Email spoofing and prevention

Let's talk about email spoofing and prevention.

Email Crash Course

I am not able to explain email and SMTP in detail end-to-end in the time it would take for this post, but there are some core things that need to be understood before we can move on. The best illustration is to use telnet to send an email via an SMTP server (I have indented the server responses to make it clearer):

EHLO mycomputer.mydomain.com
    250- redacted smtp.mydomain.com [10.10.10.10], pleased to meet you
MAIL FROM: noreply@mydomain.com
    250 2.1.0 noreply@mydomain.com … Sender ok
RCPT TO: user@example.com
    250 2.1.5 user@example.com … Recipient ok
DATA
    354 Enter mail, end with “.” on a line by itself
From: Bob Smith <bob.smith@mydomain.com>
Reply-to: <noreply@mydomain.com>
Subject: Hello World

Message body contents.
.
    250 2.0.0 wASDDusO0124297 Message accepted for delivery

The above example is not only how we send messages through SMTP but is how applications and MTAs do it as well. Let’s break it down:

  • HELO/EHLO In the HELO command, the host sending the command identifies itself; the command may be interpreted as saying “Hello, I am <domain>” (and, in the case of EHLO, “and I support service extension requests”)
  • MAIL FROM The “MAIL” command initiates transfer of mail and identifies the sender. The address specified here is where errors are sent and will typically appear in the message source as the ‘return-path’.
  • RCPT TO This identifies the recipient(s) and may be repeated as many times as necessary for multiple recipients. (Cc: or Bcc: would be delineated under “DATA”.)
  • DATA Everything following DATA is considered to be message text until the end of data indicator (. on its own line followed by a blank line.) This is also where header items are specified in accordance with RFC 5322.
    • From: this is the “header from” address and is what will appear in most mail clients like Outlook. It is optional and will be equal to the “MAIL FROM” address if omitted.
    • Reply-to: another optional header item which can direct replies to a specific address.
    • Subject: The message’s subject as it will appear in the mail client.
    • The rest is the message body followed by the end of data indicator (.<CRLF>)

Other header items could have been included, or we could have omitted any of the ones that were included. The only required items are HELO, MAIL FROM, RCPT TO, and DATA; everything else is optional.

The “Envelope” vs The “Header”

The “MAIL FROM” address and “RCPT TO” address(es) are referred to as the “envelope” and you may hear “MAIL FROM” called the “envelope from.” Other names for the “MAIL FROM” address may include “MailFrom”, “RFC5321.From”, “RFC5321.MailFrom”, and a number of others. In contrast, our From: Bob Smith <bob.smith@mydomain.com> above is the “header from” or may be called the “RFC5322.From”, “from”, “display from”, or any number of other names. The “Bob Smith” portion is typically referred to as the “display name” but is mostly cosmetic (more on that later.)

For the rest of this document: The “envelope from” will be called the “MailFrom” address and the “header from” address will be called simply the “from” address.
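To make the envelope/header distinction concrete, here is an added example (not code from the original post) that parses a recorded SMTP client session into its envelope (HELO, MAIL FROM, RCPT TO) and its RFC 5322 message, then pulls the MailFrom domain and the from domain out so they can be compared. The two transcripts are constructed: the first mirrors the telnet session above with the server replies left out, the second is a mismatch case built for the comparison.

```python
"""Split a recorded SMTP client session into its envelope and its RFC 5322
message, so the "MailFrom" and the "from" address can be compared.

Added example, not part of the original post. The transcripts below are
constructed: the first mirrors the telnet session above (server replies
omitted), the second is an envelope/header mismatch built for comparison.
"""
import email
from email import policy

# Constructed: what the client typed in the session above.
TRANSCRIPT = """\
EHLO mycomputer.mydomain.com
MAIL FROM:<noreply@mydomain.com>
RCPT TO:<user@example.com>
DATA
From: Bob Smith <bob.smith@mydomain.com>
Reply-to: <noreply@mydomain.com>
Subject: Hello World

Message body contents.
.
QUIT
"""

# Constructed: same header from, but the envelope belongs to another domain.
MISMATCH = """\
EHLO mx.hackersite.example
MAIL FROM:<bounce@hackersite.example>
RCPT TO:<user@example.com>
DATA
From: Bob Smith <bob.smith@mydomain.com>
Subject: Invoice attached

Please pay promptly.
.
QUIT
"""


def _reverse_path(text):
    """Strip the <> around an envelope address; the null sender <> becomes ''."""
    text = text.strip()
    if text.startswith("<") and text.endswith(">"):
        text = text[1:-1]
    return text


def parse_session(transcript):
    """Return {'envelope': {...}, 'message': EmailMessage} for one session."""
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    data_lines = []
    lines = iter(transcript.splitlines())
    for line in lines:
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            envelope["helo"] = line[5:].strip()
        elif upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = _reverse_path(line[10:])
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(_reverse_path(line[8:]))
        elif upper == "DATA":
            # Everything up to the lone "." is RFC 5322 message text
            # (headers, blank line, body), not SMTP commands.
            for body_line in lines:
                if body_line == ".":
                    break
                # RFC 5321 dot-stuffing: a line starting ".." carries one "."
                data_lines.append(body_line[1:] if body_line.startswith("..") else body_line)
        # QUIT, RSET and other verbs carry nothing needed here
    message = email.message_from_string("\n".join(data_lines) + "\n", policy=policy.default)
    return {"envelope": envelope, "message": message}


def _domain(addr):
    return addr.rpartition("@")[2].lower() or None


def from_domains(parsed):
    """Return (MailFrom domain, header-from domain); None where absent."""
    mail_from = parsed["envelope"]["mail_from"] or ""
    header = parsed["message"]["From"]
    header_addr = header.addresses[0].addr_spec if header and header.addresses else ""
    return _domain(mail_from), _domain(header_addr)


if __name__ == "__main__":
    for name, text in (("legitimate", TRANSCRIPT), ("mismatch", MISMATCH)):
        parsed = parse_session(text)
        print(name, parsed["envelope"], from_domains(parsed))
```

Nothing in SMTP itself ties the two results of from_domains together; the second transcript is accepted by the protocol exactly like the first, which is the point the rest of the post builds on.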

That’s Allowed!?

Some things that really surprise people:

  • You can specify whatever you want in the MailFrom or From address. (SMTP servers can be configured to disallow certain domains or only allow “authoritative domains.”)
  • Either the MailFrom or From address can be null (<>) and there are circumstances where this is actually required.
  • You can specify a name with no address in the From address (From: Bob Smith <>) which will show up in some mail clients as “Bob Smith” business as usual.
  • You can format a From address like this: From: Bob Smith <bob.smith@example.com> <hacker@hacker.su> which is legal with the message actually from “hacker@hacker.su” but what most mail clients will show is “Bob Smith bob.smith@example.com.”

All of this is SMTP working as intended and while it’s easy to see how it can be abused for malicious purposes it’s important that SMTP functions this way (why is something for another post on another day.) Which leads us into…

Spoofing

When we talk about spoofing there are three main types:

  • Envelope From Spoofing … In envelope from spoofing the MailFrom address is declared in a way that is meant to look legitimate. Usually the header from is omitted and the spoofed address appears in both places.
  • Header From Spoofing … In header from spoofing the MailFrom is a real address the attacker controls but they declare an address in the header from that is intended to look legitimate since it’s what will appear in most mail clients anyway. Header from spoofing is more likely to get through filters which we’ll get into later.
  • Display Name Spoofing … In display name spoofing both the MailFrom and From are addresses the attacker controls (or that have no spoofing controls) but they use the display name to make the message look like it came from someone legitimate. This is the most likely to make it through filters and, while it’s the easiest for a human to detect, it still works way too often. It’s usually used when the message requires some sort of response. If we use our example above, From: Bob Smith <bob.smith@example.com>, “Bob Smith” is the display name. Usually Outlook and other clients will show “Bob Smith bob.smith@example.com” the first time you get an email from an unknown person, but once you reply it will usually truncate it to “Bob Smith” and hide the address, which makes it easy to miss if you don’t notice on first contact.

When it comes to spoofing the actual email address an attacker might use one of a number of different options:

  1. Use the actual address such as “bob.smith@megacorp.com” hoping it makes it through filters.
  2. Use a misspelling of the address like “bob.smith@megac0rp.com” (notice the zero.)
  3. Use a completely different domain but a valid name “bob.smith@yahoo.com” and claim it’s a personal address of the person they’re pretending to be.
  4. Use whatever address they want and rely on user stupidity “CeoEmail@hackersite.ru”, “MicrosoftSupport@92n3n33.com”, etc.

The most difficult spoofing for mail administrators to deal with is display name spoofing, or spoofing where nothing about the address is actually spoofed and the attacker just relies on the user to herp-derp through it (2-4 above).
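The three spoofing types and the four address options above can be turned into signals a mail filter or SOC analyst would look for. The following is an added example (not code from the original post) that takes the MailFrom and the raw From header of one message and reports which of the post's patterns it shows: envelope/header domain mismatch, a protected domain in the header from, the double-<address> From header, a one-character lookalike domain, and a known contact's display name on a foreign address. The protected domains and the contact directory are constructed; where a From header carries two bracketed addresses, the code follows the post's reading that the last one is the real sender, since mail clients differ here.

```python
"""Flag the sender anomalies listed above: envelope/header mismatch, a
protected domain in the header from, the double-<address> From trick,
lookalike domains, and a known contact's display name on another address.

Added example, not part of the original post. PROTECTED_DOMAINS and
KNOWN_CONTACTS are constructed; for a From header with several <...>
addresses the last one is treated as the real sender, as the post reads it.
"""
import re

PROTECTED_DOMAINS = {"megacorp.example"}                     # constructed
KNOWN_CONTACTS = {"bob smith": "bob.smith@megacorp.example"}  # constructed


def split_from(header_value):
    """Return (display name, [addresses]) from a raw From: header value."""
    addrs = re.findall(r"<([^<>]*)>", header_value)
    if addrs:
        display = header_value.split("<", 1)[0]
    else:
        display, addrs = "", [header_value]
    display = display.strip().strip('"').strip()
    return display, [a.strip().lower() for a in addrs]


def _domain(addr):
    return addr.rpartition("@")[2] or None


def _edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(mail_from, header_from, protected=PROTECTED_DOMAINS, contacts=KNOWN_CONTACTS):
    """Return a sorted list of finding names for one message's two 'from's."""
    findings = set()
    display, addrs = split_from(header_from)
    actual = addrs[-1]          # the address a lenient client would reply to
    hdr_domain, env_domain = _domain(actual), _domain(mail_from.strip().lower())
    if len(addrs) > 1:
        findings.add("multiple_addresses_in_header_from")
    if not actual:
        findings.add("header_from_address_empty")
    if env_domain != hdr_domain:
        findings.add("envelope_header_domain_mismatch")
    if hdr_domain in protected:
        # Real or spoofed? Only SPF/DKIM/DMARC can answer; this is the case they cover.
        findings.add("header_from_uses_protected_domain")
    elif hdr_domain and any(_edit_distance(hdr_domain, p) == 1 for p in protected):
        findings.add("lookalike_of_protected_domain")
    # Display name spoofing: the name of someone we know, on an address we don't
    known = contacts.get(display.lower())
    if known and actual != known:
        findings.add("display_name_matches_known_contact_with_other_address")
    # A display name that is itself written like an address is a rendering trick
    if "@" in display:
        findings.add("display_name_contains_address")
    return sorted(findings)


if __name__ == "__main__":
    samples = [  # constructed
        ("bob.smith@megacorp.example", "Bob Smith <bob.smith@megacorp.example>"),
        ("bounce@hackersite.example", "Bob Smith <bob.smith@megacorp.example>"),
        ("bob.smith@megac0rp.example", "Bob Smith <bob.smith@megac0rp.example>"),
        ("bob@freemail.example", "Bob Smith <bob@freemail.example>"),
        ("hacker@hacker.example", "Bob Smith <bob.smith@megacorp.example> <hacker@hacker.example>"),
    ]
    for mail_from, header_from in samples:
        print(header_from, "->", sender_findings(mail_from, header_from))
```

The first sample shows the limit of heuristics: a header from on your own domain is either legitimate or spoofed, and only the SPF/DKIM/DMARC checks described next can tell which. The other findings are exactly the cases those mechanisms do not cover, which is why the post pairs them with filters and user training.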

A note on compromised mailboxes: Another big problem is when the mailbox of a real user is compromised (successfully credential phished, virus, etc) and is used to send further phishing messages, spam, or malicious attachments. A compromised mailbox is not “spoofed” since the attacker is using the actual user’s credentials.

A note to domain owners: Sending mail from your own domain but specifying an address other than your own is not “spoofing” unless you’re not authorized to do so or have malicious intent. If I am an admin for Mega Corp and send service messages from noreply@megacorp.com that’s business as usual not “spoofing.” Spoofing is unauthorized or malicious.

Protection Mechanisms

Sender Policy Framework (SPF)

In any post about spoofing or mail security, recommendation number one is “implement SPF.” That is good advice; everyone should have SPF implemented. So what is it and what does it do?

ELI5: SPF is a DNS record a domain owner publishes that contains a list of servers from which they send email. The idea is that a receiving server sees an email from their domain, checks the list of legitimate sources, and if the server it came from isn’t on the list it knows it’s not legitimate.

An SPF record looks something like this:

v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all

That is gmail.com’s record if you follow the redirect. SPF records are published as a TXT record at the apex of the domain, so you can run dig <domain> txt | grep v=spf1 on Linux or Resolve-DnsName <domain> txt | ? {$_.Strings -like "v=spf1*"} in PowerShell on Windows to see a domain’s SPF record.

There are a bunch of rules about how they’re structured and a number of different mechanisms that an SPF record can contain that I won’t get into here, but ultimately they resolve to a list of IPs that can be compared to the origin of an email.

SPF is useful not only for protecting against MailFrom spoofing of your domain towards your own users but also towards external destinations, where it could harm your brand. I.e., Microsoft’s SPF record stops MailFrom spoofing of @microsoft.com not just to @microsoft.com but also to you, which helps stop some fake Microsoft phishing emails.

Caveats:

  • SPF is only concerned with the MailFrom address. It is not checked against the Header From address so does not in any way protect against header from spoofing or display name spoofing.
  • The SPF RFC (7208) uses the word “SHOULD” a lot and rarely uses the word “MUST” so different receiving servers/filters may handle SPF failures differently. Even if you specify “hard fail” in your SPF record they may accept it on failure. (Lots of receiving mail servers treat -all and ~all exactly the same.)
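The sentence above about records "resolving to a list of IPs" is the whole evaluation in miniature. The following is an added example (not code from the original post) that evaluates a connecting IP against an SPF record the way a receiving MTA does: walk the terms left to right, follow include: into other domains' records, stop at the first matching term and return its qualifier. DNS_TXT is a constructed offline lookup table using documentation names and address ranges, not real records; only ip4, ip6, include and all are modelled, and the RFC 7208 ten-lookup limit is enforced so a self-including record ends in permerror rather than recursion. Note that the evaluator distinguishes -all (fail) from ~all (softfail); what the receiver does with either verdict is its own policy, which is the caveat above.

```python
"""Evaluate a sending IP against an SPF record, resolving include: terms
from an offline DNS table, the way a receiving MTA resolves the record down
to IP ranges before comparing them with the connecting host.

Added example, not part of the original post. DNS_TXT is a constructed
table (documentation names and ranges, not real records); only ip4, ip6,
include and all are modelled, and any other term returns permerror so the
simplification is visible rather than silent.
"""
import ipaddress

DNS_TXT = {  # constructed
    "megacorp.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4


def spf_record(domain, dns):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    records = [r for r in dns.get(domain.lower(), []) if r.lower().split(" ")[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(ip, domain, dns=DNS_TXT, _lookups=None):
    """Return one of: pass, fail, softfail, neutral, none, permerror.

    `domain` is the MailFrom domain (for the null sender <> RFC 7208 says
    to use the HELO name instead; the caller handles that choice)."""
    if _lookups is None:
        _lookups = [0]
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # a term with no qualifier means "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, value, dns, _lookups)
            if inner == "pass":                 # include matches only on pass
                return QUALIFIER[qualifier]
            if inner in ("none", "permerror"):  # RFC 7208 section 5.2
                return "permerror"
        elif name == "all":
            return QUALIFIER[qualifier]
        else:
            return "permerror"   # a, mx, ptr, exists, redirect=, exp= not modelled here
    return "neutral"             # ran out of terms without an "all"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, check_spf(ip, "megacorp.example"))
```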

DomainKeys Identified Mail (DKIM)

DKIM is a key-pair signing mechanism for the header of mail messages. When you send mail you attach a signature generated with a private key, which receivers verify against a public key published in DNS for your domain. DKIM adds authenticity to a message and guards against tampering with the header by down-stream mail servers. One of the benefits of working on the header is that it survives SMTP relaying and auto-forwarding.

DKIM does not directly prevent abusive / malicious behaviour. DKIM is just a signature… If I hand you a letter with my signature on it there’s added authenticity; however, if I hand you a letter without my signature and there’s no requirement for the letter to be signed, there’s no reason to be suspicious. It’s like SSL: just because a website doesn’t have SSL doesn’t mean it’s fake, but it’s preferred when SSL is used.

Domain Message Authentication Reporting & Conformance (DMARC)

As the name suggests there are reporting and conformance components to DMARC. For this post we’re only concerned with the conformance component which tries to make up for the weaknesses in both SPF and DKIM. The DMARC record of the domain in the header from address is used if it exists. Like the above records it exists as a TXT record in DNS.

DMARC’s conformance check is called “alignment” and it checks that the header from is “aligned” with other authenticated domains on the message either via DKIM or SPF. If either DKIM or SPF alignment passes DMARC evaluates as a “PASS.”

SPF Alignment: The domain in the header from and envelope from must be the same (or sub-domains of the same parent domain if “relaxed”) and must pass SPF.

DKIM Alignment: DMARC requires a valid signature where the domain specified in the d= tag aligns with the sender’s domain from the header from field.

Caveats:

  • DMARC alignment is only enforced when your policy (p=) is set to “reject” or “quarantine”.
  • Lots of receiving mail servers still do not evaluate DMARC, evaluate only for reporting, or evaluate but don’t report (it’s a crap shoot.)
  • DMARC can mess with automated messages like Out of Office replies and/or messages where the two from addresses have different domains but are still legitimate, if only SPF+DMARC are implemented. It’s generally best to implement DKIM along with DMARC to avoid SPF alignment issues.
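The alignment rules and the caveats above can be worked through in code. Here is an added example (not code from the original post) that parses a DMARC record, tests the SPF identifier (the MailFrom domain) and each DKIM d= domain for strict or relaxed alignment with the header-from domain, and derives the disposition from p=. The SPF and DKIM results are taken as inputs the receiver has already computed; the records and scenarios are constructed, and org_domain() is a stated simplification (last two labels) where a real evaluator consults the Public Suffix List.

```python
"""Work the DMARC alignment rules through in code: parse a DMARC record,
test SPF and DKIM identifiers for strict or relaxed alignment with the
header-from domain, and derive the disposition from p=.

Added example, not part of the original post. Records and scenarios are
constructed; org_domain() is a simplification (last two labels) where a
real evaluator uses the Public Suffix List; SPF/DKIM results are inputs.
"""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain, identifier_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r', the default): same organisational domain."""
    h, i = header_from_domain.lower(), identifier_domain.lower()
    return h == i if mode == "s" else org_domain(h) == org_domain(i)


def evaluate_dmarc(header_from_domain, dmarc_record, spf_result, mail_from_domain, dkim_signatures):
    """dkim_signatures: iterable of (d= domain, verification result).
    mail_from_domain: domain of the MailFrom, or None for the null sender <>
    (SPF was then evaluated on the HELO name, which cannot align)."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"spf_aligned": False, "dkim_aligned": False, "dmarc": "none", "disposition": "none"}
    spf_aligned = (spf_result == "pass" and mail_from_domain is not None
                   and aligned(header_from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_aligned = any(result == "pass" and aligned(header_from_domain, d, tags.get("adkim", "r"))
                       for d, result in dkim_signatures)
    passed = spf_aligned or dkim_aligned          # either aligned pass is enough
    policy = tags.get("p", "none").lower()
    # p=none: evaluated and reported, but nothing is quarantined or rejected
    disposition = "none" if passed or policy not in ("quarantine", "reject") else policy
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail", "disposition": disposition}


# Constructed scenarios: (description, header-from domain, record, SPF result,
# MailFrom domain, DKIM signatures)
SCENARIOS = [
    ("header from spoof, attacker's own SPF passes", "megacorp.example",
     "v=DMARC1; p=reject", "pass", "hackersite.example", []),
    ("bulk mailer on a subdomain, relaxed SPF alignment", "megacorp.example",
     "v=DMARC1; p=reject", "pass", "bounce.megacorp.example", []),
    ("same, but aspf=s and no DKIM", "megacorp.example",
     "v=DMARC1; p=quarantine; aspf=s", "pass", "bounce.megacorp.example", []),
    ("third-party relay, DKIM carries the alignment", "megacorp.example",
     "v=DMARC1; p=reject", "pass", "mailer.example", [("megacorp.example", "pass")]),
    ("spoof against a p=none domain", "megacorp.example",
     "v=DMARC1; p=none", "fail", "hackersite.example", []),
]

if __name__ == "__main__":
    for description, *args in SCENARIOS:
        print(description, "->", evaluate_dmarc(*args))
```

The first and fourth scenarios are the two sides of the post's advice: SPF alone passes for the attacker's own MailFrom domain and only DMARC's alignment check catches the header-from spoof, while a relay that breaks SPF alignment still passes when the DKIM d= domain aligns.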

Solutions…

  • Envelope from spoofing… SPF
  • Header from spoofing… SPF + DMARC, DKIM + DMARC, or SPF + DKIM + DMARC. No one mechanism alone will be sufficient.
  • Display name spoofing… Advanced threat filters, transport rules, and user training. None of the mechanisms care about the display name.
  • Compromised mailboxes or “legitimate” senders… Advanced threat filters, transport rules, and user training.

It is the owner of the domain who implements these technologies and it’s up to receivers to configure their filters to check them and take appropriate action. If you’re getting mail spoofed from someone else’s domain and they don’t have SPF, adding SPF to your own domain isn’t going to do anything (I’ve seen this suggested.)

Useful Links

RFCs

  • Simple Mail Transfer Protocol – RFC 5321 … If anyone links you to RFC 821 tell them it was made obsolete by RFC 2821 in 2001 which was made obsolete by 5321 in 2008 and they need to update their shit.
  • Internet Message Format – RFC 5322 … Governs how message headers are formatted (again 822 was made obsolete by 2822 which was made obsolete by 5322… I’m looking at you MX Toolbox.)
  • Sender Policy Framework (SPF) – RFC 7208 … Obsoleted RFC 4408.
  • DomainKeys Identified Mail (DKIM) Signatures – RFC 6376
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) – RFC 7489

Tools

  • https://mxtoolbox.com/ … Various mail tools like SPF lookup, blacklist lookup, header parser, etc.
  • https://kitterman.com/spf/validate.html … One of the better public SPF validation tools.
  • http://dmarcian.com/ … A useful tool for parsing DMARC reports.
  • https://dmarc.org/resources/deployment-tools/ … DMARC deployment tools.

Credit  : https://www.reddit.com/user/omers


Network Basics: TCP Handshake

A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (acknowledgement) packets before actual data communication begins.

TCP Handshake Diagram
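The three steps can be traced in code. The following is an added example (not code from the original page) that models client and server as two small state machines exchanging SYN, SYN-ACK and ACK segments and checking the sequence and acknowledgement numbers the way each endpoint does before it moves to ESTABLISHED. Segments are plain dicts and the initial sequence numbers are constructed inputs; a real stack picks its ISN unpredictably, which is what gives the acknowledgement checks below their value.

```python
"""Simulate the TCP three-way handshake as two endpoint state machines
exchanging SYN, SYN-ACK and ACK segments, checking the sequence and
acknowledgement numbers the way each side does before reaching ESTABLISHED.

Added example, not part of the original page. Segments are plain dicts and
the initial sequence numbers (ISNs) are constructed inputs; a real stack
chooses its ISN unpredictably.
"""


def segment(flags, seq, ack=None):
    """A minimal TCP segment: flags, sequence number, acknowledgement number."""
    return {"flags": flags, "seq": seq, "ack": ack}


class Endpoint:
    def __init__(self, role, isn):
        self.role, self.isn = role, isn
        self.state = "CLOSED" if role == "client" else "LISTEN"
        self.snd_nxt = None   # next sequence number this side will send
        self.rcv_nxt = None   # next sequence number this side expects

    def connect(self):
        """Step 1 (client): send SYN carrying our ISN; SYN consumes one sequence number."""
        if self.role != "client" or self.state != "CLOSED":
            raise ValueError("connect() is the client's first step only")
        self.snd_nxt = self.isn + 1
        self.state = "SYN_SENT"
        return segment("SYN", self.isn)

    def receive(self, seg):
        """Process one incoming segment; return the segment to send back, or None."""
        if self.state == "LISTEN" and seg["flags"] == "SYN":
            # Step 2 (server): acknowledge the client's ISN and offer our own
            self.rcv_nxt = seg["seq"] + 1
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RECEIVED"
            return segment("SYN-ACK", self.isn, ack=self.rcv_nxt)
        if self.state == "SYN_SENT" and seg["flags"] == "SYN-ACK":
            # Step 3 (client): the ack must cover exactly the SYN we sent
            if seg["ack"] != self.snd_nxt:
                raise ValueError("SYN-ACK acknowledges a SYN we did not send")
            self.rcv_nxt = seg["seq"] + 1
            self.state = "ESTABLISHED"
            return segment("ACK", self.snd_nxt, ack=self.rcv_nxt)
        if self.state == "SYN_RECEIVED" and seg["flags"] == "ACK":
            if seg["ack"] != self.snd_nxt or seg["seq"] != self.rcv_nxt:
                raise ValueError("ACK does not match the SYN-ACK we sent")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.role} in {self.state} cannot accept {seg['flags']}")


def handshake(client_isn, server_isn):
    """Run all three steps; return the segments exchanged and both final states."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    return {"segments": [syn, syn_ack, ack], "client": client.state, "server": server.state}


if __name__ == "__main__":
    for seg in handshake(1000, 5000)["segments"]:
        print(seg)
```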

29 basic things IT people want you to know

1. Rebooting really does fix the majority of all IT problems!

Have you tried turning it off and on again? If an application starts acting up, or your computer starts running slowly, there might be a quick fix. By taking a minute of your time to reboot your computer, you can start over fresh. Consider rebooting a second chance for your machine to forget everything that’s troubling it, regroup, and get its act together. What’s more, recent patches or updates might not take effect until you restart your computer — so if your machine recommends a reboot, you should.

Heck, before writing this, I fixed a Wi-Fi issue by rebooting my smartphone. It really works.

2. Logging off and on is different from rebooting.

When you log off of your machine, you’re simply signing out of the system so that someone else can sign in. To get the full benefits of a full restart, you’ll either need to shut down (turn your computer off and on again) or reboot the machine.

3. Turning the monitor off and on isn’t the same as turning the computer off and on.

The power button on a monitor only turns off the screen without restarting the computer. While you’re smart and know this already, some people get confused.

4. The terms “computer” and “CPU” mean different things.

The computer is your entire machine … memory, hard drives, case, and all. However, the central processing unit (CPU) is the main computer chip — usually less than a few inches wide — inside of the computer, most probably made by Intel or AMD.

5. The computer’s desktop is not a good place to save important files. Neither is the recycling bin. 

Where you save your files matters. For example, IT departments might only back up files located in certain folders, such as those on a network drive. And in the case of the recycling bin, occasionally the files there are automatically deleted forever. Besides, files in the desktop folder appear over your background image, making your screen look like a jumbled mess.

6. The “deleted items” section of Outlook is not a good place to file important emails.

Just like the recycling bin, the deleted items folder in Outlook gets automatically cleaned out from time to time. But believe it or not, some people like to store their most important emails there! For the task of holding your important communications, you should create a special folder instead.

7. Not everything that can be emailed should be emailed.

Because it isn’t the most secure method of communication around, and because of regulatory issues, you shouldn’t include the following in emails: confidential materials; customer information; trade secrets; social security and credit-card numbers (and more!). Also, you shouldn’t email large files because they often won’t go through — and if they do, they put a large burden on your company’s email server. Use a secure file share instead.

8. Don’t “reply all” unless necessary.

Especially on communications sent to large groups of people — for example, the entire company  — don’t feel the need to reply to everyone. This will needlessly generate a lot of extra data that will clog up / slow down the mail server for everyone else. Besides, unless you’re the CEO, it’s unlikely that everyone wants to hear what you have to say.

9. If an email is returned as undeliverable, it likely won’t go through the second, third or tenth time you send it either.

The only thing trying to send an email that many times will do … is frustrate you. Address the underlying issue first (perhaps your computer isn’t connected to the network?) before trying to send again, and again, and again.

10. If a document didn’t print the first time, it won’t print no matter how many times you click on the print button.

Similarly, trying to send a print command 10 times likely won’t do anything good, but it might give you 10 copies of the same thing when the issue is finally resolved.

11. Clicking on a link 50 times won’t make it open any faster, either.

Having a happy finger might unexpectedly cause 50 windows to pop up once your computer decides to start responding again.

12. There’s a difference between the internet, your network connection, the intranet, and a specific website being down.

Losing your connection to the internet and the internet being down are different things. You can be connected to the network in your office without being connected to the internet. So even if you can access shared folders and internal websites, you might not be able to reach external sites like Google. Also, sometimes individual websites experience problems. Just because Amazon is having issues, it doesn’t necessarily mean that Wikipedia is also down.

13. IT does not control cellphone reception, or Wi-Fi outside the office.

If you aren’t on Wi-Fi, your phone company (Verizon, T-Mobile, AT&T, et al.) handles the voice and data networks your cellphone connects to. IT doesn’t have control over that network, so they can’t typically help you if you don’t have signal. And when you’re traveling outside the office, all bets are off because IT doesn’t control Wi-Fi networks at your house, in airports, or in your hotel.

14. If in doubt, read the instructions or Google the answer to a question.

The internet is an amazing resource at your fingertips. If you don’t understand an error message or know how to do something on your computer, there’s a high probability that someone has written about it or even made a step-by-step instructional video about it. Also, manuals and documentation for most products can be found online.

15. Just because you can access a website from your home computer doesn’t mean you need access to it at work.

Computers at work should be treated differently from your home computer. Companies have to worry about hackers, malware, legal issues, and ensuring there’s enough bandwidth for everyone at work. (Your excessive video streaming really slows down the network.) IT sets up firewalls, filtering software, and puts restrictions in place for a reason — to keep everyone safe, keep the company out of trouble, and to ensure that all employees can do their job.

16. If your work computer is locked down in some way, there’s a reason why.

Remember the time Bob downloaded a virus that spread throughout the entire company? How about the time George brought down the email server because he just had to forward the link, “freegamezlolz.com/malware-and-such.html” to everyone in the office?

17. Lock your computer when you walk away.

When you leave your computer behind without locking it, anyone can use it without a password. From there, they might copy (or delete) important files without your permission, install malware, or even send emails pretending to be you. Every time you leave your desk, you should lock your computer (on Windows, press the Window key+L or press Ctrl+Alt+Del and lock).

18. On Windows, Ctrl+Alt+Del gives you other options.

When you press Ctrl+Alt+Del, you can do things such as change your password; run the task manager (which lets you know what’s running on your computer); or log off.

19. Right-click is your friend. So are double-click, and click-drag.

When simply clicking on a button isn’t doing what you want, or presenting you with the right menu, try a different mouse function. If one doesn’t work, try one of the other options for a greater chance at success.

20. Password problems? Check the caps lock and num lock keys.

If your password doesn’t seem to work for some reason, no matter what you do, it might be because you’re entering it in all capital letters, thanks to caps lock. And if you use the numbers in your password, make sure that num lock is on the correct setting.

21. DO NOT write your password down and stick it to the bottom of the keyboard!

Or worse, on your monitor. All someone would have to do to hack your machine is be able to read since you’ve given away the secret. Even if someone is not physically right in front of your computer, they might snap a photo of your exposed passwords.

22. Be careful if you rely on your web browser to remember passwords.

Think about it … if you forget to lock your computer and someone gains access to it, they’ll be able to log into all of your accounts, potentially stealing important data or ordering stuff on the internet using your money.

23. When you tell IT exactly what an error message says, it makes a big difference.

The IT department needs more information than “the system is down.” Tell them exactly what’s wrong and they’ll be able to help you more quickly. However, a vague description of the problem will lead to unnecessary delays.

24. Taking a screenshot can help you show IT exactly what’s going on.

The “print screen” button on the keyboard captures a picture of everything that’s on your screen. You can then paste the image into an email, or to a program like Word or Paint. Alternatively, you can use the “Snipping Tool” to capture a specific part of the screen. On a Mac, Command+Shift+4 does the same thing.

25. If you ask for some IT support, you need to be available so IT can ask you followup questions.

Don’t go running off, if you want your issue resolved quickly. If you’re not there, either in person or on the phone, IT might not be able to fix your issue in a timely manner.

26. Your PC needs to be on for IT to support you remotely.

IT can often use a remote support tool to see what’s on your screen. They can even take control of your computer in order to resolve issues for you. However, this can only happen if the program is running, which means your system has to be powered on.

27. If you don’t have the newest, latest, and greatest tech toys … it’s usually not because IT doesn’t want you to have them.

IT professionals typically love new tech. However, buying new hardware and software can get expensive. If you’re using an ancient PC at work, it’s probably because bosses who control the budget don’t like spending money on newer gear.

28. Be patient, and be nice to IT pros.

Members of the IT department might be working on a dozen other things in addition to your request. And when they’re juggling issues, they need to prioritize emergencies over things that can wait a bit. If your question or concern isn’t urgent, don’t expect immediate service.

29. A lack of planning on your part does not constitute an IT emergency.

Within reason, the IT department will do everything it can to help you out. However, don’t expect them to drop everything from their busy schedules just for you. Your definition of an emergency isn’t the same as theirs, especially if yours is a last-minute request.

What did you think of these 29 computer tips IT pros want everyone to know?

Content retrieved from: https://community.spiceworks.com/topic/2167177-29-basic-computer-tips-it-pros-want-everyone-to-know?utm_campaign=Newsletter+Global+Knowledge+NL+BE+11062018+289634++security+training++awareness&utm_content=Newsletter+Global+Knowledge+NL+BE+11062018+289634++security+training++awareness+CID_fdd4a60eef87aa7d5a4c82e7e9a8f283&utm_medium=email&utm_source=Spicenews+Newsletter+Email&utm_term=Just+Click+Once+Please.

MDT – Windowsupdate has ran too many times – MS Printer

ZTIWindowsupdate has run And Failed too Many Times. Microsoft – Printer 6/21/2006 12:00:00 AM 10.0.15063.0

Recently I discovered a really annoying issue when:
  • Deploying with MDT
  • No WSUS
  • Both Windows 10 1703 and Windows 10 1709

Here’s the issue: when running the Windows Update step in MDT, it hangs on some updates.

Biggest question: what is it? It’s two drivers:
  • Microsoft Print to PDF
  • XPS Services

Somehow they cause Windows Update to retry, retry and retry; it simply can’t succeed. These updates are not in WSUS; they only appear when you go directly to microsoft.com.

My solution is to disable the features before the updates and enable them again after the updates, because they are bad drivers from Microsoft.

The solution:
1. First, open the Task Sequence that you are deploying.

2. Add a step to the task sequence. (Make sure you add it after Windows is installed, just before the Windows Update step runs.)
Add > Roles > Uninstall Roles and Features

3. Check Microsoft Print to PDF.

4. Check XPS Services.

5. Then add a new step far down in the task sequence, just before “Apply Local GPO Package”:
Add > Roles > Install Roles and Features

6. Check Microsoft Print to PDF.

7. Check XPS Services.

8. Then click Apply.

9. Update your deployment share and try again. On my machine it solved the issue. Good luck!

Content retrieved from: https://pontuswendt.blog/2017/11/06/ztiwindowsupdate-has-run-and-failed-too-many-times-microsoft-printer-6212006-120000-am-10-0-15063-0/.

Removing Windows 10 apps

I came across this TechNet article on how to remove Windows 10 apps.

I found it very useful because of standard apps that were installed and never used.

https://gallery.technet.microsoft.com/Removing-Built-in-apps-65dc387b#content

Youtube: https://www.youtube.com/watch?v=pxectRu8Xgo

.DESCRIPTION
Removing Built-in apps from Windows 10 / Windows 8.1 / Windows 8
.PARAMETER
PathtoWim – Path to install.wim
select – Enable
.EXAMPLE
.\removeapps.ps1 -pathtowim c:\10\install.wim
.\removeapps.ps1 -pathtowim c:\10\install.wim -selectapps $true
.\removeapps.ps1 -pathtowim c:\10\install.wim -select $true -index 2

I had an issue regarding the DISM version. It was solved with this procedure:

I found my issue – the environment PATH for PowerShell was looking at the old DISM toolkit and importing the old modules.

Solution, non-persistent:

At PS admin prompt

PS C:\Windows\system32> $env:path = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM"

PS C:\Windows\system32> import-module "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM"

PS C:\Windows\system32> dism /?

Windows 10 Creators update adds button in Internet Explorer to open Microsoft Edge – Here’s how to remove it.

In the new Creators update for Windows 10, the option appears in IE to open Edge.
If you are like me, you do not want this. We still use some legacy apps that only work in Internet Explorer.

The easiest way to disable this is with the following procedure :

  • Download the latest ADMX files for the Windows 10 Creators update
    • https://www.microsoft.com/en-us/download/details.aspx?id=55080
  • Use GPP to disable the new button
    • User Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Settings \ Advanced Settings \ Browsing -> Hide the button (next to the New Tab button) that opens Microsoft Edge
  • Have a coffee!