Email: Spam/Ham and Some Indigestible Acronyms

This posting has been a long time coming, and is probably longer than ideal, but for those who send bulk emails, there may well be some useful tips in here. And for convenience those who use cloud-based services that also send email can also be classified as bulk email senders.

Some bits get very technical but if you want to skip over those details, feel free but bear in mind that email without the technical bits won’t work. Whatever the sales person tells you!

Ham is of course email that isn’t spam.

But what is spam? It depends on who you ask but :-

  1. It is email that the recipient doesn’t want to see. Whilst this is the least specific definition and the hardest to work to, it is perhaps the most important definition. If the recipient doesn’t want to receive your email, and hits the “This is Spam” button, your emails will be added to a statistical model and/or a machine learning neural network as an example of spam and make it less likely that future emails will be delivered without being filed away into the dreaded “Spam” folder.
  2. It is unsolicited bulk email which is the original technical specification of spam – unsolicited because it isn’t asked for (but what qualifies as “asking”?), bulk (but is generating individually customised versions mean it is no longer bulk?), and email (because sending unsolicited bulk instant messages isn’t quite so annoying?).

There is also a legal definition of what counts as spam but that is beyond the scope of this article.

Phishing can be considered a sub-type of spam – it is bulk email designed to fool you into doing something that you should not – such as “log in” to an attacker’s portal designed to look like a Google authentication page, or less technically, designed to get you to pay for something.

As one of the techniques used to try and fool recipients, phishing very often tries to forge the sender email address to make it look more official. For this reason, technical controls to make forging email addresses harder are frequently in use.

Tracking

One of the selling points of cloud-based bulk email senders is that they try and offer a control panel to indicate just how many recipients have received and read your emails. Perhaps unfortunately, email just doesn’t work that way.

Bulk email senders have been engaged in a low-level war with email privacy activists with one side inventing new ways to track what the recipients are doing with your email, and the other side trying to prevent that “invasion of privacy”.

Whilst the standard for “Do Not Track” has failed, there is still widespread support for it (as shown above), and some people are using “ad blockers” as a more effective alternative.

In summary: You cannot be sure that the control panels of cloud-based bulk email senders are actually tracking what they claim to be.

The Indigestible Acronyms

Email by itself is not secure in any way. You can pretend to be anybody you want, and the contents of the email are not secure either – if an attacker can intercept your email, they can read the contents.

The early solution to this problem was PGP, but whilst an excellent solution technically it really requires senders and recipients to actively participate and to have a rather high level of technical expertise. So it was widely ignored, although it remains an excellent solution for communication requiring very high levels of assurance.

But the problem of forged emails not only remained but increased so other solutions were developed … solutions that resided within the email infrastructure and did not require sender or recipient participation.

DNS

Whilst the Domain Name System sits underneath email, it also sits underneath every single Internet (and many other) applications. It is most commonly used to lookup names such as “www.example.com” and return network addresses (such as 192.168.172.31).

But it can be used to publish other information, and is widely used within various email security enhancements. The various standards are often implemented as a record added to the DNS – for example, the SPF standard requires publishing a text record in the DNS of the form “v=spf1 include:_spf.google.com ip4:148.197.0.0/16 -all“.

SPF (Sender Policy Framework)

The SPF standard publishes a record within the DNS for an organisation that allows that organisation to specify what network addresses can be used to send email addressed from that domain. For example, we have an SPF record that specifies that @port.ac.uk can come from 148.197.0.0/16 (the UoP public network address), Google’s network addresses, plus a rather large number more.

This SPF record is limited in size, and the more we add to it, the more likely we are to break email. For this reason there is an initiative to try and coalesce bulk email services to reduce the number that we are using.

DKIM (DomainKeys Identified Mail)

The DKIM standard also publishes a record (actually commonly more than one) within the DNS to specify the public key of a public/private key pair which is used to verify that a sending server is authorised by an organisation to send email.

The sending server uses a private key to sign a header, and the receiving server uses the public key published in the DNS to verify the signature. If the verification succeeds, the recipient’s mail server can be confident that the sending server was authentic.

