PaulDotCom mailing list archives
Spoofing emails
From: johnemiller at gmail.com (John Miller)
Date: Fri, 15 May 2009 20:25:21 -0500
SPF and DomainKeys verification can help prevent spoofed messages from reaching your users. Neither of these technologies is a perfect solution, as they require the sending domain to have properly implemented them. Configuring SPF and DomainKeys for domains that you control helps others prevent spoofed messages from your domain reaching them. This is good for both parties, as no spoofed messages means no backscatter.

Probably the most important type of spoofed email to prevent is the kind that feigns internal FROM addresses. If you permit spoofed messages from your own domain, it becomes trivial to perform social engineering. When people get an angry email from their boss demanding that they download a patch or make a specific change to the firewall, they tend to perform whatever is asked of them. It often comes up in my audit and assessment work that users are used to receiving requests to perform some technical action, such as installing a patch. Training users in bad habits such as this makes it much easier for an attacker. Requiring all incoming messages with an internal FROM address to perform some sort of authentication can help to mitigate this threat.

In the end, SMTP is flat out broken, security-wise. Any organization should be practicing defense-in-depth when it comes to email.

- Keep everything patched, eliminate unnecessary services.
- Use a mail gateway that performs spam and malware filtering, block against blacklists, don't have secondary MX records that bypass the gateway - attackers will find that! Ensure the mail server will only receive messages from the gateway.
- Implement and check SPF and/or DomainKeys.
- Establish strict policies and procedures to prevent users from blindly following instructions sent via email.
- Perform security awareness training with users to inform them of the threats, follow this up with social engineering pentests to reinforce the lessons.
- Ensure users have the least privileges required to perform their job functions, reducing the threat of secondary exploitation should they have their workstation compromised.
- Have sufficient visibility into the network (via IDS/IPS, firewall alerting, etc.) and effective procedures to quickly respond to any detected attack.

On Fri, May 15, 2009 at 12:16 PM, natron <natron at invisibledenizen.org> wrote:

> On Sat, May 9, 2009 at 9:45 AM, Nathan Sweaney <NSweaney at tulsacash.com> wrote:
>> Other than Core, what's the best way to go about creating spoofed emails?
>> On a related note, what's the generally accepted best way to defend against spoofed emails? SPF?
>
> n
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
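Editor's added example (not part of the thread or any poster's code): a minimal SPF evaluator in the spirit of the "implement and check SPF" and "require messages with an internal FROM address to authenticate" points above. It evaluates the ip4/ip6, a, mx, include and all mechanisms against a constructed in-memory DNS table (all domains, addresses and records below are invented for the example, and the a/mx CIDR suffixes and the redirect modifier are deliberately not implemented), then applies the post's inbound rule: a message claiming one of our own domains is rejected unless SPF passes, while external domains are only rejected on a hard fail.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (invented for this example).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.example.com"],
        "A": ["198.51.100.10"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:192.0.2.0/25 ~all"]},
    "partner.example": {"TXT": ["v=spf1 a -all"], "A": ["198.51.100.7"]},
    "nospf.example": {"A": ["198.51.100.99"]},   # publishes no SPF record
}

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None (none/multiple)."""
    recs = [r for r in lookup(domain, "TXT")
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_spf(client_ip, sender_domain, lookups=None):
    """Evaluate SPF for the connecting IP and the MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `lookups` is a shared counter so include: recursion honours MAX_LOOKUPS.
    """
    lookups = lookups if lookups is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    record = spf_record(sender_domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:          # modifier (exp=, redirect=): not implemented, ignored
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa: no match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or sender_domain
            hosts = [target] if name == "a" else lookup(target, "MX")
            matched = any(ip == ipaddress.ip_address(a)
                          for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(client_ip, arg, lookups)
            if sub in ("none", "permerror"):   # RFC 7208 s5.2: included domain must exist
                return "permerror"
            matched = sub == "pass"            # anything but pass is simply "no match"
        else:
            return "permerror"                 # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without an "all"


def inbound_verdict(client_ip, sender_domain, internal_domains):
    """Gateway policy from the post: our own domains must authenticate.

    Returns (action, spf_result). Internal FROM domains are accepted only on an
    SPF pass; external domains are rejected only on a hard fail, and everything
    else (softfail/neutral/none) is passed on to spam filtering.
    """
    result = check_spf(client_ip, sender_domain)
    if sender_domain.lower() in {d.lower() for d in internal_domains}:
        return ("accept" if result == "pass" else "reject"), result
    if result == "fail":
        return "reject", result
    return "accept", result


if __name__ == "__main__":
    for ip, dom in [("203.0.113.25", "example.com"), ("192.0.2.5", "example.com"),
                    ("198.51.100.99", "example.com"), ("198.51.100.99", "nospf.example")]:
        print(ip, dom, inbound_verdict(ip, dom, {"example.com"}))
```

The third case is the one the post cares about: an outside host (198.51.100.99) presenting MAIL FROM example.com fails the -all record and is rejected outright, whereas the same host sending as nospf.example merely gets an SPF result of "none" and is left to the spam filter. A real gateway would also apply the same rule to the header From:, since SPF only covers the envelope sender.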
Current thread:
- Spoofing emails, (continued)
- Spoofing emails Jason Wood (May 13)
- Spoofing emails Jim Halfpenny (May 14)
- Spoofing emails Robin Wood (May 14)
- Spoofing emails Jason Wood (May 14)
- Spoofing emails Jim Halfpenny (May 14)
- Spoofing emails Sam Buhlig (May 14)
- Spoofing emails d4ncingd4n at gmail.com (May 14)
- Spoofing emails Jim Halfpenny (May 15)
- Spoofing emails Jack Daniel (May 15)
- Spoofing emails John Miller (May 15)
- Spoofing emails natron (May 17)