PaulDotCom mailing list archives

Spoofing emails


From: johnemiller at gmail.com (John Miller)
Date: Fri, 15 May 2009 20:25:21 -0500

SPF and DomainKeys verification can help prevent spoofed messages from
reaching your users. Neither of these technologies is a perfect solution as
they require the sending domain to have properly implemented them.
Configuring SPF and DomainKeys for domains that you control helps others
prevent spoofed messages from your domain reaching them. This is good for
both parties, as no spoofed messages means no backscatter.

Probably the most important type of spoofed email to prevent are those that
feign internal FROM addresses. If you permit spoofed messages from your own
domain, it becomes trivial to perform social engineering. When people get an
angry email from their boss demanding that they download a patch or make a
specific change to the firewall, they tend to perform whatever is asked of
them. It often comes up in my audit and assessment work that users are used
to receiving requests to perform some technical action, such as installing a
patch. Training users in bad habits such as this makes it much easier for
an attacker. Requiring all incoming messages with an internal FROM address
to perform some sort of authentication can help to mitigate this threat.

In the end, SMTP is flat out broken, security-wise. Any organization should
be practicing defense-in-depth when it comes to email.

   - Keep everything patched, eliminate unnecessary services.
   - Use a mail gateway that performs spam and malware filtering, block
   against black lists, don't have secondary MX records that bypass the gateway
   - attackers will find that! Ensure the mail server will only receive
   messages from the gateway.
   - Implement and check SPF and/or DomainKeys.
   - Establish strict policies and procedures to prevent users from blindly
   following instructions sent via email.
   - Perform security awareness training with users to inform them of the
   threats, follow this up with social engineering pentests to reinforce the
   lessons.
   - Ensure users have the least privileges required to perform their job
   functions, reducing the threat of secondary exploitation should they have
   their workstation compromised.
   - Have sufficient visibility into the network (via IDS/IPS, firewall
   alerting, etc) and effective procedures to quickly respond to any detected
   attack.



On Fri, May 15, 2009 at 12:16 PM, natron <natron at invisibledenizen.org> wrote:

On Sat, May 9, 2009 at 9:45 AM, Nathan Sweaney <NSweaney at tulsacash.com>
wrote:
Other than Core, what's the best way to go about creating spoofed emails?

On a related note, what's the generally accepted best way to defend
against spoofed emails?  SPF?

n
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
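An added example (not from the thread above) of the gateway-side check John describes: evaluate the sending IP against the claimed domain's SPF record, and require a hard pass before accepting anything that claims an internal FROM address. The DNS table, the domain example.org and the addresses are constructed stand-ins; a real gateway would query DNS and would also handle the ptr/exists mechanisms and redirect= modifier that this simplified evaluator rejects as permerror.

```python
import ipaddress
# Constructed stand-in for DNS so this runs offline (assumption: example.org is the internal domain).
FAKE_DNS = {
    "example.org": {
        "TXT": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["198.51.100.25"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:192.0.2.0/28 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype)

def check_spf(ip, domain, depth=0):  # returns the SPF result for ip sending on behalf of domain
    if depth > 10:  # bound include: recursion (SPF caps DNS-querying terms at 10)
        return "permerror"
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF: nothing to enforce against
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # CIDR suffixes on a/mx are not handled here
            matched = str(addr) in (lookup(arg or domain, "A") or [])
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX") or []
            matched = any(str(addr) in (lookup(h, "A") or []) for h in hosts)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # ptr, exists and modifiers (redirect=, exp=) not implemented
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no trailing "all"

def gateway_decision(sender_ip, mail_from_domain, internal_domain="example.org"):
    # Mail claiming an internal sender must pass SPF; everything else is rejected only on hard fail.
    result = check_spf(sender_ip, mail_from_domain)
    if mail_from_domain == internal_domain and result != "pass":
        return "reject"  # spoofed internal FROM, or internal mail arriving unauthenticated
    return "reject" if result == "fail" else "accept"
```

The stricter rule for the internal domain is deliberate: a "none" or "softfail" that would be tolerated for a stranger's domain still means an unauthenticated message claiming to be the boss.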