A DKIM record looks something like :-

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAfEB8lKdN9PEGll4hxix17dnvGFbvjiIfrIq/E3Yi5rePbLfOHQ1lnJwG54mdA8AFQjgJ4hKiC8++JGog/v4RiamLdq7csjuz7erUvjoC3VSco8K33iNRWskgTFnwuJj2BwC89F3GZjBBZ0cKvim+OHi/jHSuk+4vR1z21He4LwIDAQAB

And yes that has to be entered exactly as given with no risk of mistakes – a text-based cut and paste is required to create a new DKIM record for a new email sender.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

The DMARC standard is yet another DNS record published by an organisation that specifies how messages should be permitted, rejected, or quarantined (put in a “spam” folder) depending on whether they pass SPF and DKIM verification.

Membership Management

When running a mailing list, it is important to manage the members of that list :-

  1. Removing addresses that don’t work.
  2. Removing members of an “opt in” list who expressed a desire to opt out.

These two tasks may be managed automatically, but it is worth bearing in mind that these are both tasks that a bulk emailer is responsible for. Sending to broken addresses may well increase the likelihood that email to a similar destination will be marked as spam; and of course sending email to those who don’t want to receive it will result in it being manually marked as spam.

Content

In addition to getting the technical configuration right to not fall afoul of DMARC,DKIM, or SPF checking, it is also important to optimise the content of messages to minimise the chances of being marked as spam. This is definitely the trickiest bit to advise on because the “markers” for spam tend to be based on statistical models and in some cases advice may be in conflict for the purpose of the message!

  1. Email with “rich” content (fonts, colours, embedded links, etc.) is normally sent as two parts – an HTML version (with the “rich” bits) and a plain text version. Email sent as only HTML is quite likely to be marked as spam. Depending on your email sender, this may be an option to turn on or off although Mailchimp at least sends plain-text versions alongside HTML messages by default.
  2. When composing email with “rich” content, avoid making it too “rich” – the use of JavaScript, external CSS, Flash, embedded video, etc. will most likely not work, and will make your email look like spam.
  3. Don’t! Get!! Too!!! Excited!!!! Spam often seems to be very excited in its tone (and is often guilty of using too many exclamation marks) – try and avoid getting too overenthusiastic in tone. This doesn’t mean try to be too bland though. On a related note, DON’T SHOUT (uppercase only text is perceived as shouting).
  4. Using punctuation like “!” or “?” in Subject headers is also ‘spam-like’.
  5. No matter how urgent it is, don’t try to push people into doing something urgently (“Urgent! Bank fees to go up!”) – they won’t, and it is a very spam-like (and phishing) thing to do.
  6. Avoid spam-like phrases such as “business offer”, “free”, “best price”, “cash”, “no obligation”, “wrinkles”, “mortgage”, “valium”, “weight-loss”, “guaranteed”.
  7. Never mention ‘impossible’ percentages (anything greater than 100%) – it is a clear sign of spamminess, and causes mathematical inclined people to grind their teeth.
  8. Use correct English.

There are other guides to avoiding being marked as spam – search for them.

In general, it is also important to “stick to the subject” – use mailing lists for the purpose for which they were created, avoid sending unnecessary messages, minimise the number of emails sent, and keep them interesting.

Posted in Email | Tagged , , | Comments Off on Email: Spam/Ham and Some Indigestible Acronyms

Diagnosing a Phishing Attack

I was clearing out some older emails today and encountered an attempt to phish Apple credentials; although this one was specific to Apple, the general lessons apply to all phishing attacks … and indeed more general malicious spam.

The attack was immediately obvious simply from the email addresses within the “To” and “From” headers without opening the body of the email :-

To: customer@apple.bill.com
From: suρρort@aρρlе.com <srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com>

First of all, look at the “To” header :-

  1. It doesn’t contain your (or in this case my) email address. This is a mark of suspicion; not enough on it’s own to make it spam, but on the way.
  2. Look how “apple” is a sub-domain of “bill.com”. Is Apple likely to allow anything significant to be branded with anything other than “apple”? More suspicious.

