Home page logo

pauldotcom logo PaulDotCom mailing list archives

Spoofing emails
From: johnemiller at gmail.com (John Miller)
Date: Fri, 15 May 2009 20:25:21 -0500

SPF and DomainKeys verification can help prevent spoofed messages from
reaching your users. Neither of these technologies is a perfect solution as
they require the sending domain to have properly implemented them.
Configuring SPF and DomainKeys for domains that you control helps others
prevent spoofed messages from your domain reaching them. This is good for
both parties, as no spoofed messages means no back scatter.

Probably the most important type of spoofed email to prevent are those that
feign internal FROM addresses. If you permit spoofed messages from your own
domain, it becomes trivial to perform social engineering. When people get an
angry email from their boss demanding that they download a patch or make a
specific change to the firewall, they tend to perform what ever is asked of
them. It often comes up in my audit and assessment work that users are used
to receiving requests to perform some technical action, such as installing a
patch. Training users in bad habits such as this makes it much easier to for
an attacker. Requiring all incomming messages with an internal FROM address
to perform some sort of authentication can help to mitigate this threat.

In the end, SMTP is flat out broken, security-wise. Any organization should
be practicing defense-in-depth when it comes to email.

   - Keep everything patched, eliminate unnecesasary services.
   - Use a mail gateway that performs spam and malware filtering, block
   against black lists, don't have secondary MX records that bypass the gateway
   - attackers will find that! Ensure the mail server will only receive
   messages from the gateway.
   - Implement and check SPF and/or DomainKeys.
   - Establish strict policies and procedures to prevent users from blindly
   following instructions send via email.
   - Perform security awareness training with users to inform them of the
   threats, follow this up with social engineering pentests to reenforce the
   - Ensure users have the least privileges required to perform their job
   fuctions, reducing the threat of secondary exploitation should they have
   their workstation compromised.
   - Have sufficent visibility into the network (via IDS/IPS, firewall
   alerting, etc) and effective procedures to quickly respond to any detected

On Fri, May 15, 2009 at 12:16 PM, natron <natron at invisibledenizen.org>wrote:

On Sat, May 9, 2009 at 9:45 AM, Nathan Sweaney <NSweaney at tulsacash.com>
Other than Core, what's the best way to go about creating spoofed emails?

On a related note, what's the generally accepted best way to defend
against spoofed emails?  SPF?

Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090515/cc3f4494/attachment.htm 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]