How DKIM and DMARC can help prevent phishing
In early June, there was a spate of forged e-mails that claimed to come from SIDN. Several versions of an official-looking message were circulated with the aim of tricking people into disclosing valuable log-in details.
Some of the forgeries purported to come from a real-sounding SIDN e-mail address (e.g. firstname.lastname@example.org). Although the address on its own wouldn't be enough to fool a knowledgeable recipient, the plausible 'from' line will have increased the likelihood of readers taking the message's contents seriously. Clicking the link in the message took the reader to a spoof log-in page like the one on our website, where confidential information was requested. A familiar ruse, but one that's sure to induce discomfort when it's your own organisation whose name and logo are being abused. Various clues suggested that it wasn't the first time that the phisher had played the trick. It looked as if a 'fraud template' was being used, which had repeatedly been employed to harvest corporate and personal data. Naturally our CSIRT carried out a thorough investigation and the matter was reported to the police.
SMTP – an aging and non-secure protocol
The e-mail protocol (SMTP, RFC5321) is one of the older internet protocols and lacks built-in security. One of the shortcomings of SMTP is that falsifying a 'from' address is child's play. And, to an ordinary user, a falsified address looks just like a real one. Needless to say, therefore, spammers and phishers forge 'from' addresses all the time, as in this case. With an address ending '@sidn.nl' in the 'from' field, the forged e-mails looked more trustworthy.
What's the answer?
On its own, ordinary spam filtering isn't enough to ensure that all undesirable mail is promptly identified and flagged up to alert the user. Over the years, however, a number of solutions have been developed, which can help to minimise the problem of forged mail. They are the (proposed) internet standards DKIM (RFC6376), SPF (RFC7208) and DMARC (RFC7489).
ISPs are well advised to implement all those solutions in their mail environments (where possible, because it isn't easy in some cases). Fortunately, that is what many ISPs already do, particularly the bigger ones. How do they work and why is it important to implement the three standards? Those questions are briefly considered below.
SPF, DKIM, DMARC
All three techniques are based on the Domain Name System (DNS). With SPF, a DNS record is created, specifying (amongst other things) which systems are allowed to send mail for the domain in question. Let's consider a simple example involving the domain 'example.nl'. Suppose that an SPF record (which is actually just a TXT record) is created for the domain, as follows:
example.nl. IN TXT "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"
That SPF record means that only servers with IP addresses in the specified ranges are allowed to send mail for example.nl. Any mail that claims to be from example.nl, but isn't sent from a valid IP address, will immediately be identified as suspect by the recipient's mail system. In other words, SPF helps the recipient to tell whether incoming mail is legitimate. SPF isn't entirely straightforward, though. Before enabling SPF for outgoing mail or filtering incoming mail on the basis of SPF, you need to consider the configuration carefully. However, once set up correctly (see also RFC7001), SPF is a useful tool for identifying fraudulent mail.
With DKIM, the sending server (MTA) uses a 'private key' to generate a cryptographic signature, which is added to the message in the form of a DKIM header. It is a sort of validation stamp, if you like. On receipt of a signed message, the recipient's mail system validates the signature (and thus the message) using the matching public key, which is available via the DNS. If the digital signature is valid, the recipient knows where the message came from and can be sure it hasn't been tampered with in transit. The system is secure because, without the sender's private key, a fraudster can't generate DKIM-protected mail. In addition, the detection of falsified messages will be noted by the increasingly popular e-mail reputation systems, making it harder still for fraudsters to get their messages through.
DKIM offers other useful functionality. Your DKIM record can indicate that your system is in test mode, for example. By enabling test mode while DKIM is being configured, you can ensure that mail isn't rejected while the settings are still being perfected.
Unfortunately, as with SPF, the forwarding of e-mail can cause problems, because forwarding sometimes involves alterations to the forwarded message (e.g. the insertion of additional headers). An alteration is liable to invalidate the original DKIM signature, resulting in rejection of the message. With DKIM too, therefore, it's important to think through the implications before implementing the protocol in your mail environment.
All the mail giants, including Yahoo!, Gmail and Live, have been using DKIM for some years. DKIM is also on the Dutch government's use-or-justify list. It is therefore a proven technology, which is increasingly relevant for anyone who wants to be sure of problem-free e-mail delivery.
Finally, a DMARC record can be used to record mail handling rules in the DNS. So, for example, you might include a record that effectively says 'if the DKIM signature is invalid, or if a message fails the SPF check, treat it as spam'. That is what the following DMARC record does:
_dmarc.example.nl. IN TXT "v=DMARC1; p=quarantine"
A receiving MTA looks up the sending domain's DMARC record to see what should be done with a suspect message.
Naturally, the value of DKIM, DMARC and SPF records in the DNS is enhanced when the domain is protected with DNSSEC.
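The receiving-side evaluation described above, as an added example that is not part of the original post: it checks constructed sender addresses against the example.nl SPF record and then applies the example DMARC policy. It handles only the ip4, ip6 and all mechanisms, takes the DKIM verdict as a given boolean, and assumes both identifiers are aligned with the 'from' domain; under RFC 7489 a message passes DMARC when at least one of the two checks passes.

```python
import ipaddress

SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"  # record from the text
DMARC_RECORD = "v=DMARC1; p=quarantine"                          # record from the text
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and similar terms need DNS lookups; not handled here
    return "neutral"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_disposition(spf, dkim_valid, dmarc_record):
    """Apply the domain's policy only when neither SPF nor DKIM passes."""
    if spf == "pass" or dkim_valid:
        return "deliver"
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return "no-policy"                    # left to local spam filtering
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p"), "deliver")

if __name__ == "__main__":
    # Constructed sample messages: (connecting IP, DKIM signature valid?)
    samples = [("203.0.113.25", True),    # sent from an authorised server
               ("198.51.100.7", False),   # forged 'from', unsigned
               ("198.51.100.7", True)]    # forwarded unchanged: SPF breaks, DKIM holds
    for ip, dkim in samples:
        spf = spf_result(SPF_RECORD, ip)
        print(ip, spf, dkim, dmarc_disposition(spf, dkim, DMARC_RECORD))
```

The third sample shows why the forwarding problem hits SPF and DKIM differently: a relay changes the connecting IP address, but an unmodified message still carries a valid signature.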
Naturally, SIDN uses SPF, DKIM and DMARC. It's therefore very easy for a receiving system that supports those technologies to filter out fraudulent e-mails claiming to come from SIDN and with a 'from' address that ends '@sidn.nl'. Via the DMARC mechanism, we also request feedback reports. Feedback reporting is a useful feature of DMARC: it enables receiving systems to alert a domain's administrator to the fact that someone is spoofing addresses under that domain. Incoming feedback reports helped to alert us to the phishing scam referred to at the start of this blog.
Anyone who wants to do something about the problems of spam and phishing mails should therefore seriously consider implementing the three security standards described.
A good way to check a domain's mail security status is to look it up on https://internet.nl/. The site provides a quick and easy way of seeing whether a domain meets more secure modern standards.