Next look at the “From” header … it may well be that your mail client does not show the full version of this – it would show just the “suρρort@aρρlе.com” rather than the real email address which is contained within “<” and “>” (“srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com”). So some of the first indicators may not be visible to you :-

  1. The real email address (“srvcsiyaccntse19sr345icdoeh@pesawwaatadaka.com”) is very odd, and the domain part (“pesawwaatadaka.com”) has no apparent connections with Apple.
  2. The supposed email address (“suρρort@aρρlе.com”) appears where a full name would normally appear – this is a clear mark of suspicion.
  3. Look closely at the “p”s in “aρρlе.com” and “suρρort”. Magnify the screen if you wish; not quite right are they? That’s because they’re not “p”s but a Greek rho letter with a similar but not identical appearance to a “p”. Using deceptive Unicode letters like this is doubly suspicious – enough to treat the email very carefully.

The subject itself also has lots of suspicious keywords selected (in some cases) to fool you into treating it more urgently and less suspiciously :-

  1. “Fwd:”: This is commonly added when someone manually forwards an email on – why is this sort of email being forwarded and not sent directly? Do you have a personal assistant who handles emails for you?
  2. “Daily-Reminder”: If it’s a daily reminder, what is so urgent about it?
  3. “Receipt-Document due”: Are you behind on your paperwork with Apple?
  4. “Alert!”: Is it really?

And lastly, there is the message body itself, although by now there is enough information leading to suspicion that there is no need to examine the body. But the body consists of just an attachment; no serious email from an organisation like Apple will consist of just an attachment with no explanation as to the contents. I have never sent an email to someone with just an attachment – even when they know such a thing is on the way; there is always an explanation.

I (and don’t do this unless you know you are running it in a prepared environment with full protection against infection) downloaded the attachment and passed it through some checks :-

  1. It isn’t detected as malware by VirusTotal (which passes an uploaded file through 61 anti-malware engines).
  2. The document contains lots of scary words plus a link to a suspicious site. The link was to csactivityremember.ddns.${obfuscated}. The “ddns” bit indicates that this site moved around to different servers on a regular basis. Not the sort of thing that Apple would do; and Apple certainly wouldn’t use a name like that.

Note how there was enough information in the “To” and “From” headers to indicate that this was a suspicious email – all the rest of it was further analysis to confirm my suspicions. You can (and should) reject such suspicious emails at the earliest possible stage.

Posted in Active Attacks, Email | Tagged , | Comments Off on Diagnosing a Phishing Attack

German University Forced To Reset All Passwords

According to this story in The Register (the source material is reasonably enough in German), one of our German competitors has recently been forced to reset every single account password causing significant queues for service. Plus a significant amount of malware cleansing.

Reading between the lines, and making possibly unwarranted assumptions based on my knowledge of how attacks work, it seems likely that this incident came about because :-

  1. A significant malware outbreak occurred despite anti-virus protection (everyone has that these days) making a cause for “next generation endpoint protection” (detecting malware by behaviour rather than signature).
  2. At least one infected workstation was used by someone with “domain admin” level privileges allowing access to the Active Directory database.
  3. And presumably some indication was found that the Active Directory database was “stolen” in theory allowing accounts with relatively weak passwords to be compromised.

Security is one of those tasks that can seem kind of like wasted time; until you look at events like this!

Posted in General | Tagged , , | Comments Off on German University Forced To Reset All Passwords

The Anti-Phishing “Gold Star”

Recently a query to a UK HE security list came with a link to https://www.phishingscorecard.com/ScoreCard/United-Kingdom/Education/MTEtMTE%3d which gives us a classification of “Security rockstar” for anti-phishing security measures :-

(The “DKIM” green flag only shows up if you upload an appropriate DKIM key).

Whilst it might be a bit of an exaggeration, we do compare quite favourably with the rest of the UK HE sector – only 11 organisations have a green shield under “DMARC”, but there is room for improvement as we have yet to implement DNSSEC.

The Phishing score card is published by “Dmarcian” who are behind the creation of “DMARC”. All three (DMARC, DKIM, and SPF) are a combination of technologies built on top of the basic email standard to make it harder for email addresses to be forged.

