email security - columbia universitysmb/classes/s09/l11.pdf · email security. secure email secure...
TRANSCRIPT
![Page 1: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/1.jpg)
1 / 43
Email Security
![Page 2: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/2.jpg)
Secure Email
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
2 / 43
![Page 3: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/3.jpg)
General Strategy
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
3 / 43
■ Basic scheme is pretty straight-forward■ Encrypt the message body with a symmetric
cipher, using a randomly-generated traffic key■ Use public key cryptography to encrypt the
traffic key to all recipients■ Digitally sign a hash of the message■ But there are many details
![Page 4: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/4.jpg)
Some Details
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
4 / 43
■ Obvious ones: which symmetric, public key,and hash algorithms to use?
■ More subtle: which algorithms do therecipients understand?
■ Where do certificates come from?■ Do you sign the plaintext or the ciphertext?■ How do you handle BCC?■ Will the ciphertext survive transit intact?■ How are header lines protected?■ What about attachments?■ Many possible answers to all of these questions
![Page 5: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/5.jpg)
Transit Issues
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
5 / 43
■ Not all mail systems accept all characters■ Very few are 8-bit clean■ Cryptographic transforms won’t survive even
minor changes■ EBCDIC vs. ASCII? Unicode? Tabs versus
blanks?■ Solution: encode all email in base 64, using
characters all systems accept: A-Za-z0-9+/■ Use 4 bytes to represent 3; overhead is 33%■ For padding, use = sign (see RFC 3548)■ Only those characters matter; everything else
is deleted on receipt, including white space
![Page 6: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/6.jpg)
Signing
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
6 / 43
■ If you sign the plaintext and then encrypt, thesender’s identity is hidden from all except theproper recipients
■ If you sign the ciphertext, a gateway can verifysignatures and present mail accordingly —perhaps better for anti-spam and anti-phishing
![Page 7: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/7.jpg)
Headers
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
7 / 43
■ Headers change in transit■ Obvious example: Received: lines are added■ Less-obvious example: Email addresses are
often rewritten to hide internal machines, andpresent clearer addresses to the outside:[email protected] → [email protected]
■ Consequence: headers are not protected bysecure email schemes
■ But — users look at (and search on) theheaders
![Page 8: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/8.jpg)
General Flow
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
8 / 43
■ Collect input message■ Put in canonical form■ Encrypt and sign, or sign and encrypt■ Add metadata: encrypted traffic key, your
certificate, algorithm identifiers, etc.■ Convert to transit form■ Embed in email message
![Page 9: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/9.jpg)
Securing Transit
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
9 / 43
■ Many pieces — but we can usually use TLS■ POP, IMAP, connection to submission server:
all are by prearrangement■ Protect content; more important, protect
passwords■ Problem area: road warriors vs. firewalls and
anti-spam
![Page 10: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/10.jpg)
Mail Steps
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
10 / 43
1. Normal process: user composes mail on MUA;submits it to local submission server.
2. Optional internal hops3. Outbound MTA contacts recipient’s MTA —
interorganizational hop4. Optional internal hops to recipient’s mail
server (IMAP or POP)5. IMAP or POP retrieval6. How do we protect Step 3?
![Page 11: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/11.jpg)
MTA to MTA Security
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
11 / 43
■ Do we need to protect it at all?■ These are hard-to-tap links: phone company
fiber, ISP backbones, etc.■ What about government wiretaps?■ Can use TLS — but what is the other side’s
key? No PKI for Internet email!■ One answer: don’t worry; it’s still better than
cleartext against passive eavesdroppers■ But — what about routing attacks?
![Page 12: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/12.jpg)
Traffic Analysis
Secure Email
General Strategy
Some Details
Transit Issues
Signing
Headers
General Flow
Securing Transit
Mail Steps
MTA to MTASecurity
Traffic Analysis
PGP and S/MIME
Spam
Phishing
12 / 43
■ Another reason to secure transit: trafficanalysis
■ Protect against traffic analysis — who istalking to whom
■ Also: length, timing■ In practice, extremely valuable for law
enforcement and intelligence agencies■ Less protected by US law
![Page 13: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/13.jpg)
PGP and S/MIME
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
13 / 43
![Page 14: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/14.jpg)
Approaches to Protecting Content
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
14 / 43
■ Two major standards, PGP and S/MIME■ Many minor syntactic differences■ Major split by audience: computer scientists
like PGP; mainstream users use S/MIME■ Biggest technical difference: how certificates
are signed
![Page 15: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/15.jpg)
Certificate Style
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
15 / 43
■ S/MIME uses standard X.509 certificateformat
■ More importantly, X.509 certificates form atraditional PKI, with a root and a hierarchicalstructure
■ Works well within an organization■ Between organizations, can work if it’s easy to
find that organization’s root■ CU has no PKI — what is the PKI under
which you’d find my cert? Why should youtrust its root?
