isqs 6342 email server attacks presented by deven patel
TRANSCRIPT
ISQS 6342Email server attacks
Presented by
Deven Patel
Common types of email abuse
Eavesdropping Mail-bombing Impersonating someone else Propagating viruses Sending Hoaxes or Chain letters Hijacking email server
Email agents
Message Transfer Agent (MTA)
Message Delivery Agent (MDA)
MTAs
Simple Mail Transfer Protocol (SMTP)
Unix to Unix Copy Program (UUCP)
SMTP
Sendmail Postfix Qmail Exim
Email Architecture: SMTP Gateways and DMZ Networks
Internet
Internet
DMZ net
End user workstations SMTP and other internal servers
Router Firewall
Switch
Internal net
SMTP Gateway
Public FTP
Public Web
Server
SMTP attacks Buffer Overflow attacks
http://www.cert.org/advisories/CA-1997-05.html
Relaying Unsolicited Commercial Email
http://www.cert.org/incident_notes/IN-2001-02.html
Leaking User and System information to prospective intruders ftp://ftp.isi.edu/in-notes/rfc2821.txt VRFY & EXPN
Unsolicited Commercial Email
Network availability
Server performance and
Bandwidth optimization.
Remedies
Blacklist http://mail-abuse.org/rbl
SpamAssasin http://www.spamassassin.org
Some SMTP troubleshooting commands Helo Mail from Rcpt to Data Subject Quit
Sendmail
Pros Huge user community, as a result its easy to find
both free and commercial support for it, not to mention a wealth of electronic and print publications.
Sendmail
ConsLayers of old code resulting in a reputation of being insecure and bloated.
Monolithic i.e. a vulnerability in one portion of its functionality results in the compromise of the entire application.
Complex application.
Two modes of Operation
Invoked on the fly
Persistent Background Daemon
Configuring Sendmail1. Enable needed features and tweak settings in sendmail.mc2. Set up domain name masquerading, if needed, in sendmail.mc3. Run m4 to generate sendmail.cf from sendmail.mc4. Configure delivery rules by editing the mailertable.5. Configure relaying rules by editing access.6. Configure multiple-domain handling rules by editing virtusers.7. Define local user-aliases in aliases.8. Convert mailertable, access, virtusers, and aliases to databases.9. Define all valid hostnames of the local system in the file local-host-
names.10. (Re-)start sendmail.
Excert from an /etc/mail/sendmail.mc file
Excert from an /etc/mail/sendmail.mc file (contd)
Feature directives
Feature directives FEATURE(‘access_db’,’hash|dbm|btree [-o]
/path/access.db’)dnl This is a modularizing feature which creates an
access database providing a convenient way to maintain a list of both allowed and explicitly denied relaying hosts and domains.
FEATURE(‘dnsbl’,’blackhole.list.provider’)dnl Use a special DNS look-up to check all senders
hostnames against a “black hole list” of known sources of UCE. If ommited, the name of the blackhole.list.provider defaults to blackholes.mail-abuse.org. This is a subscription-based service: mail-abuse.org charges a yearly fee for nonpersonal use.
http://mail-abuse.org/rbl
FEATURE(‘blacklist_recipients’)dnl Check recipient addresses of incoming mail
against the access database to block mail to selected usernames.
FEATURE(‘use_cw_file’)dnl This feature causes sendmail to use the file
/etc/mail/local-host-names to determine valid local names – i.e. names that, if used to the right of the “@” in an email address, will cause that mail to be delivered locally. This is part of Sendmail’s anti-SPAM-relaying functionality.
Sendmail and SMTP AUTH SMTP AUTH is a badly needed extension
to the SMTP protocol: it describes a flexible authentication mechanism that can be used to authenticate relaying. SMTP AUTH allows a password shared by two hosts (or stored by one host for its local users) to be used to validate email senders.
ftp://ftp.isi.edu/in-notes/rfc2554.txt
Sendmail and STARTTLS Beginning with version 8.11, sendmail
supports the Extended SMTP command STARTTLS. When this command is issued at the beginning of an ESMTP session, it initiates an encrypted TLS tunnel that protects the rest of the session from eavesdropping.
ftp://ftp.isi.edu/in-notes/rfc2487.txt
Sendmail and STARTTLS TLS and SSL use x.509 digital certificates,
a type of public-key cryptography in which one’s public key is formatted to include certain amount of identification information (besides just your key ID and the public key itself), including the digital signature of a “Certificate Authority” (CA) that vouches for the authenticity of the certificate.
http://www.rsasecurity.com/rsalabs/faq
Postfix Postfix is simpler in design, more modular,
and easier to configure and administer. Postfix is designed with scalability,
reliability, and security as fundamental requirements.
Postfix consists of a suite of Daemons and helper applications, whereas sendmail is essentially monolithic.
Postfix Postfix separates functions across different
processes which is a big factor in postfix’s speed and stability.
Also Postfix handles the mails intelligently by processing mails in four different queues rather than a single big queue as sendmail does.
Postfix’s four different queues Maildrop queue Incoming queue Active queue Deferred queue
References
http://www.cert.org/incident_notes/IN-2001-02.html http://www.cert.org/advisories/CA-1997-05.html ftp://ftp.isi.edu/in-notes/rfc2821.txt http://mail-abuse.org/rbl http://www.spamassassin.org http://mail-abuse.org/rbl ftp://ftp.isi.edu/in-notes/rfc2554.txt ftp://ftp.isi.edu/in-notes/rfc2487.txt http://www.rsasecurity.com/rsalabs/faq Bauer, Michael D. (2002). Building Secure Servers with
Linux. O’reilly, CA