
Registry of Public Email Senders ™ –A Secure DNS Database

Dr. David MacQuigg, President Open-mail.org. University of Arizona ECE 596c – Cyber Security, November 2006.

Presentation Transcript


  1. Dr. David MacQuigg, President Open-mail.org Registry of Public Email Senders™–A Secure DNS Database University of Arizona ECE 596c – Cyber Security November 2006

  2. Who is a Public Email Sender?
     • A domain-name owner
     • Authorizing an Internet Transmitter
     • To send email to unrelated Receivers
     What does the Registry Provide?
     • Authentication Data – Does the sender authorize this transmitter?
     • Reputation Data – How likely are messages authorized by this sender to be spam?
     • A simple, effective whitelisting method that works well with existing anti-spam methods
     • The first non-proprietary database of Public Email Senders
     Typical Registry Record
     amazon.com.s-id.net. 86400 IN TXT "opt=df:5 svc=X1:B ip4=207.171.160.0/19,87.238.80.24/29,87.238.84.24/29"
     Other Authentication/Reputation Systems
     • Senderbase™, Bonded Sender™, Gossip™, many others
     • Many private systems operated by large ISPs for their own recipients, or by “spam appliance” companies for their own customers
     [Diagram: User – Agent – Registry – Agent – User, with T and R, and a Trust Boundary separating the users' agents from the Registry. DNS Database: Fast, Efficient, Secure?]
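What a Receiver does with the record above, written out as an added example (not the Registry's or open-mail.org's code): parse the TXT body into fields, then ask whether the connecting transmitter's IP falls inside one of the published ip4 prefixes. The record text is the slide's sample for amazon.com.s-id.net; the slide does not define the opt= and svc= fields, so they are kept as opaque strings. The registry zone name s-id.net is taken from the slide, the dnspython lookup is an assumption about how one would fetch the record, and the breadth check is an added caveat: a record whose prefix is very short authorizes far more of the Internet than any real sender owns.

```python
"""Parse a Registry TXT record and decide whether a transmitter is authorized.

Added example, not code from the Registry project.  The record text is the
sample from the slide (amazon.com.s-id.net); opt= and svc= are kept opaque
because the slide does not define them.
"""
import ipaddress

# Constructed input: the TXT record body shown on the slide.
SAMPLE_RECORD = ("opt=df:5 svc=X1:B "
                 "ip4=207.171.160.0/19,87.238.80.24/29,87.238.84.24/29")


def parse_record(txt):
    """Split a space-separated key=value record into a dict.

    ip4= and ip6= lists become ip_network objects.  Malformed tokens raise
    ValueError instead of being skipped: a parser that quietly drops what it
    cannot read turns a typo in the zone into an unintended authorization.
    strict=True also rejects prefixes with host bits set (e.g. x.y.z.1/19).
    """
    fields = {}
    for token in txt.split():
        if "=" not in token:
            raise ValueError("malformed token: %r" % token)
        key, value = token.split("=", 1)
        if key in ("ip4", "ip6"):
            want = 4 if key == "ip4" else 6
            nets = []
            for cidr in value.split(","):
                net = ipaddress.ip_network(cidr, strict=True)
                if net.version != want:
                    raise ValueError("%s= holds an IPv%d prefix: %s"
                                     % (key, net.version, cidr))
                nets.append(net)
            fields[key] = nets
        else:
            fields[key] = value
    return fields


def transmitter_authorized(record, ip):
    """True if the transmitter address lies in one of the record's prefixes."""
    addr = ipaddress.ip_address(ip)
    key = "ip4" if addr.version == 4 else "ip6"
    return any(addr in net for net in record.get(key, []))


def broadest_prefix(record):
    """Shortest prefix length in the record, or None if it lists no addresses.

    A sender that publishes 0.0.0.0/0 has authorized the whole Internet; a
    receiver may prefer to treat very short prefixes as "no data".
    """
    nets = record.get("ip4", []) + record.get("ip6", [])
    return min((n.prefixlen for n in nets), default=None)


def registry_name(sender_domain, registry_zone="s-id.net"):
    """Name to query: the sender's domain prefixed to the registry zone."""
    return "%s.%s." % (sender_domain.rstrip(".").lower(), registry_zone)


def fetch_record(sender_domain, registry_zone="s-id.net"):
    """Fetch the TXT record over DNS (assumed lookup; needs dnspython and network)."""
    import dns.resolver  # imported here so the rest of the file runs without it
    answer = dns.resolver.resolve(registry_name(sender_domain, registry_zone), "TXT")
    rr = next(iter(answer))
    # One TXT rdata may be split into several quoted strings; join them.
    return b"".join(rr.strings).decode()


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    for ip in ("207.171.175.1", "207.171.192.1", "87.238.80.30"):
        print(ip, transmitter_authorized(rec, ip))
    print("broadest prefix: /%s" % broadest_prefix(rec))
```

The lookup name follows the slide's record owner (amazon.com.s-id.net.), and the authorization decision is a plain prefix-membership test; the reputation fields are left untouched because their encoding is not described here.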

  3. Registry DNS Architecture & Security Threats

  4. Testing the Registry
     Dynamic Update from Admin
     [root@open-mail dave]# python dnsupdate.py 48
     Outgoing update query:
     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
     ;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
     ;; UPDATE SECTION:
     test1.s-id.net. 0 ANY ANY
     test1.s-id.net. 1800 IN TXT "Test_Record_48"
     ... a few seconds later on one of our public servers
     [macquigg@box61 ~]$ dig @ns1.rimuhosting.com txt test1.s-id.net +short
     "Test_Record_48"

  5. Pieces of Python
     # dnsupdate.py  DMQ 11/4/06
     from popen2 import popen2   # Python 2 module; the slide's code predates Python 3
     ...
     # Start an nsupdate client process & connect file pointers to its
     # input and output pipes.
     fi, fo = popen2('nsupdate')
     ...
     # Commands to nsupdate:
     header = '''\
     local 127.0.0.1 953
     server 207.210.221.26
     key updatedns 1M92TYO2dznMK0M2N/q62Q==
     zone %(ZONE)s
     ''' % VARS
     template = '''\
     update delete %(NAME)s.%(ZONE)s
     update add %(NAME)s.%(ZONE)s %(TTL)s %(TYPE)s %(VAL)s
     ''' % VARS
     trailer = '''\
     show
     send
     quit
     '''
     text = header + template + trailer
     ...

  6. Other Systems Facing Similar Threats
     • Root Servers
       • 13 IP addresses, IP anycast
       • TTL = 518400 (6 days)
     • IP Blacklists (Spamhaus, et al.)
       • 30 servers
       • One record per IP, TTL only a few hours
     • Attacker Motivations
       • Vandalism (script kiddies)
       • Profit (spammers)
       • Tort (anger, revenge, politics, …)
       • Denial of Service
       • Defamation

  7. Bibliography
     A short list of the most useful books and articles on the technology behind the Registry.
     • Pro DNS and BIND, Ron Aitchison, 2005. – Best book for learning DNS. Excellent examples. Thorough discussion of security.
     • DNS and BIND, 4th ed., Albitz & Liu, 2001. – The DNS “Bible”.
     • TCP/IP Illustrated, vol. I, The Protocols, W. Richard Stevens, 1994. – Very thorough, yet readable. Good illustrations.
     Project Links
     • https://www.open-mail.org – Current status of our Authentication and Reputation System
     • http://purl.net/macquigg/email – Articles and notes from early development.

  8. Precise Terminology
     Border MTA – Mail Transfer Agent at the border of an Administrative Domain. If we exclude Open Relays, which are banned by most Receivers, all MTAs, including the Forwarder above, can be associated with either the Sender or the Receiver, and the border is clearly defined.
     Administrative Domain – includes all MTAs that have some pre-arrangement to exchange email. An Administrative Domain may include servers using many different domain names. The two uses of “domain” are unrelated.
     Sender – poorly defined. Should mean the outgoing Border MTA, but can mean the original sending domain or even an author. Use only when the context is clear or precision doesn’t matter.
     Receiver – The incoming Border MTA, not including MTAs that are internal to the Receiver’s Administrative Domain. Authentication should always be done at the border.
     Forwarder – An MTA that relays mail from one MTA to another.
     Transmitter – MTA that is the source for the current “hop”, and whose IP address appears in the Source field of the IP packets. Can include Senders and Forwarders.
     Return Address – The address in the MAIL FROM command, used by the mail system for Delivery Status Notifications (DSNs).
     MUA, MSA, MDA – Other types of mail agents: Mail User Agent, Mail Submission Agent, Mail Delivery Agent.

  9. Identities in an Email Session
     $ telnet open-mail.org 25
     220 open-mail.org ESMTP Sendmail 8.13.1/8.13.1; Wed, 30 Aug 2006 07:36:42 -0400
     HELO mailout1.phrednet.com
     250 open-mail.org Hello ip068.subnet71.gci-net.com [216.183.71.68], pleased to meet you
     MAIL FROM:<macquigg@box67.com>
     250 2.1.0 <macquigg@box67.com>... Sender ok
     RCPT TO:<jman@box67.com>
     250 2.1.5 <jman@box67.com>... Recipient ok
     DATA
     354 Enter mail, end with "." on a line by itself
     From: Dave
     To: Test Recipient
     Subject: SPAM SPAM SPAM

     This is message 1 from our test script.
     .
     250 2.0.0 k7TKIBYb024731 Message accepted for delivery
     QUIT
     221 2.0.0 open-mail.org closing connection

     Identities marked on the slide: Network Owner (the IP address the connection arrives from); the RFC-2821 HELO name; the RFC-2821 envelope addresses – Return Address (MAIL FROM) and Recipient Addresses (RCPT TO); and the RFC-2822 header addresses – From Address and Reply-To Address.
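The session above carries several identities, and an authentication method only ever vouches for one of them. The extractor below is an added example (not code from the Border Patrol MTA or open-mail.org) that walks the slide's transcript and pulls each identity out: the transmitter's IP from the Sendmail-style "250 host Hello name [ip]" greeting (that greeting format is an assumption), the HELO name, the envelope addresses, and the From/Reply-To headers, stopping at the blank line so that a "From:" inside the body is never mistaken for a header. The SESSION text is the slide's exchange with its \r\n sequences written out as lines.

```python
"""Pull the identities out of an SMTP session transcript.

Added example, not code from the Border Patrol MTA or open-mail.org.  SESSION
is the telnet exchange shown on the slide; the extractor assumes Sendmail's
"250 host Hello name [ip]" greeting when reading the transmitter address.
"""
import re

# Constructed input: the slide's session, written out line by line.
SESSION = """\
220 open-mail.org ESMTP Sendmail 8.13.1/8.13.1; Wed, 30 Aug 2006 07:36:42 -0400
HELO mailout1.phrednet.com
250 open-mail.org Hello ip068.subnet71.gci-net.com [216.183.71.68], pleased to meet you
MAIL FROM:<macquigg@box67.com>
250 2.1.0 <macquigg@box67.com>... Sender ok
RCPT TO:<jman@box67.com>
250 2.1.5 <jman@box67.com>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: Dave
To: Test Recipient
Subject: SPAM SPAM SPAM

This is message 1 from our test script.
.
250 2.0.0 k7TKIBYb024731 Message accepted for delivery
QUIT
221 2.0.0 open-mail.org closing connection
"""

_ANGLE = re.compile(r"<([^>]*)>")
_GREETING_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def _path(arg):
    """Address inside <...> of a MAIL FROM / RCPT TO argument ('' for the null path <>)."""
    m = _ANGLE.search(arg)
    return m.group(1) if m else arg.strip()


def parse_session(text):
    """Return the identities named on the slide, keyed by where they come from."""
    ids = {
        "network_owner": None,    # IP the TCP connection came from
        "helo_name": None,        # RFC-2821 HELO/EHLO argument
        "return_address": None,   # RFC-2821 MAIL FROM (envelope)
        "recipients": [],         # RFC-2821 RCPT TO (envelope)
        "from_header": None,      # RFC-2822 From:
        "reply_to_header": None,  # RFC-2822 Reply-To:
    }
    in_headers = in_body = False
    last_key = None
    for line in text.splitlines():
        if in_body:
            if line == ".":           # end-of-data marker; back to the command dialogue
                in_body = False
            continue
        if in_headers:
            if line == "":            # blank line ends the header block
                in_headers, in_body = False, True
                continue
            if line[:1] in (" ", "\t") and last_key in ids:   # folded continuation
                ids[last_key] += " " + line.strip()
                continue
            name, _, value = line.partition(":")
            key = {"from": "from_header", "reply-to": "reply_to_header"}.get(name.strip().lower())
            if key:
                ids[key] = value.strip()
            last_key = key
            continue
        verb, _, arg = line.partition(" ")
        upper = verb.upper()
        if upper in ("HELO", "EHLO"):
            ids["helo_name"] = arg.strip()
        elif upper == "MAIL" and arg.upper().startswith("FROM:"):
            ids["return_address"] = _path(arg[5:])
        elif upper == "RCPT" and arg.upper().startswith("TO:"):
            ids["recipients"].append(_path(arg[3:]))
        elif upper == "250" and " Hello " in arg:
            m = _GREETING_IP.search(arg)
            if m:
                ids["network_owner"] = m.group(1)
        elif upper == "354":          # server accepted DATA; message headers follow
            in_headers = True
    return ids


def domain_of(address):
    """Domain part of an address, lower-cased; None for the null return path or a bare name."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


if __name__ == "__main__":
    for k, v in parse_session(SESSION).items():
        print("%-16s %s" % (k, v))
```

Of these, an IP-based check such as the Registry's compares network_owner with the prefixes published for the domain of the HELO name or of the return address; the From header is what the recipient sees and, absent a signature, the easiest one to forge. Here the three domains (phrednet.com, gci-net.com, box67.com) all differ, which is exactly why the slide asks which identity is being authenticated.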

  10. Border Patrol™ MTA

  11. Forgery is the Critical Factor in Email Abuse
     Crooks hide their IP addresses by using a forwarder.
     Signature-based Authentication (DKIM): Sender publishes a Public Key (in DNS). Messages are signed with the related Private Key. End-to-end protocol works independently of forwarders. Slow but secure.
     IP-based Authentication (SPF, SenderID, CSV): Sender provides a list of authorized transmitter addresses. Fast but requires a “chain of trust” with forwarders.