![Page 16: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/16.jpg)
Web of Trust
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
16 / 43
■ PGP use a “web of trust” — rather than atree, certificates form an arbitrary graph
■ Anyone can sign a certificate■ Most people have more than one signature —
I have 65 signatures on my primary PGP key■ Do you know and trust any of my signers?■ See my key at
http://www.cs.columbia.edu/~smb/smbpgp.txt
![Page 17: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/17.jpg)
Does the Web of Trust Work?
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
17 / 43
■ Number of signatures alone is meaningless; Ican create lots of identities if I want
■ I can even forge names — is the “AngelosKeromytis” who signed my key the same onewho’s a professor here? How do you know?
■ There are at least six PGP keys purporting tobelong to “George W. Bush”. One is signed by“Yes, it’s really Bush!”
■ You have to define your own set of trustanchors, as well as policies on how long asignature chain is too long
![Page 18: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/18.jpg)
Finding Public Keys
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
18 / 43
■ Many mailers cache received certificates■ Some organizations list people’s certificates in
an LDAP database■ Some people have them on their web site■ For PGP, there are public key servers —
anyone can upload keys■ Is that safe? Sure — the security of a
certificate derives from the signature, not fromwhere you found it
![Page 19: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/19.jpg)
Which Style is Better?
Secure Email
PGP and S/MIME
Approaches toProtecting Content
Certificate Style
Web of TrustDoes the Web ofTrust Work?
Finding Public Keys
Which Style isBetter?
Spam
Phishing
19 / 43
■ PGP was easier to start — it doesn’t need aninfrastructure
■ Many security and network conferences have“PGP key-signing parties”
■ S/MIME is better for official use — it makes itclearer when someone is speaking in anorganizational role, since the organizationissued the certificate.
■ Both have usability issues, though PGP isprobably worse
![Page 20: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/20.jpg)
Spam
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
20 / 43
![Page 21: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/21.jpg)
Spam
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
21 / 43
■ We all know what it is. . .■ Defending against it is very hard■ It is unlikely that the problem will ever go away
![Page 22: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/22.jpg)
Originating Machines
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
22 / 43
■ Originally from the spammer’s own machines— those were blacklisted
■ Next: open relays — those have mostly beenclosed down
■ Now: hacked home machines■ Occasionally: routing attacks to hide source
![Page 23: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/23.jpg)
Effective Defenses
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
23 / 43
?
![Page 24: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/24.jpg)
Today’s Defenses
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
24 / 43
■ Blacklisting■ Especially blacklisting of “non-mail” machines:
dial-ups, home machines, etc.■ Port 25 blocks■ Origin authentication: digital signatures, SPF,
DKIM■ Semantic and keyword filters
![Page 25: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/25.jpg)
Blacklisting
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
25 / 43
■ Mostly works, but. . .■ False positives■ Often, lack of resonsiveness by blacklisting
sites■ Some are trying to dodge lawsuits by
spammers■ Others are trying dodge denial-of-service
attacks. . .■ Affects legitimate but unusual users — home
users who run their own MTA, some travelers,etc.
![Page 26: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/26.jpg)
Port 25 Blocks
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
26 / 43
■ Many ISPs block outbound port 25■ Force all email to go through ISP’s servers■ Monitor for “too much”■ Demand password (but malware steals
passwords anyway)
![Page 27: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/27.jpg)
Origin Authentication
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
27 / 43
■ Concept: prevent spam from forged addresses■ But — most spam isn’t “joe job” spam■ Causes problems with mailing lists■ Causes problems for portable addresses■ SPF — not a standard — especially bad in
this respect■ Origin authentication better used for whitelists
![Page 28: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/28.jpg)
SPF Records
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
28 / 43
■ Columbia’s SPF record (in the DNS):v=spf1 ip4:128.59.28.0/24
ip4:128.59.29.0/24 ip4:128.59.59.0/24
ip4:128.59.62.0/24
ip4:128.59.28.160/27
ip4:128.59.29.0/28 ip4:128.59.31.0/24
ip4:128.59.39.0/24 ~all
■ Those IP addresses, and no others, are allowedto send mail claiming to be [email protected] addresses
■ What if you use your Gmail account with a CUreturn address?
![Page 29: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/29.jpg)
DKIM Authentication
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
29 / 43
■ Digital signature of (some) mail headers andmessage body
■ Being standardized by the IETF■ Generally done at the originating gateway■ Granularity is generally per-site, but per-user
keys are supported (e.g., for laptops for roadwarriors)
■ Public keys are in the DNS, rather than inseparate certificates
■ Doesn’t change the mail body the way thatS/MIME does
■ Intended to be lighter-weight
![Page 30: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/30.jpg)
The Real Issue with Origin
AuthenticationSecure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
30 / 43
■ Most people want to permit email fromunknown parties
■ Knowing that the message really is [email protected]
doesn’t tell me if it’s spam or not■ It prevents “joe jobs”, and it’s good for
whitelisting■ It doesn’t block spam■ We’re seeing the difference between
authentication and authorization
![Page 31: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/31.jpg)
Semantic and Keyword Filters
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
31 / 43
■ Look for keywords, improbable text, etc.■ But — spammers include real text excerpts■ Some spam is in attachments, especially image
attachments■ Other spam changes words slightly: Viagra →
V1agra or V*i*a*g*r*a■ Who has a better polymorphic engine?
