Class 4 ‐ Mail Security - Justin-Boyd/CIT-Class GitHub Wiki

DNS Intro

What Are DNS Records?

  • Store information about every site on the web
  • Before DNS, websites were accessed via host files.
  • DNS records tell DNS servers which domain is associated with which IP.

Where Is DNS Information Stored?

  • The domain name registrar keeps track of domain names and IP assignments.
  • The domain name registry manages and maintains domain names.
  • Domains are not owned but reserved for a limited amount of time.

DNS Queries

  • A request for information from a client to a server
  • MX records point to mail servers.
  • nslookup is used to query domain names and IP addresses.

DNS Records

  • MX Record
  • Name Server (NS)
  • A Record
  • CNAME Record
  • TXT Record

Mail Protocols

Protocol Introduction

  • SMTP (25) - Outgoing mail
  • POP3 (110) - Push mail
  • IMAP (143) - Keep mail on server

How to Connect via CLI

  • Connect and test a mail server via CLI.
  • telnet 25
  • nc 25

Useful Commands for SMTP

  • HELO - Starts an SMTP conversation and identifies the sender to the SMTP server
  • AUTH - Authenticates to the server
  • MAIL FROM - States the source email and starts the email transfer
  • DATA - Starts email content transfer
  • VRFY - Verifies if an email exists
  • QUIT - Terminates an SMTP conversation

Useful Commands for POP3

  • USER - Sends the username to the server
  • PASS - Sends the password to the server
  • LIST # - Shows the message list and size
  • DELE - Deletes the selected message
  • RETR - Retrieves an email message
  • QUIT - Ends the session

DNS Mail Protection

What Is Spoofing?

  • Email Spoofing
    • Forging email headers to fool recipients into trusting the message
  • DNS Spoofing
    • Creating fake DNS records to redirect traffic to a malicious website
  • Spoofing is a method of fabricating a valid-looking, but malicious service, device, or network to perpetrate an attack.

SPF

  • SPF = Sender Policy Framework
  • Email authentication protocol
  • SPF records store information about which IPs can send emails from a domain.
  • Does not work when forwarding emails

DKIM

  • DKIM = DomainKeys Identified Mail
  • Email validation technique
  • Performed on the server level
  • DKIM uses digital signatures

DMARC

  • DMARC = Domain-based Message Authentication, Reporting, and Conformance
  • The following DMARC policies can be used if an email fails a DMARC check: Monitor, Quarantine, Reject.
  • DMARC can generate a report about outgoing emails.

Mail Headers

What Is an Email Header?

  • Contains metadata for the email
  • Sender, recipient, content type, email route, authentication details, and more
  • Always precedes the message body

How to Find the Header

  • Gmail

    • Open an email message.
    • Click the three vertical dots next to the reply button.
    • Select Show Original.
    • A new tab will open with HTML code for the email, including the header.

  • Outlook

    • Open an email message.
    • Click File > Properties.
    • At the bottom of the Properties window, you will see a window called Internet Headers.
    • Copy its contents to a text editor.

Important Header Fields

  1. Date
  2. To
  3. Return-Path
  4. Envelope-To
  5. Subject
  6. DKIM-Signature
  7. DKIM
  8. Message-ID
  9. MIME-Version
  10. Content-Type

Mail Relay Intro

What Is Mail Relay?

  • A server that routes emails to their correct destinations
  • Email clients do not know how to send and deliver mail. They rely on mail relay.
  • Provides a way to guarantee message authenticity

Mail Relay Benefits

  • Protect IP reputation
  • Scan file attachments
  • Spam, phishing, and spoofing protection

Topology Placement

Topology Placement

  • A mail relay server can be placed either in the cloud or on a local network, and mail will be forwarded to it on the way to its destination.

Mail Relay Concepts

Mail Transfer Agent (MTA)

  • The application side of mail servers
  • Responsible for forwarding email to and from MUAs and other MTAs
  • MTAs add tags on top of message headers
  • MUA = Mail User Agents

Mail Delivery Agent (MDA)

  • Sorting and delivery mechanism
  • Receives emails from MTA and delivers them to the recipient’s inbox
  • Some MTAs can also act as MDAs.

Mail Relay Features

Sandbox & File Extension Block List

  • A mail relay sandbox provides a platform for testing email attachments.
  • The sandbox scans the file’s behavior and checks it for indications of malicious intent.
  • If it considers the file malicious, it drops the mail, and the recipient will not receive it.
  • Blocking alone is not enough to prevent malicious files from being received.

Antivirus & CDR

  • Mail Server Antivirus

    • Scans incoming messages before they reach users and outgoing messages before they leave the computer

  • CDR = Content Disarm & Reconstruction

    • Sanitizes files attached to emails