Prevent email spoofing

Table of contents

Securing email servers

Offence: What is email spoofing? "The sender is real after all ..."

Email spoofing or spoofing refers to the actions of, for example, a hacker pretending to send an email on behalf of a company or domain to which they do not belong. A small example: An invoice is sent to companies or private individuals in the name of Telekom.de, but this invoice does not come from Telekom, but from the hacker. However, the domain looks correct on closer inspection. So how can this be? 

Since e-mail is a form of communication that allows messages to be sent and received in a decentralized manner via protocols such as SMTP, there is no central body that can check sent messages for validity. As a result, it is easy to forge sender addresses. This must be thought of as putting a false sender address on a letter. For the recipient, it is not possible to evaluate whether a letter was actually sent by the specified sender without further measures and checks. The situation is fundamentally the same for e-mails.

You want to avoid a successful hacker attack on
your IT system?
Test your IT now with a professional penetration test!
To the penetration test

The technical implementation of email spoofing

For sending e-mails you basically do not need an e-mail server. We use the tool swaks here, for example

				
					swaks --to y.knoll@prosec-networks.com --from spoofuser@spoofdomain.de  --h-From: '"Spoof User" <spoofuser@spoofdomain.de>' --server 104.47.7.138 -p 25 --header "Subject:Titel der E-Mail" --body ‘Guten Tag,\n\ndies ist der Start des Mailtests.\n\nMfg Spoof User’ --ehlo spoofdomain.com
				
			
-toRecipient email address
-fromE-mail address of the sender
-h-FromDisplay name of the sender or spoofed e-mail address
-serverThe mail server of the receiving domain
-headerHeader part of the email can be customized here, primarily it is about the "Subject" field.
-body Here you can define the content of the e-mail
-ehlo Name with which the sender logs on to the receiving mail server.

The recipient of the e-mail will then see it as follows:

Prevent email spoofing
Prevent email spoofing

Technically in the background the sending of the e-mail looks like this:

That simple?

No, it is not quite that simple. There must be certain conditions or misconfigurations so that the hacker's mail does not end up in the spam folder or does not arrive at all.

For this purpose, there are two DNS records that a domain should have stored so that such a spoofing process is not possible. These are the Sender Policy Framework (SPF) record and the DomainKeys Identified Mail (DKIM) record.

What exactly are these records?

The Sender Policy Framework (SPF) is a procedure that allows mail servers to check whether an e-mail received actually originates from an authorized server. This is a fully automatic mechanism that is executed unnoticed by the end user.

Example of an SPF record

 

Hostname

Type

Time to Live

Value

Example.org

TXT

1 hour

v=spf1 ip4:192.0.0.1 ip4:192.0.0.2 -all

Such an entry must be deposited at the DNS server of the sending domain. The first part is the host name. This is the domain or subdomain to which the record applies. Type describes the type of record. SPF records are entered as TXT type. Time to Live instructs the DNS server to keep the DNS record in the cache for a certain time.

The value is the actual SPF syntax. The parameter "v" describes the used SPF version, in this case version 1. After that two IPv4 addresses are named as addresses of mail servers in the example. Other entries could be set here like A or AAAA ("a") mail server records ("mx"). In addition, IP4 or IP6 can be used to specify not only individual IP addresses, but also IP ranges.

The final part of the SPF syntax is a directive that gives recommendations to the checking mail server on how to handle emails that fail an SPF check. In the case of the example, it is recommended that the mail server treat all checked emails that do not meet the criteria of the SPF record as "fail" ("-") and not deliver them at all. There is an additional possibility to define a "Softfail" ("~") "Neutral" ("?") or "Pass" ("+").

What is a DomainKeys Identified Mail - DKIM

What is a DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) is a method of e-mail authentication. DKIM is used to sign e-mails that are sent. A key pair consisting of a public and private key is used for this purpose. The public key is stored as a DNS entry on the DNS server of the sending domain. Receiving mail servers can then use this public key to check whether the signature was made with the corresponding private key. A sender of an e-mail can thus prove that his e-mail is actually a legitimate e-mail from the corresponding domain.

How DKIM works in detail

When an e-mail is sent, DKIM adds a so-called DKIM signature to the header of the e-mail. Here, "headers" of the sent e-mail are signed using the private key. At least the "from" header must be used as the signature; other headers can be added optionally.

When the e-mail is received, the receiving server requests the public key. Only if the sender is in possession of the private key can the signature be validated. The recipient can then check whether the signature matches the checksum. If the match is present, it is proven that the sender is in possession of the private key of the DKIM key pair and is therefore very likely a legitimate sender.

Example DKIM signature:

				
					v=1; a=rsa-sha256; d=example.net; s=brisbane;

     c=relaxed/simple; q=dns/txt; i=foo@eng.example.net;

     t=1117574938; x=1118006938; l=200;

     h=from:to:subject:date:keywords:keywords;

     z=From:foo@eng.example.net|To:joe@example.com|

       Subject:demo=20run|Date:July=205,=202005=203:44:08=20PM=20-0700;

     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;

     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ

              VoG4ZHRNiYzR
				
			

Source: Wikipedia

Explanation of the structure of the signature

v: Version
a: Signature algorithm, in this case RSA with a SHA 256 hash
d: Domain of the sender
s: Selector. Identification of the corresponding record in the DNS records. This is required if multiple SPF records are published for a domain
c: Canonicalization. Specifies how strict the signature check is. The value "simple" or "relaxed" can be specified here for the header and body options. These potential changes are changes to the e-mail header or body that are made by the e-mail server itself when sending the e-mail. The option "simple" states that almost no changes may be accepted. Even small changes will then cause the signature check to fail. The "relaxed" option allows moderate changes. This can be e.g. a conversion to lower case and a removal of unnecessary whitespace.
q: Query methods. Defines the method by which the public key is queried. Default value is "dns/txt"
i: identity of sender
t: timestamp of signature
x: expiry time of signature
l: Body length count. Describes the number of octets in the body that are part of the signature hash
h: Signed Header Fields. Specifies the header fields for which the signature is formed. These must contain at least the "from" field. Other headers are optional
z: Copied header fields. Copies of the signed headers
bh: The hash of the message body, corresponding to the length specified by "l"
b: The hash formed from the header fields.

Example of a DKIM entry:

Hostname

Type

Time to live

Value

Mail._domainkey.example.com

TXT

1 hour

v=DKIM1; p=76E629F05F70
9EF665853333
EEC3F5ADE69A
2362BECE4065
8267AB2FC3CB
6CBE

 

Under the host name we find an entry that is divided into the selector "Mail", the fixed part "_domainkey" and the domain name "example.com". A receiving server can use this name to request the public key. The entry then represents the actual DKIM syntax. "v=DKIM1; p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE40658267AB2FC3CB6CBE"
splits into the parameter v, which stands for the DKIM version used, and the parameter "p", which specifies the public key. Frequently, DKIM records also contain the parameter k, which specifies the signing method.

DomainKeys Identified Mail

How to protect yourself from email spoofing

  • SPF and DKIM can be used to secure email servers.
  • However, spam is only prevented if a receiving e-mail server also checks the corresponding functions of SPF and DKIM and also reacts accordingly if one or both procedures fail.
  • The shipper can also provide instructions on how to proceed in such a case.
  • This is done with the help of the Domain-based Message Authentication, Reporting and Conformance procedure (DMARC).
Increase the Security of your IT System Now!
You will receive detailed advice from us!
Contact Now
OTHER CONTRIBUTIONS

Table of contents

Do you want to be part of our team?