DNSSEC is slightly different in that it secures the DNS making it harder to forge DMARC, DKIM and SPF records within the DNS.

Posted in Email | Comments Off on The Anti-Phishing “Gold Star”

Keeping Secret Google Meetings Secret

It is possible that some people are unaware (certainly I wasn’t; at least not this week) that it is possible that information about meetings can be seen not by looking at someone’s shared diary but looking at the room booked.

Specifically you can see the subject and the agenda of meetings (if it was included) if you can view a room’s “diary”.

If you happen to set up meetings that involve sensitive information, you may want to be aware and either do not include any sensitive information in the meeting subject/agenda (the one within the Google calendar). Or …

Whilst setting up a meeting, you can change the visibility of the meeting from “Default visibility” to “Private” and the details of your meeting will not show up. See :-

The relevant drop-down appears alongside “Busy”.

Just for the record, I’ve never booked a meeting with a location specified as vaguely as “Somewhere with a bar”.

Posted in General | Tagged , , | Comments Off on Keeping Secret Google Meetings Secret

Careful With That Link Eugene

Over the last few weeks, I have noticed an increasing number of very suspicious looking links blocked by our “DNS firewall” – links like “xwhdg.read-this-hot-stuff.today”.

The suspicion is that people are being sent emails with links within and they are clicking on the links for further information rather than checking the link first and refusing to follow the link because the destination looks suspicious.

Check the link you are about to click on! And if it looks suspicious, don’t click on it.

When your mouse “hovers” over a link, the status bar at the bottom of your browser (Firefox and Chrome at least) will show the address it will take you too :-

It is not as conveniently obvious as a pop-up display of the link you are about to click on, but it does make it possible to check links in (for example) emails.

As to what makes a web address suspicious, that’s more of an art than a science but some indications :-

  1. If it includes nonsense strings of letters (such as “xwhdg”).
  2. Anything embedded within the string of labels which tries to hurry you up (“click-now”) or encourage you (“read-this-hot-stuff”).
  3. Any domain that ends with a word (“.today”) rather than the old country specific domains (“.co.uk”) or organisation types (“.com”, “.org”, or “.net”) probably gets a ½ point towards suspicious.
Posted in Email, Firewall | Comments Off on Careful With That Link Eugene

‘Shoulder Surfing’ or Is Your Screen Showing Others Information It Shouldn’t?

Every time I travel by train during working hours, I get reminded of the old “shoulder surfing” attack; a surprising number of people are working away on their laptops seeming unaware that anyone peaking over their shoulders has a good chance of catching what they are doing.

Which is all very well if it is something innocuous, but what if the work involves sensitive information?

It may seem unlikely that any serious compromise could take place in such a way, but it has been known to happen. Besides it’s a good excuse to put away the laptop and get on with something more fun.

Posted in General | Tagged | Comments Off on ‘Shoulder Surfing’ or Is Your Screen Showing Others Information It Shouldn’t?

Imaging PCs for Offline Analysis

This is going to be a technical post with requirements for access rights that most people do not have, so it can be ignored. The intention is to file this information in a place that can be widely seen for the benefit of others needing this information.

In some circumstances, it can be helpful to “clone” a hard disk to a file image that can be used independently of the machine itself. This list of actions indicates how it can be done in the UoP environment :-

  1. Make some firmware changes :-
    1. Turn off ‘Secure Boot’
    2. Enable ‘Network Booting’ (not sure why it’s ever disabled)
    3. Enable “Legacy booting” (as many ipxe recipes require it)
  2. Turn off BitLocker encryption (an encrypted blob is tricky to analyse) :-
    1. Start → Control Panel → System and Security → BitLocker Drive Encryption
    2. Select drive, and “Turn Off BitLocker” (presumably needs admin)
    3. One turned off, the laptop becomes toxic and must remain on site in a physically secure environment.
  3. Perform the imaging :-
    1. Boot off the network (PXE)
    2. Continue to the iPXE menu and (currently) the testing menu.
    3. Select “Ghost for Linux” (either 1 or 2)
    4. Go through the wordage and select backup to a local filesystem – turn
      off compression (the default of “lzo” is rather useless and the usual destination performs compression transparently).
    5. Start an sshfs (sshfs username@148.197.8.78:)
    6. Create an image name – YYYYMMDD-description.img
    7. Start the backup
    8. Restore firmware settings.
  4. Turn BitLocker encryption back on.

