
Lesson 05: Securing Infrastructure Services

Advanced Computer Security Module


Kushan Sharma
[email protected]
Objectives
◼ Specific security configurations and controls that can be applied to the
most critical IT infrastructure services, including:
◼ DNS
◼ E-mail
◼ Web servers
◼ Proxy servers

Prepared by: Kushan Sharma 2


DNS Servers
◼ A hierarchical naming service that communicates over both TCP and UDP on
port 53.
◼ UDP is used more frequently than TCP, but TCP is required for zone
transfers.
◼ A client issues a DNS query to its DNS server, which forwards the request
until it finds an authoritative answer; if the domain exists, the server
returns the resolved IP address.


DNS Servers
◼ DNS has some important behavioral properties that should be noted:
◼ DNS can transmit more than one question per query.
◼ A DNS reply can be made up of more than one answer.
◼ If queried from different locations, DNS can return different answers. Large
organizations manage their worldwide Internet services this way.

◼ Every DNS answer has a timeout value (usually two days) that tells when
this record may change.
◼ The resolver keeps the address in its cache for that period, to avoid looking
it up every time a piece of software makes a connection.
◼ It answers from the cache directly until the timeout expires.


DNS Servers
◼ The Internet has 13 DNS root servers. A resolver needs to start with
one of these servers.


Recursive DNS Query
◼ A DNS client sends a request to the name server; if the name server lacks
the necessary information, it addresses the request up the chain to other
name servers. After receiving the information, the name server sends the
result to the client.

◼ Recursive mode is rarely used:
◼ The load on name servers in this case is greatly increased.
◼ For the client this mode is not optimal, because in case of a response
delay it is difficult for the client to determine what happened.
◼ It could be a line failure, or simply a very long chain of name servers
being polled.


Non-Recursive DNS Query
◼ If a domain name is within the zone controlled by the server, the server
returns a response to the client.
◼ If the required information does not belong to this server's zone but is
present in the server's cache, the name server also sends a response to the
client, with the address of the name server that is authoritative for this
information.
◼ If the information is not present in the cache, the DNS client receives the
IP address of the server that is closest to the required domain and which
may have the necessary information.


DNS Server
◼ DNS servers need to have the following actions taken to make them more
resistant against attacks:
◼ Install patches to fix built-in software vulnerabilities.
◼ Configure the server to prevent zone transfers to unauthorized IPs.
◼ Apply fixes to prevent cache poisoning.

◼ Berkeley Internet Name Domain (BIND) is a DNS server provided free by the
Internet Software Consortium (ISC) and is the most common DNS service for
Unix computers.
◼ Numerous exploits have been discovered for BIND, and they are widely used to
attack DNS servers running it.

◼ Microsoft DNS is commonly used inside private organizational networks.

◼ Make sure you consistently install the latest patches in a timely fashion.


DNS Zone Transfer
◼ A zone transfer is a method for retrieving
all the records of a DNS server.
◼ Start of Authority (SOA) record:
◼ Identifies the start of a zone of authority.
◼ Every zone contains an SOA resource
record at the beginning of the zone file,
which stores information about the zone,
configures replication behavior, and sets
the default TTL for names in the zone.
◼ The secondary server checks the Serial
Number field of the returned SOA resource
record.
◼ If the serial number in the SOA resource
record is higher than the serial number of
the SOA resource record of the locally
stored zone file, then there have been
changes to the zone file on the master
server and a zone transfer is needed.
◼ The secondary server sends an AXFR
request (a request for a full zone transfer)
to the master server.


Prevent Unauthorized Zone Transfers
◼ In an organization that maintains its IP addresses on an internal DNS server, an
attacker can use a zone transfer to gain information about the network topology
and the hosts on it, which helps target further attacks.
◼ The attacker simply connects to the DNS server and requests a zone transfer.
The DNS server will helpfully provide all the names and IP addresses it
contains.
◼ After the transfer is complete, the attacker has a list of all of the organization’s
computers and devices. To prevent this scenario, three things can be done:
◼ If the DNS is used for internal purposes only, block access to the DNS server from
the Internet.
◼ Allow zone transfer to trusted IPs only.
◼ Block TCP DNS (zone transfers are done over TCP only, while regular DNS is usually
UDP).
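The two checks that sit around a zone transfer, as an added Python example that is not part of the lecture: the secondary's SOA serial comparison from slide 9 (written with RFC 1982 serial arithmetic so a 32-bit wraparound still counts as an increase) and the master's allow-transfer check that implements the "trusted IPs only" recommendation above. The network list and serial numbers are constructed values.

```python
import ipaddress
from typing import Iterable

# Constructed policy: only these networks may request an AXFR (hypothetical values).
ALLOWED_TRANSFER_NETS = [
    ipaddress.ip_network("10.1.250.0/24"),    # internal secondary name servers
    ipaddress.ip_network("198.51.100.7/32"),  # one off-site secondary
]


def serial_is_newer(local_serial: int, master_serial: int) -> bool:
    """Secondary side: is the master's SOA serial newer than our stored copy?

    RFC 1982 serial arithmetic: the difference is taken modulo 2**32, so a
    serial that wrapped from 4294967295 to 0 still counts as an increase.
    """
    local = local_serial & 0xFFFFFFFF
    master = master_serial & 0xFFFFFFFF
    if local == master:
        return False
    return (master - local) % (1 << 32) < (1 << 31)


def axfr_allowed(client_ip: str,
                 allowed: Iterable[ipaddress.IPv4Network] = ALLOWED_TRANSFER_NETS) -> bool:
    """Master side: serve a full zone transfer only to listed secondaries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed)


def zone_sync_decision(client_ip: str, local_serial: int, master_serial: int) -> str:
    """Outcome of one SOA-check/AXFR round between a secondary and the master.

    The SOA query itself is always answered; only the AXFR that follows is
    subject to the transfer list. Returns 'up-to-date' (serials match, no
    transfer needed), 'refused' (client not on the master's transfer list)
    or 'transfer' (AXFR is served).
    """
    if not serial_is_newer(local_serial, master_serial):
        return "up-to-date"
    if not axfr_allowed(client_ip):
        return "refused"
    return "transfer"


if __name__ == "__main__":
    # Constructed serials in the common YYYYMMDDnn convention.
    print(zone_sync_decision("10.1.250.50", 2013012401, 2013012402))  # transfer
    print(zone_sync_decision("203.0.113.9", 2013012401, 2013012402))  # refused
```

Blocking TCP/53 at the perimeter (the third recommendation) is coarser than this list, but it is the only one of the three that does not depend on the server's configuration being right.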


DNS Cache Poisoning
◼ ISPs, and organizations that run their own DNS server, operate resolvers that
cache information obtained from other DNS servers.
◼ A DNS cache becomes poisoned when it contains an incorrect entry.
◼ An attacker guesses the request ID of the server that the attacker wants to poison, and
then sends it back a forged answer with an IP address of the attacker’s (malicious)
server. This type of attack is made possible for two reasons:
◼ Most DNS clients use UDP, which is stateless and easily forged.
◼ A vulnerable DNS server implementation uses a sequential ID generator. For example, if it
uses 1 as the current ID, it uses 2 as the next, and so on. So an attacker can easily guess the
next ID.
◼ The attacker can use this attack for two purposes:
◼ For a denial of service (DoS) attack
◼ To lure users to a specially crafted site
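The resolver-side check that decides whether a UDP reply is accepted into the cache, as an added Python example that is not part of the lecture. It models the two reasons given above: a sequential ID generator (the weak scheme) next to a CSPRNG-based one and randomized source ports (the mitigation), and a caching resolver that only accepts a reply whose transaction ID, destination port and question all match a query it actually sent. Host names and addresses are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class PendingQuery:
    txid: int       # 16-bit DNS transaction ID chosen by the resolver
    src_port: int   # UDP source port the query left from
    qname: str      # question name, e.g. "www.example.com."
    qtype: str      # question type, e.g. "A"


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int   # port the reply was addressed to
    qname: str
    qtype: str
    answer: str


class SequentialIdGenerator:
    """The weak scheme from the slide: IDs 1, 2, 3, ... so the next one is obvious."""

    def __init__(self, start: int = 1) -> None:
        self.next_id = start

    def __call__(self) -> int:
        txid = self.next_id & 0xFFFF
        self.next_id += 1
        return txid


def random_txid() -> int:
    """Mitigation: an unpredictable 16-bit ID from the OS CSPRNG."""
    return secrets.randbelow(1 << 16)


def random_ephemeral_port() -> int:
    """Mitigation: source-port randomization over the 1024-65535 range."""
    return 1024 + secrets.randbelow(64512)


class Resolver:
    """Toy caching resolver that caches only replies matching a query it sent."""

    def __init__(self, id_gen: Callable[[], int], port_gen: Callable[[], int]) -> None:
        self.id_gen = id_gen
        self.port_gen = port_gen
        self.pending: Dict[Tuple[int, int], PendingQuery] = {}
        self.cache: Dict[Tuple[str, str], str] = {}

    def send_query(self, qname: str, qtype: str = "A") -> PendingQuery:
        query = PendingQuery(self.id_gen(), self.port_gen(), qname, qtype)
        self.pending[(query.txid, query.src_port)] = query
        return query

    def receive_response(self, resp: Response) -> bool:
        """Accept a reply only if txid, port and question all match an outstanding query."""
        key = (resp.txid, resp.dst_port)
        query = self.pending.get(key)
        if query is None or (query.qname, query.qtype) != (resp.qname, resp.qtype):
            return False            # unsolicited or mismatched: drop, never cache
        del self.pending[key]       # first matching reply wins; later copies are dropped
        self.cache[(query.qname, query.qtype)] = resp.answer
        return True


def forgery_search_space(random_id: bool, random_port: bool) -> int:
    """How many (txid, port) pairs an off-path forger would have to cover."""
    ids = (1 << 16) if random_id else 1
    ports = 64512 if random_port else 1
    return ids * ports
```

With a sequential ID and a fixed port the search space is 1, which is the situation the slide describes; randomizing both raises it to roughly 2^32. A production resolver additionally discards answers outside the bailiwick of the server it asked, and DNSSEC validation removes the guessing game entirely.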


Exercise: 01
◼ Can DNS poisoning spread throughout the Internet? Briefly explain your
answer.
◼ In 2010, an Internet service provider outside of China mistakenly configured its DNS
servers to fetch information from DNS servers in China. It fetched the incorrect DNS
records from China and cached them on its own DNS servers. Other Internet service
providers fetched DNS information from that Internet service provider and used it on
their DNS servers. The poisoned DNS entries continued to spread until some people
in the US were blocked from accessing Twitter, Facebook, and YouTube on their
American Internet service providers. The Great Firewall of China had “leaked” outside
of its national borders, preventing people from elsewhere in the world from accessing
these websites. This essentially functioned as a large-scale DNS poisoning attack.

◼ Propose a long-term solution to prevent DNS cache poisoning.


◼ The long-term solution to DNS cache poisoning is DNSSEC. DNSSEC will allow
organizations to sign their DNS records using public-key cryptography, ensuring that
your computer will know whether a DNS record should be trusted or whether it’s
been poisoned and redirects to an incorrect location.


Attacks Targeting DNS
◼ Denial of Service:
◼ An attacker can return an invalid IP address (such as 127.0.0.1, the address
known as localhost, which always refers to the local computer) to every
request from the server.
◼ This prevents the client from correctly resolving any domain names, making it
unable to communicate.

◼ Luring Users to a Crafted Site:


◼ To lure users, attackers can return the IP address of their own crafted sites that
resemble the real sites.
◼ Trick users into giving personal information, such as e-mail addresses, passwords,
and credit card numbers, or executing malicious code.
◼ When users see a site they recognize, they may be less wary about submitting
sensitive data.

◼ Best solution:
◼ Make sure you run the most up-to-date version of the DNS server software, and keep
it updated, to minimize the vulnerabilities that lead to cache poisoning.


DNS Amplification Attack
◼ All compromised PCs, using the spoofed source address "Victim IP Address",
make a DNS query to the primary DNS servers configured in their TCP/IP
properties, asking to resolve the IP address for some-webserver.com.

◼ The matter is made worse because this reply can be amplified up to a factor
of 73.
◼ This occurs because the response packet is significantly larger than the
query.

◼ Recommendation:
◼ Disable the recursive functionality of DNS servers, or limit it to the clients
in your network.
◼ Separate the DNS servers that are authoritative for some domains from the
ones used by internal users to resolve names.
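A small detection pass that checks a resolver's query log for the two symptoms of the attack above, as an added Python example that is not part of the lecture: recursion being served to clients outside the network (an open resolver) and clients receiving far more bytes than they send. The log lines use a constructed, simplified layout rather than a real BIND or Unbound log format, and the internal network list and threshold are assumed values.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed policy: clients that legitimately get recursive service.
INTERNAL_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Constructed threshold: flag a client whose replies are this many times larger
# than its queries.
AMPLIFICATION_THRESHOLD = 10.0

# Constructed log in a simplified, space-separated layout (not a real server log):
# client_ip  rd|-  qname  qtype  query_bytes  response_bytes
SAMPLE_LOG = """\
10.0.0.5 rd www.example.com. A 45 61
203.0.113.9 rd some-webserver.com. ANY 47 3200
203.0.113.9 rd some-webserver.com. ANY 47 3200
203.0.113.9 rd some-webserver.com. ANY 47 3200
198.51.100.20 - example.com. MX 41 120
"""


def parse_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, rd, qname, qtype, qsize, rsize = line.split()
        records.append({
            "client": ipaddress.ip_address(client),
            "rd": rd == "rd",            # recursion-desired flag was set
            "qname": qname,
            "qtype": qtype,
            "qsize": int(qsize),
            "rsize": int(rsize),
        })
    return records


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_CLIENTS)


def analyse(records: List[dict]) -> List[Tuple]:
    """Return findings for open recursion and for high response/query byte ratios."""
    findings: List[Tuple] = []
    open_recursion: Dict[str, int] = defaultdict(int)
    traffic: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for rec in records:
        client = str(rec["client"])
        if rec["rd"] and not is_internal(rec["client"]):
            open_recursion[client] += 1
        traffic[client][0] += rec["qsize"]
        traffic[client][1] += rec["rsize"]
    for client, count in open_recursion.items():
        findings.append(("open-recursion", client, count))
    for client, (qbytes, rbytes) in traffic.items():
        ratio = rbytes / qbytes
        if ratio >= AMPLIFICATION_THRESHOLD:
            findings.append(("amplification", client, round(ratio, 1)))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print(finding)
```

The "client" in the second finding is the spoofed victim address, so the ratio is a measure of how much traffic the resolver is sending at someone who never asked; the fix is the access control in the recommendation, not blocking the victim.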


HTTP Proxy & FTP Proxy
◼ Used to make HTTP requests to a web server and return HTTP answers to the
browser.
◼ After the client has requested data from the proxy, the proxy makes the request
on the client’s behalf.
◼ Takes advantage of the capability to cache results and increases responsiveness
by delivering the response right away instead of waiting for it to come back
from the network.
◼ The FTP proxy acts just like the HTTP proxy, but for the FTP protocol.


Reverse Proxy
◼ A type of proxy server that typically sits behind the perimeter firewall in a
private network and directs client requests to the appropriate backend server.
◼ Provides an additional level of abstraction and control to ensure the smooth
flow of network traffic between clients and servers.
◼ Common uses for a reverse proxy server include:
◼ Load Balancing: Acts as a “traffic cop,” sitting in front of your backend servers and
distributing client requests across a group of servers.
◼ Web Acceleration: Caches commonly requested content.
◼ Security & Anonymity: Hides the identities of the backend servers and acts as an
additional defense against security attacks.


Direct Mapping
◼ An administrator can “direct map” a local IP address and port to a remote
IP address and port.
◼ For example:
◼ The administrator can map a proxy server’s IP address of 203.110.25.149 and
TCP port 25 to an SMTP server’s IP address of 10.1.250.50 and TCP port 25.
◼ Users connect to the proxy’s IP address (192.168.1.100) and are “tunneled” to the
remote server (10.1.250.50) so it appears they are connected to the remote server
directly.

◼ Tunneling can be used for other services as well, including those running
on UDP.
◼ For example, DNS, which uses port 53 UDP, can be tunneled when deploying a
DNS server isn’t an option.


Web Security
◼ Falls into two categories:
◼ Web server security (the security and software configuration of the web
server itself)
◼ Web application security (the security of the Java, ActiveX, PHP, and ASP
code that runs on the web server)

◼ This lecture focuses on web server security.

◼ To read more on web application security, please refer to:
◼ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


Types of Attacks
◼ Web server attacks are made possible by vulnerabilities that are
commonly found in web server software and configurations. These
vulnerabilities include:
◼ Buffer overflow
◼ Directory traversal
◼ Script permissions
◼ Directory browsing
◼ Sample web code that is installed by default by web server software
◼ Vulnerabilities in other software running on the web server, such as SQL
database software


Directory Traversal
◼ A term indicating access to directories (or folders) other than the ones that
were intended and allowed.
◼ Example:
◼ In a default Microsoft IIS web site located in the C:\inetpub folder, attackers
may make use of directory traversal vulnerabilities to go outside that folder
and read files they weren’t meant to.

◼ Unless the server is configured to avoid directory traversal, all directories
could be accessible.
◼ Directory traversal should be disabled.
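The check a web server performs to keep a request inside its document root, as an added Python example that is not part of the lecture. It decodes the URL path once, rejects characters that some servers treat as separators, normalises the result and confirms it still lies under the root. The document root is a constructed path; nothing needs to exist on disk for the check to run.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_request_path(web_root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto a file under web_root.

    Returns the path relative to the root ("." for the root itself), or None
    when the request would escape the root or carries characters that some
    servers treat as path separators.
    """
    root = Path(web_root).resolve()
    # Decode percent-encoding exactly once; decoding in a loop is what lets
    # double-encoded sequences such as %252e%252e slip through.
    decoded = unquote(request_path)
    # NUL bytes terminate C strings, and backslashes are directory separators
    # on Windows (IIS); neither belongs in a web path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Join under the root and normalise '.', '..' and symlinks.
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        relative = candidate.relative_to(root)
    except ValueError:
        return None  # normalised path lies outside the document root
    return relative.as_posix()


if __name__ == "__main__":
    for req in ("/index.html", "/img/../css/style.css", "/../../etc/passwd"):
        print(req, "->", resolve_request_path("/srv/www", req))
```

The comparison is done on path components (`relative_to`), not on string prefixes, so a sibling directory such as `/srv/www2` is correctly rejected for a root of `/srv/www`. A doubly encoded request stays inside the root as a literal `%2e%2e` directory name and simply fails to exist, which is the intended outcome.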


Script Permissions
◼ The administrator must grant executable permission to the directory where
the server-side applications reside, e.g. the CGI directory.
◼ Some administrators grant this permission to the wrong place. For example,
an administrator grants executable permission to all of drive C:
◼ URL to be executed:

◼ After the web server parses it, the URL becomes:

◼ The dir command lists all the files in the current directory and sends the
results back to the user.
◼ Attackers can perform more complex commands in order to delete, run, or
modify data on the web server.
◼ Recommendation:
◼ Set executable permissions only on a folder that contains only the
server-side applications.

Directory Browsing
◼ Directory browsing is usually disabled, but if it is enabled, it shows the list
of all files in that directory and allows browsing of subdirectories.
◼ Sometimes the knowledge of a file’s existence can help an attacker exploit
vulnerabilities in files and programs on the web server.

◼ Recommendation:
◼ Disable directory browsing on web servers.


Default Samples & Inherent Vulnerabilities
◼ Default Samples:
◼ Applications included with web server software, installed by default when
the web server software is installed.
◼ Some samples that are installed by default contain vulnerabilities.
◼ Recommendation:
◼ Do not install the samples, and if they are already installed, just delete them.

◼ Inherent Vulnerabilities in Web Server Software:
◼ Every web server software package, including IIS and Apache, has built-in
vulnerabilities.
◼ New vulnerabilities in the major web server software platforms are found
and published every week.


Web Server Protection
◼ Taking the following measures will improve the security of the web
server:
◼ Set the web server service or daemon to run with the least amount of
privileges that allow it to function properly.
◼ Install the most recent security patches and keep track of new exploits as
they are discovered.
◼ Delete default samples or avoid installing them.
◼ Secure the computer hosting the web server by deleting unneeded
applications.
◼ Harden the operating system.
◼ Make sure script permissions are given only to isolated directories.
◼ Provide an index.html file in each directory on the web server, to avoid the
need for directory browsing.


Third-Party Security Products
◼ Firewall Hardware and Software:
◼ Filter out traffic that is not part of a normal web session.
◼ Web application firewalls (WAFs):
◼ Designed to have very deep web traffic inspection capabilities.
◼ They provide good protection against content-based attacks because they check the
actual contents of the HTTP session, looking for known bad or anomalous behavior
that doesn’t match normal usage patterns.
◼ Antivirus software:
◼ Installed on the web server, so that if an attacker uses a known exploit in an
attempt to compromise the web server, the AV will detect and stop it.
◼ Feedback Analyzers:
◼ Analyze the response of the web server and compare it to the original known good
web site.
◼ If the site is defaced or otherwise modified in some way, the response will not match
the original known good result.


Third-Party Security Products
◼ Intrusion Detection and Prevention:
◼ IDSs are good for postmortem investigations because they keep a record of what
happened.
◼ IPSs are good for blocking certain known bad behaviors.
◼ Vulnerability Scanners:
◼ Run a vulnerability scanner periodically to identify vulnerabilities in the web
server.
◼ Input Validation:
◼ Used to check every data submission to the web site and test for signs of anomaly,
SQL injection commands, and buffer overflows.
◼ Secure log server:
◼ A source of information that can provide evidence of an attack or compromise.


E-Mail
◼ Most people consider e-mail to be a vehicle for communication.
◼ E-mail also provides a path into the private, protected network for
somebody outside who wants to get in:
◼ It passes through firewalls and other perimeter defenses.
◼ It can harbor spam and malware such as viruses and Trojans.
◼ It threatens the confidentiality of private data contained within e-mail
messages.
◼ E-mail is a huge back door into the network.


Email – Two Part System
◼ E-mail is a two-part system—one part for sending and one for
receiving.
◼ Protocols for sending e-mail: SMTP and ESMTP.
◼ Tailored to the delivery of messages between computers.
◼ Protocols for receiving e-mail: POP3 and IMAP4.
◼ Designed with user interaction in mind.


Simple Mail Transfer Protocol - SMTP
◼ Predominant protocol in use today for e-mail delivery.
◼ In its early design stages, SMTP was used by a few trusted individuals to
communicate with each other.
◼ There was no concept of fraud or misrepresentation, so a robust identity
system was not required.
◼ This makes life easy for those who want to abuse it.

◼ There are two types of SMTP protocols:
◼ Extended SMTP (also called ESMTP) - Supports authentication.
◼ Regular SMTP - No support for authentication.

◼ SMTP communicates using simple commands, which a user can actually
type into a Telnet session.


Manually Connecting to an SMTP Server
◼ With a telnet session:
◼ Run telnet.exe on a Windows system or telnet on a Unix system.
◼ Enter open <mailserver> 25, where mailserver is the name or IP address of the
SMTP server you want to connect to.

◼ If the connection is successful, a banner will be shown. If that banner
contains information about the software and version of SMTP the server
is running, attackers can tailor their exploits to take advantage of
vulnerabilities in that version.
◼ For example, consider the following banner:
220 mail.domain.com ESMTP MAIL Service, Version: 5.0.2195.1600;
Thu, 24 Jan 2013 22:51:17 -0800 (PST)
◼ This banner is from a Microsoft Exchange server, and the version is easy to
see.
◼ An attacker can download exploits that are tailored to this version.


SMTP Uses Plaintext
◼ The protocol allows only 7-bit ASCII characters.
◼ An attachment that requires 8-bit binary data must be converted
(encoded) into a 7-bit representation.
◼ Most common way to encode binary data in e-mail is with the Multipurpose
Internet Mail Extension (MIME) protocol.
◼ MIME allows attachments to be put inside messages.
◼ MIME has two choices of encoding schemes:
◼ Base64: The most common e-mail format.
◼ Quoted-printable or QP: More common in browsers.


SMTP Request/Response
◼ SMTP is “request/response”–based.
◼ The client sends a command, and the server replies with a three-digit numeric
code followed by a descriptive message.
◼ Each command has its own assigned response code that denotes success or
failure.
◼ There is no handshake, only an expectation that a response will follow a
request and vice versa.
◼ The system assumes that the sending system and receiving system are in
sync.
◼ This can lead to delivery problems if the connection is interrupted or the
communication doesn’t follow the protocol.


SMTP Command Sequence
◼ The session begins after the initial connection between the client and
server. When the session is established, the SMTP server sends its response
code and identifying message.

◼ HELO (as in hello) is the command that opens the SMTP session. This sends the
client’s identifying name to the mail server.

◼ MAIL FROM is the command sent to define the current e-mail sender’s
address.


SMTP Command Sequence
◼ RCPT TO is the command sent to add one more recipient to the
current e-mail. RCPT TO can be invoked multiple times for multiple
recipients.

◼ DATA is the command that tells the server you are ready to send the
contents of the e-mail.
◼ The client indicates it has finished transmitting by sending a line
containing only a period.


Complete SMTP Session


Typical SMTP Session


Common SMTP Response Code


Disable EXPN and VRFY
◼ The EXPN (expand) command is used to view the content of a mailing list.
◼ The SMTP EXPN command causes sendmail to expand (show all the recipients of) an
address.

◼ The VRFY (verify) command is used to verify that a user exists.
◼ The SMTP VRFY command causes sendmail/postfix to verify that it will accept an
address for delivery. If a user's login name is given, the full name and login name are
printed:

◼ If the user is not available:

◼ The mail server should be configured to ignore these commands because they
can be used to gather information about users on the server.


Extended SMTP (ESMTP)
◼ ESMTP is much like SMTP, but it forces the client to authenticate before
that client is allowed to send e-mail to a server.
◼ The server can be configured to require authentication from every IP
address in order to prevent outside systems from sending e-mail through
internal servers.
◼ ESMTP uses the same commands as regular SMTP—with a few exceptions:
◼ The session begins when the client sends the EHLO (extended hello)
command rather than the HELO command, as with SMTP.
◼ After the server’s response, the client may authenticate with the mail
server, but this is not mandatory.


ESMTP Authentication Types
◼ ESMTP offers a number of authentication methods.
◼ A server need not support all of them. For example, lines 11 and 12 of the
session below show the authentication methods this server supports. They
are:
◼ AUTH LOGIN PLAIN:
◼ Requires the client to send its username and password in plaintext.
◼ The username and password can be intercepted easily from the network.
◼ AUTH-LOGIN:
◼ Sends the username and password using Base64 encoding.
◼ This is trivial for modern software to decode on the fly.


ESMTP Authentication Types
◼ CRAM-MD5:
◼ The mail server sends the client a challenge, and the client uses this challenge
and its password to calculate an MD5 hash value to send to the server.
◼ When an attacker sniffing the network sees the hash value being sent, they
have no way of knowing the original password.

◼ Some other authentication methods are available:
◼ GSSAPI (RFC 2078 and RFC 2743)
◼ Kerberos_V4 (RFC 1411)


Exercise 02:
1) How does SMTP know where to deliver its data?
2) What are the differences between a direct connection and an open
relay?
3) How does one mail server know what other server it needs to connect
to in order to deliver an e-mail message?


E-Mail Distribution
◼ When a mail server receives an e-mail addressed to
[email protected]:
◼ The sending server can’t simply perform a regular DNS lookup (for the type
of DNS entry known as an “A record”) to find the receiving server’s IP
address.
◼ The mail server’s address isn’t necessarily the same as the recipient’s
domain.
◼ For example, “domain.com” may or may not have an IP address, but its
mail server may be “mail.domain.com”.
◼ A domain may have several mail servers.
◼ The MX (Mail Exchange) record tells the sending server the IP address of the
receiving server it needs to connect to.
◼ The MX entry has a preference field that ranks the mail server priority.


nslookup For MX Records


E-Mail Distribution
◼ A mail server that sends e-mail will first resolve the recipient domain’s MX
record.
◼ When the server receives an answer with an IP address, it attempts to connect
to that address on TCP port 25.
◼ Upon a successful connection, it then behaves like a normal SMTP client.
◼ When the mail server cannot resolve the domain’s MX record, it sends an
error message back to the sender’s e-mail address indicating that it can’t
resolve the address.
◼ When the mail server cannot connect to that IP address, it tries the
lower-priority servers on the list, retrying at an interval defined per mail
server, until it manages to send the e-mail or gives up.
◼ Upon failure, an e-mail message is sent back to the sender saying it wasn’t
able to deliver the message.
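The MX walk described on the two "E-Mail Distribution" slides, as an added Python example that is not part of the lecture: order the exchanges by preference, try each one in turn, and report the three outcomes (no MX record, delivered, bounced after all attempts). The zone data is constructed and no real DNS lookup or TCP connection is made; `connect` is a stand-in for opening port 25.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value = higher priority
    exchange: str     # host name of the mail server


# Constructed zone data for a hypothetical domain (no real DNS lookups are made).
SAMPLE_MX: Dict[str, List[MXRecord]] = {
    "domain.com": [
        MXRecord(20, "mail2.domain.com"),
        MXRecord(10, "mail.domain.com"),
        MXRecord(30, "backup.domain.com"),
    ],
}
SAMPLE_A: Dict[str, str] = {
    "mail.domain.com": "10.1.250.50",
    "mail2.domain.com": "10.1.250.51",
    "backup.domain.com": "192.0.2.25",
}


def ordered_exchanges(domain: str, mx_table=SAMPLE_MX) -> Optional[List[str]]:
    """Return the exchanges in preference order, or None when the domain has no MX."""
    records = mx_table.get(domain)
    if not records:
        return None
    return [r.exchange for r in sorted(records, key=lambda r: r.preference)]


def deliver(domain: str, connect: Callable[[str], bool], max_attempts: int = 3,
            mx_table=SAMPLE_MX, a_table=SAMPLE_A) -> Tuple[str, Optional[str]]:
    """Walk the MX list the way the slide describes.

    connect(ip) stands in for opening TCP port 25 and returns True on success.
    Returns ('no-mx', None) when the MX record cannot be resolved (the sender
    gets a bounce), ('delivered', host) on success, or ('bounced', None) once
    every exchange has failed max_attempts times. A real MTA spreads the
    attempts over its retry interval instead of looping immediately.
    """
    hosts = ordered_exchanges(domain, mx_table)
    if hosts is None:
        return ("no-mx", None)
    for _attempt in range(max_attempts):
        for host in hosts:
            ip = a_table.get(host)
            if ip is not None and connect(ip):
                return ("delivered", host)
    return ("bounced", None)


if __name__ == "__main__":
    # Simulate the primary exchange being down.
    down = {"10.1.250.50"}
    print(deliver("domain.com", lambda ip: ip not in down))  # ('delivered', 'mail2.domain.com')
```

Because the lowest preference value is tried first, the records' order in the zone file is irrelevant; what matters is that a backup exchange with a high preference number should still be as well protected as the primary, since senders will fall back to it.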


E-Mail Distribution


Mimicking a Mail Sending Server
◼ A user can mimic a mail sending server and connect directly to the
recipient’s SMTP server.
◼ Example: You want to send e-mail to [email protected] and
you don’t want to use your mail server (or you don’t have access to
such a server). Then:
◼ Resolve the MX record for the domain somewhere.com
◼ Connect to the IP you resolved
◼ Enter the correct SMTP commands as described above (HELO, MAIL FROM,
RCPT TO, and DATA) to send the message like a normal SMTP server.

◼ What happens when you add an RCPT TO for a different domain, for example
somewhere-else.com, while you are connected to somewhere.com’s mail
server?
◼ Either the mail server responds that it can’t relay to a user outside the domain,
◼ or the mail server accepts this address and will forward the message on your
behalf. This is called an OPEN RELAY.


Open Relay
◼ A spammer can use an open relay to send spam without detection, because
the spam will appear to originate from the open relay.
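A server-side SMTP state machine, as an added Python example that is not part of the lecture. It covers the command sequence from slides 33 and 34 (HELO/EHLO, MAIL FROM, RCPT TO, DATA and the lone period) with the response codes each step returns, answers VRFY and EXPN without disclosing anything (the slide 38 recommendation), and makes the relay decision that separates a normal server from the open relay described above: mail for its own domain is accepted from anyone, mail for other domains only from its own clients. Host names, domains and the "trusted network" test are constructed.

```python
import re
from typing import List, Optional, Tuple


class MinimalSmtpServer:
    """Toy server-side SMTP state machine (constructed example, not a real MTA).

    Feed it one command line at a time with handle(); it returns the reply line,
    or None while message text is being received after DATA.
    """

    LOCAL_DOMAINS = {"somewhere.com"}       # domains this server accepts mail for
    TRUSTED_PREFIXES = ("10.", "192.168.")  # crude "our network" test for outbound relaying

    def __init__(self, client_ip: str, hostname: str = "mail.somewhere.com") -> None:
        self.client_ip = client_ip
        self.hostname = hostname
        self.state = "connected"   # connected -> greeted -> mail -> rcpt -> data
        self.delivered: List[Tuple[Optional[str], List[str], str]] = []
        self._reset_envelope()

    def _reset_envelope(self) -> None:
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.body: List[str] = []

    def greeting(self) -> str:
        # Sent on connect; deliberately says nothing about software or version.
        return f"220 {self.hostname} ESMTP ready"

    def _may_deliver_to(self, rcpt: str) -> bool:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.LOCAL_DOMAINS:
            return True                       # inbound mail for our own users
        # Outbound relaying only for our own clients; accepting it from anyone
        # would make this an open relay. A real server also allows it after AUTH.
        return self.client_ip.startswith(self.TRUSTED_PREFIXES)

    def handle(self, line: str) -> Optional[str]:
        if self.state == "data":
            if line == ".":
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self._reset_envelope()
                self.state = "greeted"
                return "250 OK: queued"
            # Undo dot-stuffing: clients prefix body lines that start with '.'
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reset_envelope()
            self.state = "greeted"
            if verb == "EHLO":   # advertise extensions; only challenge-response AUTH here
                return f"250-{self.hostname}\n250 AUTH CRAM-MD5"
            return f"250 {self.hostname}"
        if verb == "VRFY":
            return "252 Cannot VRFY user"          # disabled: no account enumeration
        if verb == "EXPN":
            return "502 Command not implemented"   # disabled: no list expansion
        if verb == "QUIT":
            return "221 Bye"
        if verb == "RSET":
            self._reset_envelope()
            if self.state != "connected":
                self.state = "greeted"
            return "250 OK"
        if verb == "MAIL":
            if self.state != "greeted":
                return "503 Bad sequence of commands"
            match = re.match(r"FROM:\s*<([^>]*)>", arg, re.IGNORECASE)
            if not match:
                return "501 Syntax error in parameters"
            self.sender = match.group(1)
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 Bad sequence of commands"
            match = re.match(r"TO:\s*<([^>]+)>", arg, re.IGNORECASE)
            if not match:
                return "501 Syntax error in parameters"
            if not self._may_deliver_to(match.group(1)):
                return "550 Relaying denied"
            self.recipients.append(match.group(1))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Bad sequence of commands"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command unrecognized"
```

The 252 reply to VRFY is the one RFC 5321 reserves for "will not confirm, but will accept mail", so a legitimate client loses nothing while the command stops being an enumeration oracle.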


POP3
◼ The protocol used to retrieve e-mail from the mail server.
◼ It uses TCP port 110.
◼ It uses plaintext to communicate (without the 7-bit limit), and it mimics
the SMTP request/reply mechanism. To denote success, the POP3
server sends a plus (+) at the beginning of the response, as opposed to a
minus (–) to denote failure.

◼ A failed POP3 session:
◼ POP3 describes the error in the text following the – character.

◼ Most smartphones that can receive e-mail use POP3 or IMAP4.


POP3 Command Sequence
◼ The session begins when the POP3 server sends its identifying message:
◼ Composed of the process ID, a timestamp, and the server ID.
◼ 20750 is the process ID.
◼ 1052874132 is the timestamp.
◼ sender.domain.com is the ID of the sending server.

◼ Most commonly used POP3 commands:


POP3 Command Sequence
◼ USER is the command that sends the user’s username. Most POP3
implementations will always return + to it.

◼ PASS is the command that sends the password for the username given
in the USER command.

◼ A good mail server always waits a few seconds after a failed login in
order to slow down brute-force attack attempts.


POP3 Command Sequence
◼ LIST is the command that retrieves the list of all the messages that
reside on the server. The POP3 server assigns each message a unique
per-session ID number.

◼ RETR is the command used to retrieve a specific message. The only
valid numbers are the ones specified by the LIST command.


APOP3
◼ POP3 passwords are insecure because they are not encrypted on the
network, so they can be intercepted.
◼ Advanced POP3 (APOP3) was introduced for this reason.
◼ APOP3 allows a user to send an MD5 hash of their password using a
challenge.
◼ The syntax for APOP3 is shown here:

◼ The MD5 digest is calculated over the process ID and timestamp followed
by a shared secret that has previously been agreed on by the client and
server.
◼ The server checks the MD5 digest, and if it’s correct, the client is
authenticated.
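Both challenge-response mechanisms on these slides, as an added Python example that is not part of the lecture: CRAM-MD5 for ESMTP (slide 41, HMAC-MD5 keyed with the password over the server's challenge) and APOP for POP3 (above, MD5 over the `<pid.timestamp@host>` greeting followed by the shared secret), each with the client-side computation and the server-side verification. For contrast it also shows what AUTH PLAIN (slide 40) puts on the wire. The challenge strings, user names and secrets are constructed; the APOP banner reuses the process ID, timestamp and host name from slide 50.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple

# ---- ESMTP AUTH CRAM-MD5 (RFC 2195) ----

def cram_md5_challenge(hostname: str) -> str:
    """Server: a fresh, unpredictable challenge in the customary <random.time@host> form."""
    return f"<{secrets.randbelow(1 << 32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(challenge: str, username: str, password: str) -> str:
    """Client: HMAC-MD5 keyed with the password over the challenge; the password
    itself never leaves the client. (On the wire both challenge and response
    are additionally Base64-encoded.)"""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(challenge: str, response: str,
                    password_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server: recompute with the stored secret and compare in constant time."""
    username, _, digest = response.partition(" ")
    password = password_lookup(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# ---- POP3 APOP (RFC 1939) ----

def apop_banner(pid: int, timestamp: int, hostname: str) -> str:
    """Server greeting; the <pid.timestamp@host> part doubles as the challenge."""
    return f"+OK POP3 server ready <{pid}.{timestamp}@{hostname}>"


def apop_digest(banner: str, secret: str) -> str:
    """MD5 over the timestamp banner followed by the shared secret."""
    start, end = banner.index("<"), banner.index(">") + 1
    return hashlib.md5((banner[start:end] + secret).encode()).hexdigest()


def apop_verify(banner: str, command: str,
                secret_lookup: Callable[[str], Optional[str]]) -> bool:
    """Server: check the client's 'APOP name digest' line against the stored secret."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    secret = secret_lookup(parts[1])
    return secret is not None and hmac.compare_digest(apop_digest(banner, secret), parts[2])


# ---- for contrast: AUTH PLAIN ----

def auth_plain_on_wire(username: str, password: str) -> str:
    """Base64 of NUL user NUL pass: an encoding, not encryption."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def auth_plain_recovered(wire: str) -> Tuple[str, str]:
    """Anyone who captured the line gets the credentials back with one decode."""
    _, user, password = base64.b64decode(wire).decode().split("\0")
    return user, password
```

Two caveats a practitioner should keep in mind: the digest is bound to the challenge, so a captured response cannot be replayed against a fresh challenge, but the server must hold the secret in a form from which it can recompute the digest (effectively the plaintext password), and MD5 here is used only as a MAC primitive, not as a password hash. Neither mechanism protects the message contents, which is why slide 57 adds SSL on top.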


IMAP4
◼ Internet Message Access Protocol (IMAP4).
◼ Allows the e-mail client to send outgoing mail by connecting to an
SMTP server to send a message.
◼ The client connects to the IMAP4 server, authenticates itself using the
sender’s e-mail account and password, and then processes stored e-mail
messages.
◼ IMAP4 can work in two persistency modes:
◼ It can store all the incoming and outbound e-mail data on the server (which
is the default mode),
◼ or it can allow the user to work offline by storing the data locally on their
client device.
◼ IMAP4 allows users to create directories and store their e-mail
messages in those directories.
◼ Authentication options are similar to the options for POP3:
◼ It uses a plaintext username and password.
◼ It uses CRAM-MD5 for encrypted logins (but it doesn’t encrypt the data,
only the login information).

Comparison of POP3 and IMAP4
◼ IMAP4’s specific features include:
◼ It is optimized for speed (which was important in the days when network
connections were slow, such as dial-up).
◼ It can store e-mail messages on the server or retrieve them locally.


Comparison of POP3 and IMAP4
◼ POP3 has traits that are similar to IMAP4:
◼ Both can work while offline (not connected to the Internet).
◼ Mail is delivered to a server that is highly available.
◼ E-mail can be retrieved using multiple clients from different vendors.
◼ Both protocols are “open” (that is, they are defined by RFCs).
◼ Both protocols need SMTP to send mail.

◼ POP3’s specific features include:
◼ It is a simple protocol and easy to implement.
◼ It works with a large variety of client software.


SSL Support for SMTP, POP3, and IMAP4
◼ POP3, SMTP, and IMAP4 all have available SSL support.
◼ SSL encrypts the session from start to finish, making interception of
either the login credentials or the message contents difficult.
◼ Without SSL, these protocols allow interception of the message
contents even if the added authentication encryption options are used.
◼ Standard ports are defined for the SSL-encrypted versions of these
protocols:
◼ POP3 SSL (POP3S) uses TCP port 995,
◼ SMTP SSL (SMTPS) uses TCP port 465,
◼ IMAP SSL (IMAPS) uses TCP port 993.


Inbound SMTP
◼ http://www.diablotin.com/librairie/networking/firewall/ch08_01.htm


OutBound SMTP
◼ http://www.diablotin.com/librairie/networking/firewall/ch08_01.htm


Impersonating the Sender
◼ There is an illusion that e-mail is non-repudiable. Examples:
◼ “I’ve received an e-mail from John; therefore, I’m sure it came from John”
◼ “John, I sent you that contract yesterday—what do you mean you don’t
have it?”
◼ Spoofing e-mail messages is remarkably easy to do, because the
underlying protocols trust that all input given to them is correct.


Email Spoofing
◼ Forgery of an email header so that the message appears to have
originated from someone or somewhere other than the actual source.
◼ Tactic used in phishing and spam campaigns because people are more
likely to open an email when they think it has been sent by a legitimate
source.
◼ Possible because the Simple Mail Transfer Protocol (SMTP) does not
provide a mechanism for address authentication.
◼ Mechanisms available to battle spoofing:
◼ SPF (Sender Policy Framework).
◼ DKIM (Domain Keys Identified Mail).
◼ DMARC (Domain-based Message Authentication, Reporting &
Conformance).
◼ SMTP AUTH extension.


SPF – Sender Policy Framework
◼ The owner of a domain can publish a list of approved sending hosts.
◼ If a message originates from a server that is not on that list, the receiving server can consider it a fake and treat it accordingly.
◼ SPF does not validate the From domain. Instead, SPF looks at the Return-Path (envelope sender) domain to validate the originating server.
◼ Receiving servers verify SPF by looking up a specific TXT record in the sender's domain, which lists the approved IP addresses.
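The check described above, as an added example that is not part of the lecture slides: the receiving server takes the Return-Path domain, fetches its `v=spf1` TXT record and walks the mechanisms until one matches the connecting IP. The DNS answers here are constructed for the example domains (`example.com`, `_spf.mailer.example`) and stand in for real lookups; only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented.

```python
import ipaddress

# Constructed TXT records standing in for real DNS zones (example domains only).
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nopolicy.example": ["some unrelated txt record"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain):
    """Return the domain's SPF record (the TXT record starting with v=spf1), or None."""
    for txt in FAKE_DNS_TXT.get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate SPF for a connection from `sender_ip` whose envelope sender
    (Return-Path / MAIL FROM) is in `domain`.

    Returns one of the RFC 7208 result names: pass, fail, softfail,
    neutral, none, permerror. Only the ip4, ip6, include and all
    mechanisms are implemented; a, mx, exists and ptr are skipped.
    """
    if depth > 10:            # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "include":
            # include: matches only when the referenced policy yields "pass"
            if check_spf(sender_ip, argument, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        # other mechanisms and modifiers (redirect=, exp=) fall through here

    return "neutral"          # nothing matched and no explicit "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, check_spf(ip, "example.com"))
```

The `-all` at the end of the `example.com` record is what turns an unlisted sender into `fail`; a record ending in `~all` (as the included one does) only yields `softfail`, which most receivers treat as a hint rather than a rejection.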



DKIM – Domain Keys Identified Mail
◼ Verifies whether the email originated from an authorized system and prevents spammers from stealing the identity of legitimate entities.
◼ Mechanism used:
◼ For every sending server a public/private key pair (or a set of pairs) is generated.
◼ The private key is stored on the sender's server and is used to create the DKIM-Signature header of every outgoing mail.
◼ The public key is added to the domain's DNS zone file as a special TXT record by the domain owner and so becomes accessible to everyone.
◼ The email, carrying its DKIM signature, is sent to the recipient.
◼ The recipient verifies the signature using the public key retrieved from DNS.
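The body-hash half of that mechanism, as an added example (not code from the slides or from any mail server): the sender canonicalizes the body, puts its SHA-256 digest in the `bh=` tag, and the receiver recomputes it to detect tampering; the receiver also derives the DNS name `<selector>._domainkey.<domain>` from the `s=` and `d=` tags to fetch the public key. The sample message and the `sel1` selector are constructed. The `b=` tag (the RSA signature over the selected headers) is left empty because the standard library has no RSA.

```python
import base64
import hashlib
import re

# Constructed sample message, not from the slides or any real mail system.
SAMPLE_BODY = "Hi Alice,\r\n\r\nPlease find  the contract attached.\r\n\r\n\r\n"


def canonicalize_body(body, mode="simple"):
    """DKIM body canonicalization (RFC 6376 section 3.4).

    simple:  strip trailing empty lines, end with a single CRLF.
    relaxed: additionally strip trailing whitespace on each line and
             collapse runs of spaces/tabs to a single space.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(canonical_body):
    """The bh= tag: base64(SHA-256) over the canonicalized body."""
    digest = hashlib.sha256(canonical_body.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_dkim_header(body, domain, selector, signed_headers, mode="relaxed"):
    """Assemble the DKIM-Signature tags that the sender's server generates.

    The b= tag is the RSA signature (made with the private key kept on the
    sending server) over the canonicalized headers listed in h= plus this
    header itself with b= empty. It is left empty here (no RSA in the
    standard library); the body hash part of the scheme is shown in full.
    """
    bh = body_hash(canonicalize_body(body, mode))
    return (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
            f"h={':'.join(signed_headers)}; bh={bh}; b=")


def parse_tags(header_value):
    """Parse a tag=value list: a DKIM-Signature header or the DNS key
    record (v=DKIM1; k=rsa; p=<base64 public key>)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags):
    """DNS name the receiver queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value, body):
    """Receiver-side check that the body was not altered after signing."""
    tags = parse_tags(header_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(canonicalize_body(body, body_mode)) == tags.get("bh")


if __name__ == "__main__":
    header = build_dkim_header(SAMPLE_BODY, "example.com", "sel1", ["from", "to", "subject"])
    print(header)
    print("key record:", key_record_name(parse_tags(header)))
    print("body intact:", verify_body_hash(header, SAMPLE_BODY))
    print("body tampered:", verify_body_hash(header, SAMPLE_BODY.replace("Alice", "Mallory")))
```

A failed body hash is reported as a DKIM `fail` regardless of whether the header signature would have verified, which is why even a one-character change to the message body breaks the signature.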



DMARC
◼ DMARC (Domain-based Message Authentication, Reporting & Conformance) is a relatively new standard designed to address the shortcoming of SPF noted above: SPF checks the Return-Path domain, not the From domain the user sees.
◼ It takes a step further and gives the domain owner full control to set a policy to reject or quarantine emails from sources you do not know or trust, all based on the results of DKIM and SPF.
◼ A record with a reject policy applied to 100% of mail rejects every email that passes neither DKIM nor SPF.
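The DMARC decision, as an added example (not from the slides): a message passes only when SPF or DKIM passes and the domain that passed is aligned with the From: domain; otherwise the `p=` policy applies. The record, the domains and the two scenarios (the spoofed "John" from the earlier slide, and a legitimate bulk mailer that DKIM-signs with `d=example.com`) are constructed; the organizational-domain rule is simplified to the last two labels.

```python
# Constructed DMARC record, as it would be published at _dmarc.example.com.
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match; relaxed (r)
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return "pass" when SPF or DKIM passes *and* is aligned with the From:
    domain, otherwise the policy from the record (none/quarantine/reject).

    spf_domain  = envelope sender (Return-Path) domain that SPF was checked on
    dkim_domain = d= tag of a DKIM signature that verified, or None
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "none"          # no usable policy: the receiver applies no disposition
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # pct= (default 100) samples which failing messages get the policy; not modelled here
    return tags["p"]


if __name__ == "__main__":
    # Spoofed "John": the spammer's own domain passes SPF but is not aligned, and there is no DKIM
    print(dmarc_evaluate(EXAMPLE_DMARC, "example.com", "pass", "spammer.example", "none", None))
    # Legitimate mail through a bulk mailer whose DKIM signature carries d=example.com
    print(dmarc_evaluate(EXAMPLE_DMARC, "example.com", "fail", "mailer.example", "pass", "example.com"))
```

The first call returns `reject` and the second `pass`, which is the whole point of alignment: a spammer can make SPF pass for a domain they control, but that does not help them once the policy is tied to the From: domain.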



Spoofing Email
◼ Identities can be created in mail clients.
◼ Example: Thunderbird identities.
◼ In order to fake (spoof) an email, you first need an SMTP (Simple Mail Transfer Protocol) server that you can use to send the email from.



Spam and Spam Control
◼ Spam is a type of electronic "junk mail": unsolicited e-mail attempting to sell commodities or services.

◼ How do you get spam even though you haven't submitted your e-mail address to any advertising company?
◼ E-mail addresses are easy to obtain:
◼ From compromised websites and social networking services
◼ Sold by marketing companies
◼ Harvested from people's address books by malware
◼ Spam is difficult to trace back to the original sender.

◼ Every year, more than 72 trillion spam e-mails are sent worldwide, and the number continues to grow.



Exercise 03:
◼ What are the known problems with spam?
◼ It wastes bandwidth and server resources, both for the ISP from which the spam is sent and for the ISPs whose mail servers receive it.
◼ It wastes users' time reading and deleting it.
◼ Most spam source addresses are forged and may use the e-mail address of a legitimate user to spoof the origin. In this case, the spoofed user's inbox receives all the bounced e-mail, as well as replies from other users (who may not be very polite).
◼ It can be dangerous, either carrying malware or tricking the user into sending money somewhere.

◼ Where does spam come from?

◼ Spam is the cheapest way to advertise a product, as it costs only $120 (more or less) for a list of 30 million e-mail addresses.
◼ Even though most people ignore spam, a tiny percentage actually send their money to the spammer.
◼ With millions of attempts, this adds up to real money.



Open Relay
◼ Open relays
◼ Mail servers that are configured to accept relay requests from anyone.
◼ They allow anyone on the Internet to send e-mail to all domains anywhere without traceability.
◼ They arise from misconfigured or default server settings, or from hacked computers on which mail server software has been installed.
◼ To prevent open relay:
◼ Make sure the mail server software is up to date.
◼ Set up a rule that limits outside users so they can send e-mail only to users on your domain.



Open Proxies
◼ To disguise their identities, spammers use open proxies.
◼ Open proxies allow Internet users to relay data through them, showing the destination host the IP address of the proxy.
◼ The spammers load their spamming software with a list of open proxies on the Internet, then cycle through the list and use the proxies as relays for the e-mail connections that send the spam.
◼ The recipient sees only the proxy's IP address and has no way of knowing the spammer's original IP address; in fact, there is no indication that the proxy wasn't the real source.
◼ Why do these proxies exist? Here are some reasons:
◼ People run proxies to acquire e-mail addresses for creating a mailing list of their own.
◼ Governments want to monitor people who try to "anonymize" and guard their privacy.
◼ Companies want an early warning system for spam, so they add the proxies to their list before the competition.
◼ Compromised computers run as spam zombies.



How ISPs Fight Spam
◼ ISPs contract anti-spam filtering out to a company that manages a real-time black list (RBL).
◼ The spam-fighting company maintains a real-time list of open proxies, open relays, and spammer IPs.
◼ Every connection coming from one of these IPs is treated as spam and is rejected.
◼ ISPs may also use spam-blocking methods that rely on the following criteria:
◼ Repetitive source IP addresses
◼ Source IPs with no MX record
◼ DNS records associated with personal Internet services
◼ Body text containing common spam keywords
◼ Recurring body text content
◼ Recurring subject lines
◼ Recurring source addresses
◼ More than one user per message
◼ Invalid message structure
◼ Blacklists and whitelists



How ISPs Fight Spam
◼ Reputation-based score of the sending system, based on an Internet-based reputation database.
◼ Mail servers have a couple of ways to reject a spam session if it is identified in a lookup before or during the session:
◼ If the spam is identified by the IP address of the sending server, the mail server can refuse to answer or respond with error code 553 or 554 after the spammer sends the HELO command.
◼ The mail server can allow the spammer to complete the session, giving the spammer the appearance that the mail was sent successfully, when actually it was discarded.
◼ Because they have only partial success in blocking spam, these solutions are not magic bullets. They do block spam, but they can also block legitimate e-mail. Fine-tuning a spam filtering system to avoid false positives while allowing legitimate e-mail delivery is not easy.
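The RBL lookup from the previous slide and the two rejection styles above, as an added example (not from the slides or any real MTA): the client's IPv4 address is reversed octet by octet under the list's zone and looked up as an A record; an answer in 127.0.0.0/8 means "listed", with the low bits carrying the list operator's reason code. The server-side session then either answers 554 to HELO/EHLO or accepts the message and discards it. The zone `dnsbl.example`, its answers, the reason codes and the client script are all constructed.

```python
import ipaddress

# Constructed stand-in for a DNSBL operator's zone; no real listings.
DNSBL_ZONE = "dnsbl.example"
FAKE_DNSBL_ANSWERS = {
    "7.113.0.203.dnsbl.example": "127.0.0.2",     # known spam source
    "10.100.51.198.dnsbl.example": "127.0.0.3",   # open proxy or relay
}
# Reason codes are defined by each list operator; these two are illustrative.
LISTING_REASON = {"127.0.0.2": "spam source", "127.0.0.3": "open proxy or relay"}

# Constructed client script: one message, then QUIT.
CLIENT_SCRIPT = ["EHLO client.example", "MAIL FROM:<a@client.example>",
                 "RCPT TO:<b@example.com>", "DATA", "Subject: hi", "", "body", ".", "QUIT"]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name a DNSBL is queried for: reversed octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip):
    """Return the listing code (an address in 127.0.0.0/8) or None if not listed."""
    return FAKE_DNSBL_ANSWERS.get(dnsbl_query_name(ip))


class SmtpSession:
    """Server side of an SMTP session with DNSBL-based handling of the peer.

    mode="reject":    answer 554 to HELO/EHLO so a listed client never gets to send
    mode="blackhole": run the session normally, accept the message, discard it silently
    """

    def __init__(self, peer_ip, mode="reject"):
        self.peer_ip = peer_ip
        self.mode = mode
        self.listing = dnsbl_lookup(peer_ip)
        self.in_data = False
        self.queued = 0
        self.discarded = 0

    def handle(self, line):
        """Return the server reply for one client line (None inside message content)."""
        if self.in_data:
            if line != ".":
                return None                  # message content, no reply
            self.in_data = False
            if self.listing and self.mode == "blackhole":
                self.discarded += 1          # sender sees success, mail is dropped
            else:
                self.queued += 1
            return "250 2.0.0 Ok: queued"
        verb = line.split(maxsplit=1)[0].upper() if line.strip() else ""
        if verb in ("HELO", "EHLO"):
            if self.listing and self.mode == "reject":
                reason = LISTING_REASON.get(self.listing, "listed")
                return f"554 5.7.1 Service unavailable; {self.peer_ip} is listed ({reason})"
            return "250 mx.example.com"
        if verb in ("MAIL", "RCPT"):
            return "250 2.1.0 Ok"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not recognized"


def run_session(peer_ip, mode="reject"):
    """Drive the fixed client script through a session; returns (replies, session)."""
    session = SmtpSession(peer_ip, mode)
    replies = []
    for line in CLIENT_SCRIPT:
        reply = session.handle(line)
        if reply is None:
            continue
        replies.append(reply)
        if reply.startswith("5"):            # client gives up after a permanent error
            replies.append(session.handle("QUIT"))
            break
    return replies, session


if __name__ == "__main__":
    for ip, mode in (("203.0.113.7", "reject"), ("203.0.113.7", "blackhole"), ("192.0.2.1", "reject")):
        replies, s = run_session(ip, mode)
        print(ip, mode, replies[0], "queued", s.queued, "discarded", s.discarded)
```

Rejecting at HELO is the cheaper option (no bandwidth spent on the message body) and gives the sender an honest error, which matters when the listing is a false positive; the blackhole option keeps a spammer from learning that its source is blocked, at the cost of silently losing any legitimate mail from a wrongly listed host.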



Exercise 04:
◼ When you receive a spam message, what steps are you going to take?
◼ You can reply to the sender with a request to be removed from their list, or
with an insult; however, this is not a good idea because it will confirm to
the spammer that your e-mail address is a valid one with a real person
behind it, and your address will consequently go from the “spam” list to the
“confirmed working” list.
◼ Some spammers try to lure innocent users into responding by adding an
option to be removed from their “mailing list”, which results in the e-mail
address being shifted into the “confirmed working” list and receiving even
more spam.
◼ How can an organization shield its users from this plague?
◼ Options are to use built-in junk mail filtering capabilities of the mail client
and server, spam-blocking software that resides on the mail server, spam-
blocking appliances on the network that act as mail relays, or an Internet
SaaS-based spam blocking service that replaces your MX records and blocks
spam.



Steps to be Taken to Avoid Spams
◼ Make sure your organization's mail servers aren't "open relays."
◼ Educate users on how to handle spam.
◼ Complain to an online spam-combating service.
◼ Report the spammer's IP address to the ISP that owns that address. Even if the address is a proxy or zombie, if the ISP cuts it off, the number of resources available to all spammers is reduced.
◼ Complain to the ISP that hosts any links listed in the spam e-mail.
◼ When you contact the ISP, the ISP should shut down the spammer's account and add it to a black list.
◼ For the spammer this results in lost time and maybe the loss of potential clients who might otherwise have been lured into the spammer's web.



Active Network Threats: Botnet



Passive Network Threats



Email DLP



[email protected]