![Page 32: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/32.jpg)
Charging for Email
Secure Email
PGP and S/MIME
Spam
Spam
OriginatingMachines
Effective Defenses
Today’s Defenses
Blacklisting
Port 25 BlocksOriginAuthentication
SPF RecordsDKIMAuthenticationThe Real Issue withOriginAuthenticationSemantic andKeyword Filters
Charging for Email
Phishing
32 / 43
■ Some people suggesting charging for email —email “postage”
■ Goal: increase the cost to the spammer■ Lots of reasons it doesn’t work well — the
main one is that the spammers are usinghacked machines to send their email.
■ Requiring postage would mean they’d stealmoney, too. . .
![Page 33: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/33.jpg)
Phishing
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
33 / 43
![Page 34: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/34.jpg)
What is Phishing?
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
34 / 43
■ Spoofed emails, purportedly from a financialinstitution
■ Ask you to login to “reset” or “revalidate”your account
■ Often claim that your account has beensuspended
![Page 35: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/35.jpg)
A Phish
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
35 / 43
From: [email protected]
To: undisclosed-recipients:;
Subject: YOUR ACCOUNT HAS BEEN SUSPENDED !!!
Date: Fri, 29 Sep 2006 09:29:25 -0500
...
If you fail to provide information about your
account you’ll discover that your account has been
automatically deleted from Flagstar Bank database.
Please click on the link below to start the update
process:
https://www.flagstar.com/Signon.cgi?update
Flagstar Bank
![Page 36: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/36.jpg)
What’s Wrong?
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
36 / 43
■ The URL is a booby trap:
■ When I clicked on it, I was actually redirectedto a site in Colombia, via yet anotherindirection. . .
■ The login page appears identical to the realone
■ (One of the web sites I visited seemed to haveseveral variant “bank” pages)
![Page 37: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/37.jpg)
The Login Box
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
37 / 43
![Page 38: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/38.jpg)
The URL Bar
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
38 / 43
![Page 39: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/39.jpg)
They Want Data. . .
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
39 / 43
![Page 40: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/40.jpg)
Some Mail Headers
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
40 / 43
Received: from plesk.salesforcefoundation.org
([198.87.81.9])
by cs.columbia.edu (8.12.10/8.12.10)
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
bits=256 verify=NOT) for <[email protected]>
Received: from adsl-68-20-44-198.dsl.chcgil.ameritech.net
(68.20.44.198) by 198.87.81.11
Where does plesk.salesforcefoundation.org comefrom? It is asserted by the far side. The 198.87.81.9 isderived from the IP header, and is hard to forge (but staytuned for routing attacks, in a few weeks). A DNS lookupon 198.87.81.9 isn’t very helpful; the mapping iscontrolled by the address owner, not the name owner.
![Page 41: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/41.jpg)
Other Issues
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
41 / 43
■ Why is the email fromflagstarbanking2.com?
■ The domain for the bank is flagstar.com —no “ing” and no “2”.
■ That’s legit! — the real web site for theironline service is flagstarbanking2.com
■ We have trained users to accept weird,seemingly gratuitous differences; it can makelife easier for the phisher
![Page 42: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/42.jpg)
Tricks with URLs
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
42 / 43
■ http://[email protected]/foo
cnn.com is a userid■ http://2151288839/foo
2151288839 is 128.58.16.7,cluster.cs.columbia.edu
■
http://rds.yahoo.com/_ylt=A0g...http%3a//www.freebsd.o
So the search engine knows what you clickedon
![Page 43: Email Security - Columbia Universitysmb/classes/s09/l11.pdf · Email Security. Secure Email Secure ... Transit Mail Steps MTA to MTA Security Traffic Analysis PGP and S ... security](https://reader033.vdocuments.us/reader033/viewer/2022052709/5a78a2827f8b9a7b698de38b/html5/thumbnails/43.jpg)
Final Thoughts on Phishing
Secure Email
PGP and S/MIME
Spam
Phishing
What is Phishing?
A Phish
What’s Wrong?
The Login Box
The URL Bar
They Want Data. . .
Some Mail Headers
Other Issues
Tricks with URLsFinal Thoughts onPhishing
43 / 43
■ We have the basic technical mechanisms toauthenticate email and web sites
■ Human interaction with these mechanismsremains a very challenging problem
■ Security is a systems problem