Beat Spam Using the E-Mail Security Appliance – Nicole Wajer, Consulting Systems Engineer

Beat Spam Using The E-mail Security Appliance
Nicole Wajer, Consulting Systems Engineer, EMEAR (@vlinder_nl)

Agenda
• SMTP Review
• Email Threats - Protecting against SPAM, Viruses, Malware, Phishing
• Spam vs Graymail
• Email Security Appliance (ESA)
• SPF, DKIM and DMARC
• Conclusion

We will cover:
• SMTP Review
• Email Spam Trends and Threats

SMTP Review

Email Review: Definitions – Mail Protocols

Sending: Simple Mail Transfer Protocol (SMTP)
• Connection oriented, text based protocol that communicates over TCP port 25
• Client-Server architecture defined originally in RFC821 in 1982, with the latest revision in 2008, RFC5321
• Uses a series of command and reply sequences to define headers and data to be transmitted
• Relies on DNS to determine routing of messages from sender to recipient

SMTP session between SMTP Sender and SMTP Receiver (slide diagram):
1. Sender: establish TCP connection to the receiving MTA
2. Receiver: establish TCP connection, send 220 “Ready” reply
3. Sender: receive “Ready”, send “HELO”
4. Receiver: receive “HELO”, send 250 OK with Extensions
5. Sender: receive “OK”, connection open; send from / to and extensions, then send DATA. Receiver: receive DATA
6. Sender: send QUIT
7. Receiver: receive “QUIT”, send goodbye
8. Sender: receive goodbye, close connection

Mail Anatomy – It’s impressive…

One or more Received headers showing the servers that are sending the message:
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com. [173.37.142.92]) by mx.google.com with ESMTPS (version=TLSv1 cipher=RC4-SHA bits=128/128);

The FROM Header:
From: “Nicole Wajer(niwajer)" <[email protected]>

The TO, CC and BCC Headers:
To: “[email protected]" <[email protected]>

Subject Headers:
Subject: Print this

Custom Headers:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.24.192.221]

MIME Headers specifying boundaries for the different parts of the message:
Content-Type: multipart/mixed; boundary="_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_"
MIME-Version: 1.0

First part of the message, in this case plain text:
--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Can you please print this?

Mail Anatomy – There’s more!

Start of the next part, with the attachment details:
--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_
Content-Type: text/plain; name="list.txt"
Content-Description: list.txt
Content-Disposition: attachment; filename="list.txt"; size=53814; creation-date="Sun, 19 Jan 2014 03:58:56 GMT"; modification-date="Mon, 20 Jan 2014 19:51:37 GMT"
Content-Transfer-Encoding: base64

BASE64 data attached:
MS4gV2hpY2ggb2YgdGhlIGZvbGxvd2luZyBzdGF0ZW1lbnRzIGlzIE5PVCB0cnVlIHJlZ2FyZGlu
ZyB0aGUgR2VvbG9jYXRpb24gZmVhdHVyZT8gDQpCLiAgVGhlIEdlb2xvY2F0aW9uIGRhdGFiYXNl
IG11c3QgYmUgbWFudWFsbHkgaW5zdGFsbGVkIGluaXRpYWxseSANCiAgICAgIA0KMi4gR2VvbG9j
YXRpb24gYmxvY2tpbmcgaXMgc3VwcG9ydGVkIG9uIGFsbCBTb3VyY2VmaXJlIGFwcGxpYW5jZSBw
bGF0Zm9ybXMuIA0KQi4gIEZhbHNlIA0KICAgICAgDQozLiBXaGljaCBvZiB0aGUgZm9sbG93aW5n
IHN0YXRlbWVudHMgaXMgdHJ1ZSByZWdhcmRpbmcgQWNjZXNzIENvbnRyb2wgcG9saWN5IHJ1bGVz
...

End of the MIME attachment:
--_002_440E600602613146ABEF4739925CE56C2291B80Dxmbalnx04ciscoc_--

Did you get my message?
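The anatomy the slide annotates, worked as an added example that is not part of the original deck: Python's standard `email` parser walks a constructed multipart message (placeholder hosts, addresses, IPs and boundary) and pulls out the Received chain, the envelope headers and each MIME part, decoding the base64 attachment to recover its real size rather than the size of the text on the wire.

```python
# Added example, not from the slides: walk a multipart message the way the "Mail
# Anatomy" slide does. Message, hosts, addresses, IPs and boundary are constructed.
import base64
from email import message_from_string, policy

ATTACHMENT = b"1. Which of the following statements is NOT true"   # constructed
SAMPLE = """\
Received: from relay1.example.net (relay1.example.net. [192.0.2.10])
 by mx.example.org with ESMTPS (version=TLSv1 cipher=RC4-SHA bits=128/128)
Received: from mail.example.net (mail.example.net [192.0.2.5]) by relay1.example.net
From: "Sender Name" <sender@example.net>
To: <recipient@example.org>
Subject: Print this
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_002_demo_boundary_"

--_002_demo_boundary_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Can you please print this?
--_002_demo_boundary_
Content-Type: text/plain; name="list.txt"
Content-Disposition: attachment; filename="list.txt"
Content-Transfer-Encoding: base64

""" + base64.b64encode(ATTACHMENT).decode() + """
--_002_demo_boundary_--
"""

def anatomy(raw):
    msg = message_from_string(raw, policy=policy.default)
    # Each hop prepends its own Received header, so index 0 is the hop nearest to us
    hops = [str(h).split()[1] for h in msg.get_all("Received", [])]
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue              # the multipart/mixed container carries no body itself
        entry = {"type": part.get_content_type(),
                 "encoding": str(part["Content-Transfer-Encoding"]),
                 "disposition": part.get_content_disposition() or "inline"}
        if entry["disposition"] == "attachment":
            entry["filename"] = part.get_filename()
            # size of the decoded bytes, not of the base64 text on the wire
            entry["size"] = len(part.get_payload(decode=True))
        else:
            entry["text"] = part.get_content().strip()
        parts.append(entry)
    return {"hops": hops, "from": str(msg["From"]), "subject": str(msg["Subject"]), "parts": parts}
```

Only the Received header written by your own gateway is trustworthy; everything below it in the chain was supplied by the sender and can be forged.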
Bounces and Delays

NDR: Non-Delivery Report
• Generated by the sending MTA if there is a lookup error (i.e. the domain does not exist)
• Generated by the receiving MTA (or mailbox server) if the user does not exist or the mailbox is full
• The error shown in the NDR is a 500 level error, a permanent failure: no retry
• The NDR identifies the server that sent the bounce message and the reason it was bounced back

DSN: Delivery Status Notification
• Generated by the sending MTA when the destination is down (i.e. server unresponsive)
• Messages are re-queued and re-delivery is attempted after a specified period
• A DSN is a soft failure, a 400 level error message
• After a specified amount of time, if the message still cannot be delivered, it fails with an NDR

Email Spam Trends and Threats

The Nemesis: SPAM
SPAM stands for:
A) Stupid, Pointless Annoying Message
B) Sending Pornography and Abusive Marketing
C) Slang name for Unsolicited Commercial Email
D) All of the above

Types of SPAM
• Spamvertising
• 419 scams
• Phishing
• Harvest spam
• Image spam
• Backscatter spam
• Snowshoe spam

Gone Phishing
• Phish – The impersonation of a party to gain the trust of the target and obtain confidential information
• Spear Phishing – Attacks against a specific person or company, with the intent to gain personal information
• Whaling (Big Phish) – Targeted at senior executives or high profile personnel, with a sophisticated and researched attack
• Defence: User education and URL detection on the Cisco Email Security Appliance

Backscatter Spam
• Backscatter attack – the most profitable Email DDoS
• Hire a botnet
• Spoof millions of messages to non-existent recipients claiming to come from the DDoS target
• Watch their Email systems go down under the flood of bounce messages from all over the Internet
Effective countermeasures against all bounce-based danger: SPF, DMARC and BATV (all supported by Cisco Email Security Appliance and Cloud Email Security!)

Protecting Against Backscatter
• Settings on your ESA can define which keys to use
• Use a varying set of keys to sign messages
• Assign them to different destinations

“Snowshoe” Spam – better evasion techniques
• Spam campaigns that use unique text from unique IPs
• Short campaigns – morph fast – constantly changing
• Resistant to reputation and content analysis
• Offer spam (micro-category) = selling goods or services
• The majority of Offer spam uses Snowshoe techniques
• Pure content analysis can lead to high false positives – a balance is needed

YourUPSorder.exe
• 0-Day attacks usually consist of files such as EXE, PDF, ZIP, OFFICE, etc.
• Combination of Phishing and Malware payload
• Multi-vector threats hide the malware behind a URL
• Advanced techniques use droppers, where a two-stage installer is used
Defence in depth using signature AV, 0-day filtering and Advanced Malware Protection.

Why Targeted Phishing Works

Targeted Phishing
• Attacks require criminals to efficiently build appropriate resources and trick victims into revealing valuable private information.
• https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-information/phishing

Social Engineering

Example of Social Engineering
• Phishing scams might be the most common type of social engineering attack used today. Most phishing scams demonstrate the following characteristics:
• Seek to obtain personal information, such as names, addresses and social security numbers.
• Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
• Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.

We covered:
• SMTP Review
• Email Spam Trends and Threats

We will cover:
• Spam vs Graymail
• What does the Email Security Appliance pipeline look like?
• Protecting your users with the Email Security Appliance

Spam vs Graymail

Spam vs Graymail - 1
• Spam is an email that the recipient didn’t opt to receive (unsolicited) and generally has embedded links, pictures and other documents that may be disguised to look legitimate, but are actually malicious in nature. Spam emails are intended to fool the recipient and cause harm to the end user’s environment. For more information on Spam, please refer to the CAN-SPAM Act of 2003.

Spam vs Graymail - 2
• In short: Graymail is email that the recipient “opted” to receive, but doesn’t really want in their inbox. A good example is when you go shopping and provide your email address to receive coupons/discounts and other notifications from that vendor. These emails are known as graymail: you opted to receive them, but after a while you grow tired of how many annoying emails the vendor sends, and so they end up being reported as spam, which they aren’t at all.
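The BATV protection named on the Backscatter slides above (“use a varying set of keys to sign messages, assign them to different destinations”), worked as an added example that is not Cisco's implementation: the outbound envelope sender gets a `prvs` tag carrying a key id, an expiry day and a short HMAC; an inbound bounce (MAIL FROM:<>) whose RCPT TO has no valid tag was never sent by this gateway and is rejected as backscatter. Key ids, key material and the 7-day lifetime are constructed for the demo; the BATV draft uses SHA-1 where this uses SHA-256.

```python
# Added example, not from the slides: Bounce Address Tag Validation (BATV) as the
# backscatter defence the slides name. Outbound MAIL FROM is tagged with a short
# HMAC under one of several rotating keys; an inbound bounce (MAIL FROM:<>) whose
# RCPT TO carries no valid tag never left our gateway and can be rejected.
# Key ids, key material and the 7-day lifetime are constructed for this demo; the
# BATV draft uses SHA-1, this uses SHA-256.
import hashlib, hmac, re

KEYS = {"0": b"demo-key-default-destinations", "1": b"demo-key-partner-domains"}
LIFETIME_DAYS = 7
# prvs=<key id><expiry day-of-year mod 1000><6 hex chars>=<original address>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)

def _sig(key_id, expiry_day, address):
    msg = f"{expiry_day:03d}{address}".encode()
    return hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()[:6]

def sign_sender(address, today, key_id="0"):
    """Tag the envelope sender; key_id lets different destinations use different keys."""
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={key_id}{expiry:03d}{_sig(key_id, expiry, address)}={address}"

def verify_bounce_recipient(rcpt, today):
    """For a bounce (MAIL FROM:<>): (accept?, untagged address to deliver to)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, None          # untagged: we never sent it, this is backscatter
    key_id, expiry, sig, address = m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)
    if key_id not in KEYS or (expiry - today) % 1000 > LIFETIME_DAYS:
        return False, None          # unknown key or tag expired: bounce arrived too late
    if not hmac.compare_digest(sig, _sig(key_id, expiry, address)):
        return False, None          # forged or tampered tag
    return True, address
```

Legitimate DSNs and NDRs for mail you did send still arrive, because their RCPT TO is the tagged sender you signed; the gateway strips the tag and delivers to the returned address.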
Mail Flow

ESA Email Pipeline and Definitions (slide diagram, read left to right)

SMTP SERVER
• Host Access Table (HAT)
• Received Header
• Default Domain
• Domain Map
• Recipient Access Table (RAT)
• Alias Table
• LDAP RCPT Accept
• SMTP Call-Ahead
• DKIM / SPF Verification
• DMARC Verification
• S/MIME Verification

WORKQUEUE (WQ)
• LDAP RCPT Accept
• Masquerading (Table / LDAP)
• LDAP Routing
• Message Filters
• Anti-Spam
• Anti-Virus
• Advanced Malware Protection (AMP)
• Graymail, Safe Unsubscribe
• Policy Scanning
• Content Filtering - Per Policy
• Outbreak Filtering
• DLP Filtering (Outbound)

SMTP CLIENT
• Encryption
• Virtual Gateways
• Delivery Limits
• Received: Header
• Domain-Based Limits
• Domain-Based Routing
• Global Unsubscribe
• S/MIME Encryption
• DKIM Signing
• Bounce Profiles
• Message Delivery

Protect Your Users with ESA

Email Security Appliance

HAT – Host Access Table
• Systems are added to the various Sender Groups manually by adding the sender’s IP address, host name, or partial host name, or they fall into a particular sender group due to their reputation score.

MFP – Mail Flow Policy
• Check the Mail Flow Policies carefully
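The HAT lookup the slide describes, as an added example that is not Cisco's code or configuration: a connecting MTA is matched against the Sender Groups top to bottom by IP address or network, full host name or partial (suffix) host name, and only when no entry matches does its reputation score place it in a group; each group carries the Mail Flow Policy applied to the connection. Group names, policy names, score ranges and all addresses are constructed for the demo.

```python
# Added example, not from the slides: the Host Access Table lookup the HAT slide
# describes. A connecting MTA is matched against the Sender Groups top to bottom
# by IP address/network, full host name or partial (suffix) host name; only if no
# entry matches does its reputation score place it in a group. Group names,
# Mail Flow Policy names, score ranges and addresses are constructed for this demo.
import ipaddress

SENDER_GROUPS = [   # order matters: first match wins
    {"name": "RELAYLIST",   "policy": "RELAYED",   "hosts": ["192.0.2.0/24"]},
    {"name": "WHITELIST",   "policy": "TRUSTED",   "hosts": [".partner.example"]},
    {"name": "BLACKLIST",   "policy": "BLOCKED",   "hosts": ["198.51.100.7", "spamrelay.example"]},
    {"name": "SUSPECTLIST", "policy": "THROTTLED", "score": (-10.0, -3.0)},   # lo <= s < hi
    {"name": "UNKNOWNLIST", "policy": "ACCEPTED",  "score": (-3.0, None)},    # None: no upper bound
]

def _host_match(pattern, ip, hostname):
    if pattern.startswith("."):           # partial host name: match the domain suffix
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    try:                                  # an IP address or CIDR network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                    # not an address: compare the full host name
        return hostname is not None and hostname.lower() == pattern.lower()

def lookup_sender_group(ip, hostname, reputation):
    """Map a connecting host (IP, reverse-DNS name, reputation score) to (group, policy)."""
    for group in SENDER_GROUPS:           # explicit entries always beat the score
        if any(_host_match(p, ip, hostname) for p in group.get("hosts", [])):
            return group["name"], group["policy"]
    for group in SENDER_GROUPS:
        lo, hi = group.get("score", (None, None))
        if lo is not None and reputation is not None and lo <= reputation and (hi is None or reputation < hi):
            return group["name"], group["policy"]
    return "ALL", "ACCEPTED"              # constructed catch-all: check its policy carefully
```

A host with no reputation score falls through to the catch-all, which is exactly the case the "check the Mail Flow Policies carefully" slide warns about.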