF

• "v=spf1 ip4:12.18.0.1/16 -all" allows any IP address between 12.18.0.1 and 12.18.255.255

• "v=spf1 mx/24 mx:offsite.ajax.com/24 -all" for a domain whose MX servers receive mail on one IP address but send mail on a different one (in the same /24)
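The mechanisms, qualifiers and example records above can be exercised with a small evaluator. The one below is added here and is not the ESA's implementation: it handles all, ip4, ip6, a, mx, include and the redirect modifier, with the four qualifiers, and serves DNS answers from a constructed in-memory zone so it runs offline (the hosts and addresses are made up; ptr and exists are not modelled). It goes a little beyond the slide by also applying the RFC 7208 limit on DNS-querying mechanisms, which is what stops looping include chains.

```python
# Added example (not the ESA's implementation): a small SPF (RFC 7208) evaluator for
# the mechanisms and qualifiers listed above. DNS is served from a constructed
# in-memory zone so the example runs offline; records and addresses are made up.
import ipaddress

# Constructed DNS data: TXT (SPF) record, A records and MX hosts per domain.
ZONE = {
    "ajax.com": {"txt": "v=spf1 mx/24 mx:offsite.ajax.com/24 -all",
                 "mx": ["mail.ajax.com"], "a": ["198.51.100.10"]},
    "mail.ajax.com": {"a": ["198.51.100.20"]},
    "offsite.ajax.com": {"mx": ["relay.offsite.ajax.com"]},
    "relay.offsite.ajax.com": {"a": ["203.0.113.5"]},
    "open.example": {"txt": "v=spf1 +all"},
    "strict.example": {"txt": "v=spf1 ip4:12.18.0.1/16 -all"},
    "mxonly.example": {"txt": "v=spf1 mx -all", "mx": ["mail.ajax.com"]},
    "nomail.example": {"txt": "v=spf1 -all"},
    "partner.example": {"txt": "v=spf1 include:strict.example ~all"},
    "loop-a.example": {"txt": "v=spf1 include:loop-b.example -all"},
    "loop-b.example": {"txt": "v=spf1 include:loop-a.example -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def _addresses(host: str) -> list:
    """A/AAAA records for a host from the constructed zone."""
    rec = ZONE.get(host, {})
    return rec.get("a", []) + rec.get("aaaa", [])


def _in_cidr(ip: str, target: str, prefix: str) -> bool:
    """Is `ip` inside `target`, narrowed by the optional /prefix length?"""
    net = ipaddress.ip_network(f"{target}/{prefix}" if prefix else target, strict=False)
    return ipaddress.ip_address(ip) in net  # False when the address families differ


def check_spf(ip: str, domain: str, _budget: list = None) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for (sender ip, domain)."""
    budget = _budget if _budget is not None else [MAX_DNS_MECHS]
    record = ZONE.get(domain, {}).get("txt")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("redirect="):  # modifier: use the other domain's record instead
            budget[0] -= 1
            return "permerror" if budget[0] < 0 else check_spf(ip, term[len("redirect="):], budget)
        name, _, arg = term.partition(":")
        name, _, prefix = name.partition("/")   # "mx/24" carries the prefix on the name
        arg, _, prefix2 = arg.partition("/")    # "mx:offsite.ajax.com/24" carries it on the argument
        prefix = prefix or prefix2
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _in_cidr(ip, arg, prefix)
        elif name == "a":
            budget[0] -= 1
            matched = any(_in_cidr(ip, a, prefix) for a in _addresses(arg or domain))
        elif name == "mx":
            budget[0] -= 1
            hosts = ZONE.get(arg or domain, {}).get("mx", [])
            matched = any(_in_cidr(ip, a, prefix) for h in hosts for a in _addresses(h))
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_spf(ip, arg, budget)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # ptr, exists and unknown mechanisms are not modelled here
        if budget[0] < 0:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: the RFC 7208 default result


if __name__ == "__main__":
    for ip, dom in [("12.18.200.7", "strict.example"), ("203.0.113.77", "ajax.com"),
                    ("192.0.2.1", "ajax.com"), ("1.2.3.4", "loop-a.example")]:
        print(f"{ip:>14} {dom:<16} {check_spf(ip, dom)}")
```

The ESA stamps the outcome into a header rather than acting on it directly; the result strings here are the same vocabulary (pass, fail, softfail, neutral, none, permerror) that message and content filters match on.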

SPF on the ESA

• When SPF is enabled, the ESA will stamp headers in the message

• Use the results inside message or content filters to determine the action

• PRA identities are evaluated in the message filters only

• SPF vs SIDF, an interesting read: http://www.openspf.org/SPF_vs_Sender_ID

SPF Best Practices

• Plan to include "-all" in your SPF records

• Consider all legitimate servers sending e-mail on your behalf

• Make it part of security policy for roaming users to use authenticated SMTP on your gateways for sending outgoing mail

• Add your relay hosts’ HELO/EHLO identity to SPF records

• Create SPF records for all of your subdomains too

• Publish null SPF records for domains/hosts that don't send mail! For example:

nomail.domain.com. IN TXT "v=spf1 -all"

• Only include “MX” mechanism if your incoming mail servers also send outgoing mail

• (for now) Publish both TXT and SPF DNS Resource Records with your SPF record data.

How it works: DKIM

• DomainKeys Identified Mail, specified in RFC5585

• Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP))

• In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify integrity of the messages

• Uses DNS TXT records to publish public keys
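The integrity part of DKIM can be followed without any RSA key at all. The example below is added here and is neither a full verifier nor the ESA's code: it parses the tag=value syntax shared by DKIM-Signature headers and the _domainkey TXT records, derives the DNS name the verifier queries from the s= and d= tags, canonicalises the body with the "relaxed" algorithm of RFC 6376 and recomputes the body hash (bh=) that the signer embedded. A body-hash mismatch already proves the message was altered in transit, before the signature itself is checked. The message body, selector, domain and header are constructed; the b= value is a placeholder because the RSA signature is not verified here.

```python
# Added example (not a full DKIM verifier and not the ESA's code): the parts of DKIM
# (RFC 6376) that need no RSA key: tag parsing, selector record name, relaxed body
# canonicalisation and the body hash (bh=) check. Everything below is constructed.
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a tag=value list (DKIM-Signature header or _domainkey TXT record).

    Zone-file listings escape the separator as '\\;' (as on the slide); folding
    whitespace inside a value, e.g. a wrapped p= key, is not part of the value.
    """
    tags = {}
    for item in value.replace("\\;", ";").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def selector_record_name(sig: dict) -> str:
    """DNS name queried for the public key, e.g. 20120113._domainkey.gmail.com."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def relaxed_body(body: str) -> bytes:
    """RFC 6376 section 3.4.4 relaxed body canonicalisation."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of WSP into one space and drop WSP at the end of each line.
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalisation."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_hash_matches(dkim_signature_header: str, body: str) -> bool:
    """True when the body still hashes to the bh= the signer recorded."""
    sig = parse_tags(dkim_signature_header)
    canon = sig.get("c", "simple/simple")
    if "/" not in canon:
        canon += "/simple"  # "c=relaxed" alone means relaxed headers, simple body
    if sig.get("a", "").lower() != "rsa-sha256" or not canon.endswith("/relaxed"):
        raise ValueError("this example handles a=rsa-sha256 with a relaxed body only")
    return sig["bh"] == body_hash(body)


# Constructed message body with the whitespace noise relaxed canonicalisation removes.
BODY = "Hello Alice.   This is a test message \r\nThanks, Bob\r\n\r\n\r\n"
# Constructed DKIM-Signature header value, folded over three lines as a real one is;
# bh= is computed from BODY above and b= is a placeholder (signature not checked here).
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2024;\r\n"
    " h=from:to:subject; bh=" + body_hash(BODY) + ";\r\n"
    " b=PLACEHOLDERNOTCHECKEDHERE"
)

if __name__ == "__main__":
    print(selector_record_name(parse_tags(SIGNATURE_HEADER)))
    print(body_hash_matches(SIGNATURE_HEADER, BODY))
    print(body_hash_matches(SIGNATURE_HEADER, BODY.replace("test", "fake")))
```

Relaxed canonicalisation is what lets a signature survive the whitespace changes that intermediate MTAs and list servers routinely make; a change to the words themselves still breaks the hash.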

20120113._domainkey.gmail.com IN TXT "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD 0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz 8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/ wIDAQAB"

How it works: DMARC

• Both DKIM and SPF have shortcomings, not because of bad design, but because of the different nature of each technology

• Thus, DMARC was born:

• Leveraging great existing technologies, providing a glue to keep them in sync, and allowing senders to mandate rejection policies and have visibility of offending traffic

• Domain-based Message Authentication, Reporting And Conformance

• Defined in draft-kucherawy-dmarc-base-12 (as of Jan 13, 2015)

• Provides:

• DKIM verification

• SPF authentication

• Synchronisation between the two

• Reporting back to the spoofed entity

DMARC Record Structure

TXT Record for Domain amazon.com:

_dmarc.amazon.com IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:[email protected]\; ruf=mailto:dmarc-[email protected]"

• v=DMARC1: version of DMARC

• p=quarantine: action on authentication failure

• pct=100: % of messages to apply the policy to

• rua=: aggregate feedback report URI

• ruf=: forensic feedback report URI
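The "synchronisation between the two" that DMARC adds is identifier alignment: an SPF or DKIM pass only counts if the domain that passed matches the RFC5322.From domain the user sees. The example below is added here and is not the ESA's code: it parses a DMARC record of the same shape as the one above (a constructed one, with the strict/relaxed alignment tags and a subdomain policy added), checks alignment, and returns the disposition the policy asks for, including the pct= sampling rule. The organisational-domain function is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
# Added example (not the ESA's code): DMARC record parsing, identifier alignment and
# policy disposition. The record, domains and authentication results are constructed;
# org_domain() is simplified (no Public Suffix List).
import random

# Constructed record in the shape of the slide's: quarantine 100% of failures, reject
# for subdomains, strict SPF alignment, relaxed DKIM alignment, and report both ways.
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=100; adkim=r; aspf=s; "
                "rua=mailto:dmarc-agg@example.org; ruf=mailto:dmarc-forensic@example.org")


def parse_dmarc(record: str) -> dict:
    """Tag=value parsing with RFC 7489 defaults filled in (zone-file '\\;' escapes accepted)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for item in record.replace("\\;", ";").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags["pct"] = int(tags["pct"])
    if tags["sp"] is None:
        tags["sp"] = tags["p"]  # the subdomain policy defaults to the domain policy
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ("s") needs an exact match; relaxed ("r") needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, sample_point: int = None) -> dict:
    """DMARC passes if SPF or DKIM passed *and* that mechanism's domain aligns with From.

    `record` is the one found at _dmarc.<from domain> (or its organisational domain).
    `spf_domain` is the envelope MAIL FROM domain SPF checked; `dkim_domain` is the d= tag
    of a verified signature. `sample_point` fixes the pct= sampling for reproducible tests.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "p ass".replace(" ", ""), "disposition": "none"}
    # Which policy applies: p= for the organisational domain itself, sp= for subdomains.
    applicable = policy["p"] if from_domain.lower() == org_domain(from_domain) else policy["sp"]
    # pct= samples the failing messages; the rest get the next less severe action.
    point = sample_point if sample_point is not None else random.randint(1, 100)
    if applicable != "none" and point > policy["pct"]:
        applicable = "quarantine" if applicable == "reject" else "none"
    return {"result": "fail", "disposition": applicable}


if __name__ == "__main__":
    # A bulk sender passing SPF for its own bounce domain does not make a spoofed From pass.
    print(evaluate_dmarc(DMARC_RECORD, "example.org", "pass", "bulk-sender.example", "fail", ""))
    print(evaluate_dmarc(DMARC_RECORD, "example.org", "fail", "", "pass", "mail.example.org"))
```

The two calls at the bottom show the point of alignment: forwarding through a third party that passes SPF for its own bounce domain does not rescue a spoofed From, while a DKIM signature from a subdomain does under relaxed alignment.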

How to Start…

1. Correctly deploy DKIM and SPF

2. Make sure that your identifiers will align

3. Publish a DMARC record with "p=none", gather rua and ruf reports for a while

4. Analyze the data and modify your mail streams (or DKIM/SPF parameters)

5. Apply "reject" or "quarantine" policy

Conclusion

• E-mail is mission critical and the front door of your organisation

• Threats are evolving and becoming more targeted, using multiple threat vectors

• SMTP has built-in techniques for authenticating and verifying senders and domains

• Implement a technology that can enforce the built-in security features and provide Anti-Spam, Anti-Malware and 0-day capabilities

Cisco Email Security Appliance: http://cisco.com/go/esa

Presented at Cisco Live Melbourne 2016 (session videos and presentations: www.CiscoLiveAPAC.com)