Posted in Technical | Tagged | Comments Off on Imaging PCs for Offline Analysis

Zoom Desktop Vulnerability for macOS

Update: Apple is now silently pushing out an update to remove the Zoom “hidden feature” so you will be please to know that the geeky removal is no longer necessary. Just make sure you have opted in to all recent updates from Apple, and let it “phone home” for malware updates.

Update 2: It turns out (not entirely unexpectedly) that the little web server that Zoom installs is not only a vulnerability in itself, but it is also vulnerable to exploitation allowing an attacker to do just about everything with your computer that you can.

Update 3: In addition to Zoom, it seems that Bluejeans and Ring Central for Meetings may be licensed copies of Zoom and also install a little “helper” web server. It should be assumed that they are similarly vulnerable.

According to the security researcher who found the vulnerability (warning it gets quite technical quite quickly), when you install Zoom – usually at the last minute before a conference call where it is suggested that you install Zoom to show presentation slides – you open yourself to a vulnerability that allows a rogue web site to open your webcam without notification.

Indeed the vulnerability is still present after the Zoom client is removed in the ordinary way. Zoom apparently in addition to the actual client software also installs a web server to make re-installing the client software easier. On the down side, a malicious web site can redirect requests via that web server.

Not good news!

The current Zoom response amounts to “make sure your web cam is turned off” when inside the Zoom client (‘go into the Zoom settings window and enable the “Turn off my video when joining a meeting” setting.’)

Which doesn’t seem quite adequate.

The currently known fix for removing that hidden web server is unfortunately limited to terminal commands :-

$ sudo lsof -i :19421
{Look for the "PID" of the process listed - which may be nothing}
$ sudo kill PID
{meaning enter the number you used previously}
$ rm -rf ~/.zoomus
{if you want to be ultra cautious you could rename it instead: mv ~/.zoomus ~/that-dodgy-zoom-thing}

In addition you will want to remove the Zoom desktop client in the normal way (drag from the Applications folder to the trash icon).

Whilst this is being actively exploited, the current damage seems to be limited to suddenly finding yourself attached to a conference call with a bunch of random strangers all looking rather startled. Whilst this might sound amusing, this is probably the least of what might result.

Posted in Active Attacks, Technical | Tagged | Comments Off on Zoom Desktop Vulnerability for macOS

DNS Firewalls: What They Are, and What They’re Not

This posting is really a description of so-called “DNS Firewalls” intended for those who have to deal with security vendors regularly. Having said that, there are DNS firewalls for home users (I cannot make any specific recommendations), so it may be of wider interest.

Calling them “DNS Firewalls” is a bit deceptive (and it is even possible to persuade a security vendor’s salesperson to admit that it’s a bad name for them). Firewalls control network traffic whereas “DNS firewalls” allow you to apply a policy to DNS lookups.

To be fair, the implementation for the most common DNS server is called “Response Policy Zones” (RPZ) which is a little bit on the geeky side. But to be summed up, it allows you to specify a policy when looking up names in the DNS.

What Does It Do?

When you look up names in the DNS – which happens in the background whenever you make a network connection – the DNS server performs that lookup on your behalf. If a “DNS Firewall” is turned on, it can do one of two things :-

  • Return a value indicating that the name doesn’t exist (a web browser will show an error page saying something similar to “foo.zonky.org’s server IP address could not be found.”)
  • Return an answer to a query that is not the correct answer. Or in other words lie. This can be used to provide an alternate service, or to present a web page explaining why the page is being blocked.

Of course high-end commercial “DNS firewalls” offer to do quite a bit more, but the chief cost is really the threat information feeds that gets turned into a policy. Catching phishing attacks automatically and rapidly.

Posted in Firewall, General | Tagged | Comments Off on DNS Firewalls: What They Are, and What They’re Not