Let’s say I want to send some spoofed email to a friend of mine to help him test his MTA and I have authorization to do so. I need to do recon and prepare some things before I start sending emails.

The first thing is a PTR record for my mailserver. This is needed because pretty much every MTA queries to see if you have a PTR record for the IP that matches the A record of of the sending server.

dig -x WW.XX.YY.ZZ  ; IP of the sending server

; <<>> DiG  <<>> -x WW.XX.YY.ZZ
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;ZZ.YY.XX.WW.in-addr.arpa. IN PTR

;; ANSWER SECTION:
ZZ.YY.XX.WW.in-addr.arpa. 3571 IN PTR mail.mydomain.com.

Now I know mail won’t be rejected due to the lack of a PTR record.

Next step is to check MX, SPF, DMARC and DKIM for the receiving domain. I’m using a made up one of “hisdomain.com” for this post, but the results are from a the real domain and I just swapped out the names to protect the innocent. Later on in the post, I’ll set these up for my domain as well. Some of these aren’t necessary unless you’re trying to send mail on behalf of a certain domain.

-MX lookup:

dig MX hisdomain.com

; <<>> MX hisdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45384
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;hisdomain.com. IN MX

;; ANSWER SECTION:
hisdomain.com. 1800 IN MX 0 hisdomain-com.mail.protection.outlook.com.

This shows where mail destined to “hisdomain.com” is delivered.

-SPF lookup:

dig TXT hisdomain.com

; <<>> TXT hisdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59679
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;hisdomain.com. IN TXT

;; ANSWER SECTION:
hisdomain.com. 1800 IN TXT "v=spf1 mx include:spf.something.net include:spf.somethingelse.net include:_spf.google.com ?all"

The “v=” is the version of SPF, mx shows 3 mailservers that can send on behalf of hisdomain.com, and the “?all” at the end means mail will be accepted even if it’s a forgery. I know I said I wouldn’t just send emails, but it’s the easiest way to find some things out.  So, I send an email to an address that’s sure to bounce to see what I get back.

550 5.4.1 [canigetabouncefuhdis@hisdomain.com]: Recipient address rejected: Access denied [XXXXXXX.eop-nam01.prod.protection.outlook.com]

From that, I can confirm that his mail is hosted at o365, and I can tell that his company uses a different SMTP sending server. And, due to the “?all”, they don’t care if someone sends email from their domain on some random server. But I don’t want to start posing as his boss just yet.

To check for a DMARC record:

dig TXT _dmarc.hisdomain.com

; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc27 <<>> TXT _dmarc.hisdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7566

He doesn’t have one, but I need to check some more things.

DKIM usually doesn’t have that wide of an adoption because some MTA’s require additional software to make it work, and you have to configure a certificate and host the public key in DNS. For DKIM verification, you’d have to look at the email headers of an email sent from “hisdomain.com”. To confirm, I happen to have an email from him and I can see that mail is passed through one of the servers in the SPF and then through Office 365. There are DKIM headers for “hisdomain.onmicrosoft.com” but it’s set to relaxed, so I can get around that.

From this information, I know I can send him email even if it’s spoofed if I have all these things setup. And SPAM rating will most likely be low. It could still be caught by AV, but there are many ways around that too.

Finally, I was playing around with Mailsploit and was able to send him emails from something@microsoft.com and they made it through. With a few config changes, we can prevent certain types of spoofed email. Below, I configure SPF, DMARC, and DKIM for “mydomain.com”.

1. SPF

– Created a strict SPF TXT record.

mydomain.com. 299 IN TXT "v=spf1 ip4:X.X.X.X/32 ip4:Y.Y.Y.Y/32 ip4:Z.Z.Z.Z/32 mx -all"

The “-all” means only allow mail that matches one of the parameters (IPv4, MX, etc) in the record.

 

2. DMARC

– Created a strict DMARC record.

_dmarc.mydomain.com. 299 IN TXT "v=DMARC1; p=reject; sp=reject; fo=1; ri=3600; rua=mailto:root@mydomain.com; ruf=mailto:root@mydomain.com; adkim=s; aspf=s; rf=afrf"

The “v=” is the version of DMARC.

“p=reject” is the policy which means reject mail if DKIM OR SPF fails.

“sp=reject” is similar to the previous attribute but for subdomains.

“fo=1” means generate reports if DKIM OR SPF fails and mail the reports to the rua address.

“ri=3600” is the reporting interval.

“rua=” is the reporting email address.

“ruf=” is the forensic reporting email address.

“adkim=s” means strict matching of the sender address and the domain of “d=sendingdomain.com” in the DKIM header.

“aspf=s” means strict matching of  “MAIL FROM” in the SMTP header and “FROM” in the email itself.

“rf=afrf” is the reporting format of RFC 5965 “Abuse Reporting Format”

 

3. In Ironport ESA, I did the following.

-For SPF, create a content filter that says “If SPF fails, quarantine the message”.

-For DKIM, create signing keys.The Cisco appliance can generate its own keys. In the appliance, select Mail Policies –> Domain Keys –> Signing Keys and click Add Key. Enter a name, select key number of bits and click Submit. A key pair is now created. You can use the view option under Public Key to copy the public key. Create a DKIM record in DNS.

 

dig TXT dkim._domainkey.mydomain.com

; <<>> DiG <<>> TXT dkim._domainkey.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55940
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dkim._domainkey.mydomain.com. IN TXT

;; ANSWER SECTION:
dkim._domainkey.mydomain.com. 299 IN TXT "v=DKIM1; p=PUBLICKeYPUBLICKeYPUBLICKeYPUBLICKeYPUBLICKeY;"

-Create a Domain Profile. This is where the sending domain is associated with the signing key. To create a domain profile, select Mail Policies –> Signing Profiles and click the Add Profile button. Enter a name and in the drop-down box select DKIM. The window will expand and you can enter DKIM specific information like the domain name, the selector, the private key that was created in the previous step, canonicalization, which headers to use etc.

-Enable DKIM signing on an outgoing profile. Select Mail Policies / Mail Flow Policies (under Host Access Table) and select the Outgoing Mail policy. Click the policy, scroll down to the Security Features section and in the Domain Key/DKIM Signing field select On.

-Enable SPF, DKIM, and DMARC verification for inbound. Go to Mail Policies –> Mail flow policy and select the Incoming Mail policy. Scroll down to the Security Features section and select the On radio buttons for SPF,  DKIM Verification, and DMARC.

Now when I send an email from someone@microsoft.com to me, I can see it being verified as it shows the activity associated with SPF, DKIM, and DMARC in the mail headers.

Categories: Security

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *