
ISQS 6342






Presentation Transcript


  1. ISQS 6342 Email server attacks Presented by Deven Patel

  2. Common types of email abuse • Eavesdropping • Mail-bombing • Impersonating someone else • Propagating viruses • Sending Hoaxes or Chain letters • Hijacking email server

  3. Email agents • Message Transfer Agent (MTA) • Message Delivery Agent (MDA)

  4. MTAs • Simple Mail Transfer Protocol (SMTP) • Unix to Unix Copy Program (UUCP)

  5. SMTP • Sendmail • Postfix • Qmail • Exim

  6. Email Architecture: SMTP Gateways and DMZ Networks • [Network diagram, only its labels survive: Internet, Router, Firewall, DMZ net (SMTP Gateway, Public FTP, Public Web Server), Switch, Internal net (End user workstations, SMTP and other internal servers)]

  7. SMTP attacks • Buffer Overflow attacks • http://www.cert.org/advisories/CA-1997-05.html • Relaying • Unsolicited Commercial Email • http://www.cert.org/incident_notes/IN-2001-02.html • Leaking User and System information to prospective intruders • ftp://ftp.isi.edu/in-notes/rfc2821.txt • VRFY & EXPN

  8. Unsolicited Commercial Email (UCE) impacts: • Network availability • Server performance • Bandwidth optimization

  9. Remedies • Blacklist • http://mail-abuse.org/rbl • SpamAssassin • http://www.spamassassin.org

  10. Some SMTP troubleshooting commands • HELO • MAIL FROM • RCPT TO • DATA • Subject • QUIT
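To make the command sequence on this slide concrete, and to show the server side of two points from the "SMTP attacks" slide (VRFY/EXPN information leakage and relaying), here is an added example; it is not part of the presentation and not sendmail's code. It is a toy in-process SMTP server that answers a scripted client: it refuses to confirm names via VRFY/EXPN (the effect of sendmail's PrivacyOptions novrfy/noexpn) and rejects RCPT TO for any domain not in its local-domain set, which plays the role of /etc/mail/local-host-names. All host names, addresses, the class and function names, and the client script are constructed for the example.

```python
# Added example, not from the presentation or from sendmail: an in-process toy
# SMTP server that answers the commands on the slide and applies two defences
# named on the "SMTP attacks" slide (no VRFY/EXPN answers, no open relaying).
# All host names, addresses and the client script below are constructed.

# Stand-in for /etc/mail/local-host-names: domains we deliver locally.
LOCAL_HOST_NAMES = {"example.org", "mail.example.org"}


def _addr(arg):
    """Pull the address out of 'FROM:<a@b>', 'TO:<a@b>' or a bare 'a@b'."""
    _, sep, rest = arg.partition(":")
    return (rest if sep else arg).strip().strip("<>")


class ToySmtpServer:
    """One SMTP session as a small state machine; handle() returns the reply."""

    def __init__(self, local_domains):
        self.local_domains = {d.lower() for d in local_domains}
        self.helo = None
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []  # (sender, recipients, body) accepted for delivery

    def handle(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 mail.example.org Hello {arg}"
        if verb == "VRFY":
            # Like sendmail's PrivacyOptions=novrfy: never confirm account names.
            return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
        if verb == "EXPN":
            # Like PrivacyOptions=noexpn: never expand aliases or lists.
            return "502 5.7.0 Sorry, we do not allow this operation"
        if verb == "QUIT":
            return "221 2.0.0 mail.example.org closing connection"
        if self.helo is None:
            return "503 5.5.1 Polite people say HELO first"
        if verb == "MAIL":
            self.sender, self.recipients = _addr(arg), []
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command first"
            rcpt = _addr(arg)
            if rcpt.rpartition("@")[2].lower() not in self.local_domains:
                # Anti-relay rule: an unauthenticated client may only send to
                # local domains; anything else would make us an open relay.
                return "550 5.7.1 Relaying denied"
            self.recipients.append(rcpt)
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        return "500 5.5.1 Command unrecognized"

    def _data_line(self, line):
        if line == ".":
            self.in_data = False
            self.delivered.append((self.sender, self.recipients, "\n".join(self.body)))
            self.sender, self.recipients, self.body = None, [], []
            return "250 2.0.0 Message accepted for delivery"
        # Dot-stuffing: a line starting with ".." carries a literal leading ".".
        self.body.append(line[1:] if line.startswith("..") else line)
        return None  # no reply while the message body is being received


def run_session(server, client_lines):
    """Feed a scripted client to the server and return the replies in order."""
    replies = []
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


# Constructed client script exercising the slide's commands plus VRFY.
SAMPLE_SESSION = [
    "HELO client.example.net",
    "VRFY root",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",      # local domain: accepted
    "RCPT TO:<carol@other.example>",  # not local: relaying denied
    "DATA",
    "Subject: test",
    "",
    "hello",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    srv = ToySmtpServer(LOCAL_HOST_NAMES)
    for reply in run_session(srv, SAMPLE_SESSION):
        print(reply)
```

Running the script prints one server reply per command; the second RCPT TO gets "550 5.7.1 Relaying denied" while the first is accepted, and the VRFY gets a non-committal 252 rather than confirming that "root" exists. The same dialogue is what you see when you type these commands into a real server with a telnet client, which is why the slide's list doubles as a troubleshooting checklist.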

  11. Sendmail Pros • Huge user community; as a result, it's easy to find both free and commercial support for it, not to mention a wealth of electronic and print publications.

  12. Sendmail Cons • Layers of old code, resulting in a reputation of being insecure and bloated. • Monolithic, i.e. a vulnerability in one portion of its functionality results in the compromise of the entire application. • Complex application.

  13. Two modes of Operation • Invoked on the fly • Persistent Background Daemon

  14. Configuring Sendmail • Enable needed features and tweak settings in sendmail.mc • Set up domain name masquerading, if needed, in sendmail.mc • Run m4 to generate sendmail.cf from sendmail.mc • Configure delivery rules by editing the mailertable. • Configure relaying rules by editing access. • Configure multiple-domain handling rules by editing virtusers. • Define local user-aliases in aliases. • Convert mailertable, access, virtusers, and aliases to databases. • Define all valid hostnames of the local system in the file local-host-names. • (Re-)start sendmail.

  15. Excerpt from an /etc/mail/sendmail.mc file

  16. Excerpt from an /etc/mail/sendmail.mc file (cont'd)

  17. Feature directives

  18. Feature directives • FEATURE(`access_db', `hash|dbm|btree [-o] /path/access.db')dnl • This is a modularizing feature which creates an access database, providing a convenient way to maintain a list of both allowed and explicitly denied relaying hosts and domains.

  19. FEATURE(`dnsbl', `blackhole.list.provider')dnl • Use a special DNS look-up to check all senders' hostnames against a “black hole list” of known sources of UCE. If omitted, blackhole.list.provider defaults to blackholes.mail-abuse.org. This is a subscription-based service: mail-abuse.org charges a yearly fee for non-personal use. http://mail-abuse.org/rbl
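The access_db and dnsbl features on these two slides are both decisions sendmail makes per connection and per recipient. As an added example (mine, not the presentation's and not sendmail's own lookup code), the block below models them in a simplified form: the access map is walked from the most specific key to the least specific (full address, then domain suffixes; full IP, then shorter prefixes), tagged Connect:/From:/To: keys are tried before untagged ones, and the DNSBL query is built by reversing the client's IPv4 octets and appending the list's zone. The access-file contents, the local-domain set, the resolver stub and all function names are constructed; real sendmail supports more tags and return values than shown here.

```python
# Added example, not from the presentation or from sendmail: a simplified model
# of the checks enabled by FEATURE(`access_db') and FEATURE(`dnsbl').  The
# access-file text and the DNS "resolver" are constructed so it runs offline.
import ipaddress

# Constructed /etc/mail/access contents ("key<TAB>value"), as written before
# makemap turns it into access.db.
ACCESS_TEXT = """\
Connect:192.0.2\tRELAY
Connect:203.0.113.7\tREJECT
From:spammer@example.net\tDISCARD
bulkmail.example\tREJECT
To:partner.example\tRELAY
"""

LOCAL_HOST_NAMES = {"example.org"}  # stand-in for /etc/mail/local-host-names


def parse_access(text):
    """Parse access-file lines into a dict; keys are matched case-insensitively."""
    access = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("\t")
        access[key.strip().lower()] = value.strip().upper()
    return access


def _candidates(value):
    """Keys to try for one value, most specific first (sendmail's suffix walk)."""
    value = value.lower()
    if "@" in value:
        user, _, domain = value.rpartition("@")
        return [value] + _candidates(domain) + [user + "@"]
    try:
        ipaddress.IPv4Address(value)
        parts = value.split(".")  # 192.0.2.10 -> 192.0.2 -> 192.0 -> 192
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    except ValueError:
        labels = value.split(".")  # a.b.example -> b.example -> example
        return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(access, tag, value):
    """Return the access-map verdict for value: tagged key first, then untagged."""
    for cand in _candidates(value):
        for key in (f"{tag.lower()}:{cand}", cand):
            if key in access:
                return access[key]
    return None


def decide(access, client_ip, sender, recipient, local_domains):
    """Model the RCPT-time decision; returns the SMTP reply the client would see."""
    relay_ok = False
    for tag, value in (("Connect", client_ip), ("From", sender), ("To", recipient)):
        verdict = lookup(access, tag, value)
        if verdict == "REJECT":
            return "550 5.7.1 Access denied"
        if verdict == "DISCARD":
            # Accepted on the wire but never delivered.
            return "250 2.1.5 Recipient ok (discarded silently)"
        if verdict == "RELAY":
            relay_ok = True
    rcpt_domain = recipient.rpartition("@")[2].lower()
    if relay_ok or rcpt_domain in {d.lower() for d in local_domains}:
        return "250 2.1.5 Recipient ok"
    return "550 5.7.1 Relaying denied"


def dnsbl_query_name(client_ip, zone="blackholes.mail-abuse.org"):
    """DNSBL lookup name: IPv4 octets reversed, then the list's zone appended."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, zone, resolve):
    """resolve(name) -> A record string or None; any 127.0.0.x answer means listed."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    return answer is not None and answer.startswith("127.0.0.")


# Constructed stand-in for DNS: exactly one client address is on the list.
FAKE_DNS = {"7.113.0.203.blackholes.mail-abuse.org": "127.0.0.2"}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    acc = parse_access(ACCESS_TEXT)
    print(decide(acc, "192.0.2.10", "a@example.net", "b@other.example", LOCAL_HOST_NAMES))
    print(decide(acc, "198.51.100.5", "a@example.net", "b@other.example", LOCAL_HOST_NAMES))
    print(dnsbl_query_name("203.0.113.7"), is_listed("203.0.113.7", "blackholes.mail-abuse.org", fake_resolve))
```

The resolver is passed in as a function so the DNSBL logic can be exercised without network access; in production the same query name goes to a real resolver, and the meaning of the 127.0.0.x answer codes is defined by whichever list you subscribe to.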

  20. FEATURE(`blacklist_recipients')dnl • Check recipient addresses of incoming mail against the access database to block mail to selected usernames.

  21. FEATURE(`use_cw_file')dnl • This feature causes sendmail to use the file /etc/mail/local-host-names to determine valid local names, i.e. names that, if used to the right of the “@” in an email address, will cause that mail to be delivered locally. This is part of Sendmail’s anti-SPAM-relaying functionality.

  22. Sendmail and SMTP AUTH • SMTP AUTH is a badly needed extension to the SMTP protocol: it describes a flexible authentication mechanism that can be used to authenticate relaying. SMTP AUTH allows a password shared by two hosts (or stored by one host for its local users) to be used to validate email senders. • ftp://ftp.isi.edu/in-notes/rfc2554.txt

  23. Sendmail and STARTTLS • Beginning with version 8.11, sendmail supports the Extended SMTP command STARTTLS. When this command is issued at the beginning of an ESMTP session, it initiates an encrypted TLS tunnel that protects the rest of the session from eavesdropping. • ftp://ftp.isi.edu/in-notes/rfc2487.txt
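The two slides above describe SMTP AUTH and STARTTLS separately, but in practice they belong together: AUTH PLAIN carries the username and password as nothing more than base64, so it must only be offered inside the TLS tunnel. The following added example (mine, not the presentation's and not sendmail's code) models that ordering: the EHLO capability list advertises STARTTLS on a cleartext session and AUTH PLAIN only once TLS is up, an AUTH attempt on a cleartext session gets the 538 refusal (comparable to setting the 'p' flag in sendmail's AuthOptions), and the token encoder/decoder shows what an eavesdropper would recover if the tunnel were missing. The user database, host names, credentials and function names are constructed; the TLS handshake itself is represented by a flag.

```python
# Added example, not from the presentation or from sendmail: a toy model of an
# ESMTP server that gates AUTH PLAIN behind STARTTLS, plus the AUTH PLAIN
# token format (RFC 4616).  Credentials and host names are constructed.
import base64
import hmac

# Constructed user database.  A real server stores hashes or delegates to SASL;
# plaintext here only keeps the example self-contained.
USERS = {"alice": "correct horse battery staple"}


def ehlo_reply(tls_active):
    """EHLO response lines: AUTH is advertised only once TLS is active."""
    caps = ["250-mail.example.org", "250-SIZE 10485760"]
    caps.append("250-AUTH PLAIN" if tls_active else "250-STARTTLS")
    caps.append("250 HELP")
    return caps


def auth_plain_token(username, password, authzid=""):
    """Client side: base64(authzid NUL authcid NUL password); no encryption at all."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Server side (or a sniffer's side): recover (authzid, username, password)."""
    parts = base64.b64decode(token, validate=True).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return tuple(parts)


def handle_auth(tls_active, token):
    """Server reply to 'AUTH PLAIN <token>'."""
    if not tls_active:
        # Refuse plaintext mechanisms on an unencrypted session, comparable to
        # sendmail's AuthOptions 'p' flag.
        return "538 5.7.11 Encryption required for requested authentication mechanism"
    try:
        _, user, password = decode_auth_plain(token)
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return "501 5.5.2 Cannot decode AUTH parameter"
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "235 2.7.0 Authentication successful"
    return "535 5.7.8 Authentication credentials invalid"


def client_exchange():
    """Scripted client: EHLO, STARTTLS when offered, EHLO again inside TLS, AUTH."""
    transcript = []
    tls = False
    reply = ehlo_reply(tls)
    transcript += ["C: EHLO client.example.net"] + ["S: " + line for line in reply]
    if "250-STARTTLS" in reply:
        transcript += ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS"]
        tls = True  # the TLS handshake happens here in a real session
        reply = ehlo_reply(tls)  # capabilities must be re-learned after STARTTLS
        transcript += ["C: EHLO client.example.net"] + ["S: " + line for line in reply]
    if "250-AUTH PLAIN" in reply:
        token = auth_plain_token("alice", USERS["alice"])
        transcript += ["C: AUTH PLAIN " + token, "S: " + handle_auth(tls, token)]
    else:
        transcript.append("C: QUIT")  # a careful client sends no credentials in the clear
    return transcript


if __name__ == "__main__":
    print("\n".join(client_exchange()))
    token = auth_plain_token("alice", USERS["alice"])
    print("token on the wire:", token)
    print("what a sniffer decodes:", decode_auth_plain(token))
```

Note that the client issues EHLO a second time after STARTTLS: RFC 2487 requires the capabilities to be discarded and re-learned once the tunnel is up, and that is exactly when AUTH PLAIN first appears in the list.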

  24. Sendmail and STARTTLS • TLS and SSL use X.509 digital certificates, a type of public-key cryptography in which one’s public key is formatted to include a certain amount of identification information (besides just the key ID and the public key itself), including the digital signature of a “Certificate Authority” (CA) that vouches for the authenticity of the certificate. • http://www.rsasecurity.com/rsalabs/faq

  25. Postfix • Postfix is simpler in design, more modular, and easier to configure and administer. • Postfix is designed with scalability, reliability, and security as fundamental requirements. • Postfix consists of a suite of Daemons and helper applications, whereas sendmail is essentially monolithic.

  26. Postfix • Postfix separates functions across different processes, which is a big factor in Postfix’s speed and stability. • Postfix also handles mail intelligently by processing it in four different queues rather than the single big queue that sendmail uses.

  27. Postfix’s four different queues • Maildrop queue • Incoming queue • Active queue • Deferred queue

  28. References • http://www.cert.org/incident_notes/IN-2001-02.html • http://www.cert.org/advisories/CA-1997-05.html • ftp://ftp.isi.edu/in-notes/rfc2821.txt • http://mail-abuse.org/rbl • http://www.spamassassin.org • ftp://ftp.isi.edu/in-notes/rfc2554.txt • ftp://ftp.isi.edu/in-notes/rfc2487.txt • http://www.rsasecurity.com/rsalabs/faq • Bauer, Michael D. (2002). Building Secure Servers with Linux. O’Reilly, CA
