Join the fight against email spam!

Why would we do this?
- People waste their time sorting SPAM
- Money lost through phishing emails
  - banks, credit cards, invoices
- No trust in their real message
- Google forces you to do it!
Safer Internet Day
February 9, 2016
Who is sending emails from their applications?

Who is running his own email server?

Who is in charge of the DNS records?

Who recognizes this situation?
My email to bob@example.com has not arrived.
Our client(s)
My email has not arrived...
Lots of reasons
- The code doesn't send the email
- The server IP address is on an RBL blacklist
- The receiving server doesn't trust your IP address
- The content is marked as SPAM
- The email policy is not configured, or not optimally

My email has not arrived...
What can we do about it?
- Check that the script actually sends
- Check the server IP address against the RBL blacklists
  - Submit for removal
- Check the email policies [SPF/DKIM]
- Use an email service provider
How we did it in the old days
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
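The log on this slide is an Exim main log: "<=" is the arrival line, "=>" a delivery, and "Completed QT=" the end of the message's life in the queue. "The old days" meant reading those lines by hand. As an added example (not the slides' tooling), here is a small Python parser that follows one message id through those lines and pulls out the sender, the connecting host, the SpamAssassin score and the queue time; the sample lines are the ones on the slide, rejoined where the slide wrapped them, and the field names in the result dict are my own.

```python
"""Correlate Exim main-log lines per message id (added example, not the
slides' tooling).  SAMPLE_LOG holds the lines shown on the slide."""
import re

SAMPLE_LOG = """
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
""".strip().splitlines()

# timestamp, [pid], Exim message id (6-6-2 characters), rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(?P<pid>\d+)\] "
    r"(?P<msgid>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) (?P<rest>.*)$")
HOST_RE = re.compile(r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
SPAM_RE = re.compile(r"detected message as (?P<verdict>NOT spam|spam) \((?P<score>-?\d+(?:\.\d+)?)\)")


def _tag(rest, key):
    """Value of an Exim KEY=value tag; quoted values (T="...") keep their spaces."""
    m = re.search(rf'(?:^| ){re.escape(key)}=(?:"(?P<q>[^"]*)"|(?P<u>\S*))', rest)
    if not m:
        return None
    return m.group("q") if m.group("q") is not None else m.group("u")


def summarize(lines):
    """Return {message id: summary dict} built from all lines mentioning that id."""
    msgs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a per-message line
        rest = m.group("rest")
        msg = msgs.setdefault(m.group("msgid"), {"recipients": [], "first_seen": m.group("ts")})
        if rest.startswith("<= "):        # arrival: sender, sending host, size, TLS, subject
            msg["sender"] = rest.split()[1]
            h = HOST_RE.search(rest)
            if h:
                msg["host"], msg["ip"] = h.group("host"), h.group("ip")
            msg["size"] = int(_tag(rest, "S") or 0)
            msg["subject"] = _tag(rest, "T")
            msg["tls"] = _tag(rest, "X")
        elif rest.startswith("=> "):      # one delivery attempt that succeeded
            msg["recipients"].append(rest.split()[1])
        elif rest.startswith("Completed"):
            msg["queue_time"] = _tag(rest, "QT")
        else:                              # content-scanner warnings, e.g. SpamAssassin
            s = SPAM_RE.search(rest)
            if s:
                msg["spam_score"] = float(s.group("score"))
                msg["spam"] = s.group("verdict") == "spam"
    return msgs


def flagged(msgs, threshold=5.0):
    """Message ids whose SpamAssassin score reached the threshold (5.0 is SpamAssassin's default)."""
    return sorted(mid for mid, m in msgs.items() if m.get("spam_score", 0.0) >= threshold)


if __name__ == "__main__":
    for mid, m in summarize(SAMPLE_LOG).items():
        print(mid, m)
```

Run it over a real mainlog with `summarize(open("/var/log/exim4/mainlog").read().splitlines())` (assumed path); `flagged()` then gives the ids worth a second look.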
Email service providers
Email authentication
1. SPF
2. DKIM
3. DMARC
SPF
Sender Policy Framework
- Created in 2003
- Declares which mail servers are used to send mail from your domain
- Published as an SPF record in your DNS records
- A technical method to prevent sender address forgery

SPF
This technology requires two sides to play together:
1. The domain owner, publishing an SPF record
2. The receiving server, checking for the domain's SPF records

SPF
If the message comes from an unknown server, it can be considered fake and could be rejected.
SPF record - JCID
Let's look at an example
jcid.nl. TXT "v=spf1
  include:spf.jcid.nl
  include:_spf.google.com
  include:spf.mandrillapp.com
  include:_spf.exactonline.nl
  -all"
SPF record - SweetLake PHP
The parts of the SPF record mean the following:
sweetlakephp.nl. TXT "v=spf1
  +a
  +mx
  include:spf.mandrillapp.com
  ~all"
- v=spf1
- a
  - 149.210.152.247
- mx
  - mx.transip.email
- include:spf.mandrillapp.com
- ~all
SPF mechanisms
- Domains define zero or more mechanisms.
all | ip4 | ip6 | a | mx | ptr | exists | include

Mechanisms can be prefixed with one of four qualifiers:
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral

The default qualifier is "+", i.e. "Pass".
SPF - The "ip4" & "ip6" mechanism
ip4:<ip4-address>
ip4:<ip4-network>/<prefix-length>
ip6:<ip6-address>
ip6:<ip6-network>/<prefix-length>

"v=spf1 ip4:192.168.0.1/16 -all"
Allow any IP address between 192.168.0.1 and 192.168.255.255.
"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
SPF - The "a" & "mx" mechanism
a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>
mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>

SPF - The "include" mechanism
include:<domain>
Example
include:spf.mandrillapp.com

SPF - The "include" mechanism
Exact Online Example
ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz
SPF record - The "all" mechanism
sweetlakephp.nl. TXT "v=spf1
  +a
  +mx
  include:spf.mandrillapp.com
  ~all"

SPF -all
Stopping email forgery

SPF stats - All domains
SPF -all, 1 April 2016

SPF stats - Domains with SPF record
SPF -all, 1 April 2016

SPF - The "all" mechanism
"v=spf1 mx -all"
Only the domain's MX hosts may send; any other host fails.
"v=spf1 -all"
The domain sends no mail at all; every host fails.
"v=spf1 +all"
Any host may send; the record gives no protection.
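The mechanisms, qualifiers, ip4/ip6 and a/mx forms, "include" and the three "all" variants above are what a receiving server's check_host() walks through, left to right, until a term matches. The following is an added example, not the slides' code: a minimal SPF evaluator in Python. It answers from a constructed in-memory DNS table (the sweetlakephp.nl record, its 149.210.152.247 A record and mx.transip.email MX are the slides'; the spf.mandrillapp.com record and the remaining addresses are made up from documentation ranges), so it runs offline; ptr, exists, macros, redirect and the 10-lookup limit are left out.

```python
"""Minimal SPF check_host() (added example, not the slides' code).

Mechanisms: all, ip4, ip6, a, mx, include, with the four qualifiers.
DNS answers come from a constructed in-memory table so the code runs offline.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS table (TEST-NET addresses where the slides give none).
DNS = {
    "sweetlakephp.nl": {"TXT": ["v=spf1 +a +mx include:spf.mandrillapp.com ~all"],
                        "A": ["149.210.152.247"], "MX": ["mx.transip.email"]},
    "mx.transip.email": {"A": ["198.51.100.25"]},
    "spf.mandrillapp.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "strict.example": {"TXT": ["v=spf1 mx -all"], "MX": ["mail.strict.example"]},
    "mail.strict.example": {"A": ["192.0.2.25"]},
    "nomail.example": {"TXT": ["v=spf1 -all"]},
    "open.example": {"TXT": ["v=spf1 +all"]},
    "range.example": {"TXT": ["v=spf1 ip4:192.168.0.1/16 ip6:1080::8:800:200C:417A/96 -all"]},
}


def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record of a domain, or None (no record, or several)."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def parse_term(term, domain):
    """'~include:x', 'a:x/24', 'ip4:1.2.3.0/24' -> (qualifier, name, argument, prefix)."""
    qualifier = "+"                                   # the default qualifier is Pass
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    if term.lower().startswith(("ip4:", "ip6:")):
        return qualifier, term[:3].lower(), term[4:], None
    body, _, prefix = term.partition("/")             # a/24, mx:dom/24
    name, _, arg = body.partition(":")
    return qualifier, name.lower(), arg or domain, int(prefix) if prefix else None


def host_match(ip, domain, prefix):
    """'a'/'mx' matching: is ip inside <address>/<prefix> of any address of domain?"""
    rtype = "A" if ip.version == 4 else "AAAA"
    if prefix is None:
        prefix = 32 if ip.version == 4 else 128
    return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
               for addr in lookup(domain, rtype))


def check_host(ip, domain, depth=0):
    """SPF result for a connection from ip using MAIL FROM <...@domain>."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, name, arg, prefix = parse_term(term, domain)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)   # False across IP versions
            except ValueError:
                return "permerror"
        elif name == "a":
            matched = host_match(ip, arg, prefix)
        elif name == "mx":
            matched = any(host_match(ip, mx, prefix) for mx in lookup(arg, "MX"))
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"                    # RFC 7208 5.2: include target has no usable record
            matched = sub == "pass"
        else:
            return "permerror"                        # ptr/exists/unknown: not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                  # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("149.210.152.247", "203.0.113.77", "192.0.2.99"):
        print(ip, "sweetlakephp.nl", check_host(ip, "sweetlakephp.nl"))
```

Note how "~all" on sweetlakephp.nl turns an unknown host into softfail while "-all" on strict.example turns it into fail, and how "+all" makes every host pass.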
SPF results
An SPF record can return any of these results:
1. Pass

2. Fail
3. SoftFail

4. Neutral
5. None

6. PermError
7. TempError
SPF result
1 - Pass (accept)
Received-SPF: pass (bob.example.org: domain of alice@example.com
    designates 192.0.2.1 as permitted sender)
    receiver=bob.example.org; client_ip=192.0.2.1;
    envelope-from=alice@example.com; helo=mailout00.controlledmail.com;

SPF result - the fields of the Received-SPF header
receiver=bob.example.org
    the host name of the SPF client
client_ip=192.0.2.1
    the IP address of the SMTP client
envelope-from=alice@example.com
    the envelope sender mailbox
helo=mailout00.controlledmail.com
    the host name given in the HELO or EHLO command
SPF result
2 - Fail (reject)
Received-SPF: fail (bob.example.org: domain of alice@example.com does
    not designate 192.0.2.1 as permitted sender)
3 - SoftFail (accept but marked)
Received-SPF: softfail (bob.example.org: domain of transitioning
    alice@example.com does not designate 192.0.2.1 as permitted
    sender)

SPF result
4 - Neutral (accept)
Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted
    nor denied by domain of alice@example.com)
5 - None (accept)
Received-SPF: none (bob.example.org: domain of alice@example.com does
    not designate permitted sender hosts)

SPF result
6 - PermError (unspecified)
Received-SPF: permerror -extension:foo (bob.example.org: domain of
    alice@example.com uses mechanism not recognized by this client)
7 - TempError (accept or reject)
Received-SPF: temperror (bob.example.org: error in processing during
    lookup of alice@example.com: DNS timeout)
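When you debug a delivery problem you read these headers on the receiving side. As an added example (not from the slides), here is a Python parser for the Received-SPF header in the seven forms above, plus one for the Authentication-Results header that Google adds (it appears in the full message header later in this deck). The accept/reject/mark labels are the slides' reading of each result; the sample header values are the ones on the slides.

```python
"""Parse Received-SPF and Authentication-Results headers (added example,
not the slides' code).  Sample values are the ones shown on the slides."""
import re

# The slides' accept / reject / mark reading of each SPF result.
ACTION = {
    "pass": "accept", "fail": "reject", "softfail": "accept but mark",
    "neutral": "accept", "none": "accept",
    "permerror": "unspecified", "temperror": "accept or reject",
}

SAMPLE_PASS = ("pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as "
               "permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; "
               "envelope-from=alice@example.com; helo=mailout00.controlledmail.com;")
SAMPLE_PERMERROR = ("permerror -extension:foo (bob.example.org: domain of alice@example.com "
                    "uses mechanism not recognized by this client)")
SAMPLE_AUTH_RESULTS = ("mx.google.com;\n spf=pass (google.com: domain of ramon@delafuente.nl "
                       "designates 2a00:1450:400c:c09::236 as permitted sender) "
                       "smtp.mailfrom=ramon@delafuente.nl;\n dkim=pass header.i=@delafuente.nl")


def parse_received_spf(value):
    """Received-SPF: result [(comment)] key=value; key=value; ..."""
    value = " ".join(value.split())            # unfold wrapped header lines
    result, _, rest = value.partition(" ")
    comment = None
    m = re.search(r"\(([^)]*)\)", rest)        # the human-readable explanation
    if m:
        comment = m.group(1).strip()
        rest = rest[:m.start()] + rest[m.end():]
    fields, extensions = {}, []
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            k, _, v = part.partition("=")
            fields[k.strip().lower()] = v.strip()
        else:
            extensions.append(part)            # e.g. "-extension:foo" on the PermError slide
    result = result.lower()
    return {"result": result, "comment": comment, "fields": fields,
            "extensions": extensions, "action": ACTION.get(result, "unspecified")}


def parse_authentication_results(value):
    """Authentication-Results: authserv-id; method=result [ptype.prop=value ...]; ..."""
    value = re.sub(r"\([^)]*\)", "", " ".join(value.split()))   # drop comments
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    authserv, methods = clauses[0], {}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, _, v in (t.partition("=") for t in tokens[1:]) if k and v}
        methods[method.lower()] = {"result": result.lower(), **props}
    return {"authserv_id": authserv, "methods": methods}


if __name__ == "__main__":
    print(parse_received_spf(SAMPLE_PASS))
    print(parse_authentication_results(SAMPLE_AUTH_RESULTS))
```

Both headers are added by the receiving MTA, so only trust the ones your own server wrote (the authserv-id tells you which server that was); a sender can prepend any header it likes.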
Recap
DKIM
DomainKeys Identified Mail
Digital signature

Why DKIM?
DKIM is an important authentication mechanism
- Email receivers
  - Phishing emails (banks, credit cards, invoices)
- Email senders
  - No trust in their real message

DKIM
Two proposals took shape in 2005:
1. Yahoo's DomainKeys
2. Cisco's Identified Internet Mail
Both proposals were based on the use of "Public Key Cryptography".
In mid 2005 the IETF (Internet Engineering Task Force) submitted the draft "DomainKeys Identified Mail (DKIM)" specification.
How does DKIM work?
1. The author wishes to send an email to a recipient.
2. They (their mailing software) calculate a cryptographic signature
   that covers the relevant parts of the message, using the private key.
3. The signature is placed in the email header
   and the message is then sent normally by the mail server.
4. At any point in transit the signature can be validated using the public key.
5. If any part of the message covered by the signature was manipulated,
   the signature won't validate and the recipient will be alerted.

How does DKIM work?
- Public key cryptography, like SSH
- Private key vs. public key
- DKIM uses DNS to publish the public keys
DKIM header
DKIM-Signature: v=1;
    a=rsa-sha256;
    c=simple/relaxed;
    d=jcid.nl;
    s=mandrill;
    t=1399817581;
    bh=Pl25…dcMqN+E=;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
    b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=

DKIM header - Version
v=1
This indicates the DKIM version in use.

DKIM header - Algorithm
a=rsa-sha256
The algorithm suite that was used to generate the cryptographic signature.
The current specification defines two:
- rsa-sha1
- rsa-sha256

DKIM header - Canonicalization
c=simple/relaxed
Note that the c= fragment defines two algorithms: the first for the headers, the second for the body.

DKIM header - Domain
d=jcid.nl

DKIM header - Selector
s=mandrill
txt:mandrill._domainkey.jcid.nl
v=DKIM1;
k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ
/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt
7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfN
dynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB

DKIM header - Timestamp
t=1399817581

DKIM header - Body hash
bh=Pl25…dcMqN+E=

DKIM header - Header list
h=Message-ID:Date:Subject:From:...

DKIM header - Data
b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
- The cryptographic signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.
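To make the five steps and the tags above concrete, here is an added Python example (not the slides' code) of the DKIM building blocks a signer and a verifier share: splitting the tag=value list, RFC 6376 simple/relaxed body canonicalization, the bh= body hash, the exact bytes the a= algorithm signs (the h= headers plus the DKIM-Signature header with an empty b=), and the `selector._domainkey.domain` lookup that fetches the p= public key. The RSA-SHA256 operation itself (producing and checking b=) is deliberately left out; a real verifier performs it over `signed_data()` with the key from DNS. The DNS table is constructed from the mandrill._domainkey.jcid.nl record on the slides; the message headers and body are made up.

```python
"""DKIM building blocks (added example, not the slides' code): tag parsing,
body canonicalization, bh=, the signed data, and the selector lookup.
The RSA step over signed_data() (the b= tag) is not performed here."""
import base64
import hashlib
import re

# Constructed DNS table holding the record shown on the slides.
DNS_TXT = {
    "mandrill._domainkey.jcid.nl": (
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ"
        "/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt"
        "7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfN"
        "dynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB"),
}


def parse_dkim_tags(text):
    """tag=value pairs of a DKIM-Signature header or a DKIM DNS record."""
    tags = {}
    for part in text.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = "".join(v.split())   # drop folding whitespace inside values
    return tags


def canonicalize_body(body: bytes, method="simple") -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if method == "relaxed":                       # collapse WSP runs, strip trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")                   # ignore all trailing empty lines
    if body:
        return body + b"\r\n"
    return b"" if method == "relaxed" else b"\r\n"   # empty body: relaxed "", simple CRLF


def body_hash(body: bytes, method="simple") -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, method)).digest()).decode()


def canonicalize_header(name, value, method="simple"):
    """Headers are (name, value) pairs with the value stored without its leading space."""
    if method == "relaxed":
        value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
        return f"{name.lower()}:{value}\r\n"
    return f"{name}: {value}\r\n"


def signed_data(headers, dkim_value, method="simple"):
    """What a= hashes and the private key signs (RFC 6376 3.7): the h= headers,
    last instance first for repeated names, then DKIM-Signature with b= emptied."""
    tags = parse_dkim_tags(dkim_value)
    remaining, out = list(headers), ""
    for name in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out += canonicalize_header(*remaining.pop(i), method)
                break
    blank_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", dkim_value)
    return out + canonicalize_header("DKIM-Signature", blank_b, method).rstrip("\r\n")


def build_dkim_header(d, s, h_list, body, c="relaxed/relaxed", t=0):
    """Sender side up to the RSA step: bh= computed, b= left empty for the signer."""
    body_method = c.split("/")[1] if "/" in c else "simple"
    return (f"v=1; a=rsa-sha256; c={c}; d={d}; s={s}; t={t}; h={':'.join(h_list)}; "
            f"bh={body_hash(body, body_method)}; b=")


def verify_body_hash(headers, body):
    """Receiver side: recompute bh= over the canonicalized body and compare (step 5 on the slide)."""
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return "none"
    tags = parse_dkim_tags(sig)
    c = tags.get("c", "simple/simple")
    body_method = c.split("/")[1] if "/" in c else "simple"
    return "pass" if body_hash(body, body_method) == tags.get("bh") else "fail"


def fetch_public_key(d, s):
    """Look up s._domainkey.d and return the base64 p= key, or None if unusable."""
    record = DNS_TXT.get(f"{s}._domainkey.{d}")
    if record is None:
        return None
    tags = parse_dkim_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None
    return tags["p"]
```

The relaxed/simple choice matters operationally: a mailing list or gateway that reflows whitespace breaks a simple-canonicalized signature but not a relaxed one, which is why most senders (including the Google and Mandrill headers in this deck) use relaxed/relaxed.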
DKIM results
The possible results for your DKIM test are:
1. Pass
2. Fail
3. None
4. Policy
5. Neutral
6. TempError
7. PermError

DKIM results - Pass
The message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.

DKIM results - Fail
The message was signed and the signature or signatures were acceptable, but they failed the verification test(s).

DKIM results - None
The message was not signed.

DKIM results - Policy
The message was signed but the signature or signatures were not acceptable.

DKIM results - Neutral
The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.

DKIM results - TempError
The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.

DKIM results - PermError
The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.
MoneyBird - SPAM

MoneyBird - Inbox

Cal Evans

Recap
DMARC
Domain-based Message Authentication, Reporting & Conformance
- Created in 2007 by PayPal and Yahoo!
- Later Gmail joined

What is DMARC
Remove the guesswork
Report back to the sender
DMARC record - JCID
Let's look at an example
_dmarc TXT "v=DMARC1;
  p=none;
  pct=100;
  rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com;
  sp=none;
  aspf=r;"

DMARC record - Version
v=DMARC1
This indicates the DMARC version in use.

DMARC record - Percentage
pct=100
Percentage of messages subjected to filtering

DMARC record - Aggregate reports
rua=mailto:aggrep@example.com
Reporting URI for aggregate reports

DMARC record - Failure reports
ruf=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com
Reporting URI for forensic (failure) reports

DMARC record - Policy
p=none
Policy for the domain
- none
- quarantine
- reject

DMARC record - Sub-domain policy
sp=none
Sub-domain policy

DMARC record - Alignment
adkim=s
Alignment mode for DKIM
- r = relaxed (default)
- s = strict mode

DMARC record - Alignment
aspf=r
Alignment mode for SPF
- r = relaxed (default)
- s = strict mode

Recap
DMARC
Aggregate report

DMARC
ZIP file
google.com!jcid.nl!1455062400!1455148799.zip
with XML aggregate report
google.com!jcid.nl!1455062400!1455148799.xml
DMARC report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4151131448954607551</report_id>
    <date_range>
      <begin>1455062400</begin>
      <end>1455148799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>jcid.nl</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>31.3.97.173</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>nonstopdeals.prod.jcid.nl</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>nonstopdeals.prod.jcid.nl</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>
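The record tags (p, sp, pct, adkim, aspf, rua) and the aggregate report above are two sides of the same mechanism: the receiver applies the published policy after checking whether the SPF or DKIM domain aligns with the From: domain, and reports what it saw. As an added example (not the slides' code), here is a Python script that parses a DMARC record with the spec's defaults, applies relaxed/strict alignment, and summarizes the Google report shown above (compacted, otherwise the slides' XML). The organizational-domain rule is a simplification: the last two labels, where real DMARC uses the Public Suffix List; pct sampling is not applied.

```python
"""DMARC record parsing, identifier alignment and aggregate-report summary
(added example, not the slides' code).  JCID_RECORD and REPORT_XML are the
record and report shown on the slides; org_domain() is simplified."""
import xml.etree.ElementTree as ET

JCID_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;"

REPORT_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <report_metadata><org_name>google.com</org_name><email>noreply-dmarc-support@google.com</email>
  <report_id>4151131448954607551</report_id><date_range><begin>1455062400</begin><end>1455148799</end></date_range>
 </report_metadata>
 <policy_published><domain>jcid.nl</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record>
  <row><source_ip>31.3.97.173</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>nonstopdeals.prod.jcid.nl</header_from></identifiers>
  <auth_results><spf><domain>nonstopdeals.prod.jcid.nl</domain><result>none</result></spf></auth_results>
 </record>
</feedback>"""


def parse_dmarc_record(txt, domain):
    """Tags of the _dmarc TXT record published at `domain`, with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    rec = {"domain": domain.lower(), "adkim": "r", "aspf": "r", "pct": 100,
           "rua": None, "ruf": None, **tags}
    rec["pct"] = int(rec["pct"])
    rec.setdefault("sp", rec["p"])                 # sub-domain policy defaults to p
    return rec


def org_domain(domain):
    """Simplification: last two labels (real DMARC consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict = exact match, relaxed = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(rec, header_from, spf_domain, spf_result, dkim_domain, dkim_result):
    """Receiver-side DMARC check for one message: pass if an aligned SPF or DKIM passes."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, rec["adkim"])
    passed = spf_ok or dkim_ok
    policy = rec["p"] if header_from.lower() == rec["domain"] else rec["sp"]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}


def summarize_report(xml_text):
    """Flatten an aggregate report into one dict per <record>."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    rows = []
    for rec in root.findall("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({"source_ip": row.findtext("source_ip"),
                     "count": int(row.findtext("count")),
                     "disposition": pe.findtext("disposition"),
                     "dkim": pe.findtext("dkim"), "spf": pe.findtext("spf"),
                     "header_from": rec.findtext("identifiers/header_from")})
    return {"org": root.findtext("report_metadata/org_name"),
            "report_id": root.findtext("report_metadata/report_id"),
            "domain": root.findtext("policy_published/domain"),
            "p": root.findtext("policy_published/p"), "rows": rows}


def unauthenticated_sources(summary):
    """Rows where neither DKIM nor SPF passed: fix these (or confirm they are abuse) before moving p= past none."""
    return [r for r in summary["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]


if __name__ == "__main__":
    print(summarize_report(REPORT_XML))
```

The report row reproduces the slides' situation: nonstopdeals.prod.jcid.nl had no SPF record and no DKIM signature, so both fail; only because the published policy (and sp=) is "none" was the message still delivered. That is exactly the kind of row to clear up while in monitor mode before moving to quarantine or reject.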
DMARC report
I'm in control

DMARC - Tools
1. Postmark App
2. Dmarcian

Postmark DMARC monitor

Dmarcian
Overview DNS records JCID
SPF
@ TXT v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all
DKIM
google._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+w63i8quIsOR09AfNup5pyt/jsSmKo/iQnOkT8EI1LOn6daR1GqR+5...
mandrill._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8N...
DMARC
_dmarc TXT v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;
How to start your own?
- Deploy SPF & DKIM
- Publish a DMARC record with the "none" flag set for the policies (monitor mode)
- Analyze the data and modify your DMARC policy
  - from "none" to "quar

antine" to "reject"

Any questions about the theory?

MXToolbox
Delivered-To: info@jcid.nl
Received: by 10.194.81.166 with SMTP id b6csp2710139wjy;
Thu, 3 Mar 2016 03:07:28 -0800 (PST)
X-Received: by 10.28.177.134 with SMTP id a128mr347820wmf.55.1457003248665;
Thu, 03 Mar 2016 03:07:28 -0800 (PST)
Return-Path: <ramon@delafuente.nl>
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com. [2a00:1450:400c:c09::236])
by mx.google.com with ESMTPS id b71si9817151wmd.46.2016.03.03.03.07.28
for <info@jcid.nl>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 03 Mar 2016 03:07:28 -0800 (PST)
Received-SPF: pass (google.com: domain of ramon@delafuente.nl designates 2a00:1450:400c:c09::236 as permitted sender) client-ip=2a00:1450:400c:c09::236;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of ramon@delafuente.nl designates 2a00:1450:400c:c09::236 as permitted sender) smtp.mailfrom=ramon@delafuente.nl;
dkim=pass header.i=@delafuente.nl
Received: by mail-wm0-x236.google.com with SMTP id l68so29526516wml.0
for <info@jcid.nl>; Thu, 03 Mar 2016 03:07:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=delafuente.nl; s=google;
h=date:from:to:message-id:in-reply-to:references:subject:mime-version;
bh=FSN7Fi9D6o/kqt5G7qz43kmPTxT4eFBfPTd+OGfRiZ4=;
b=RDqYimIWeTNR13wseVHStCgo+iVXpE5LeUFSpmJETvVC2OnxuEBOF9vlF5JfWjJ4C5
nheVvDqWUSRHo06kcZ+IgsWSGCIDUNrn14y065xCD9CTYCZcmuKWJyZhfYiSQco3GDiO
SVGnW36e3toxNzAtsPyhiN7Xt++euRCgoYbv8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:date:from:to:message-id:in-reply-to:references
:subject:mime-version;
bh=FSN7Fi9D6o/kqt5G7qz43kmPTxT4eFBfPTd+OGfRiZ4=;
b=WutHJxu1kCncM3pWRitfDiiNouwzedP7o6Ta7lfeRz5FGTfuuv1aQcURtZWtaXKp8S
YKlRPZa5VeQHuzerxsQrtKwTqHB2+N3FtQWmQVIdBQS+JRZ9tXeka3qeiLSRTqdI6huZ
lN6XgaF80KedTJqh1etPpMa92C+qbYbMhXmhacUhanfUdwWXQs7gIeOOds4YXK3hEgbT
mp9jU9ajA9sQumWUa5upPyw5DdKuSpiRt70J5BIU5DFgCXSBcdmxfiWaOYvnqRssSERD
6xdYKT8RnetKFn7h+gGDVjs4texPN1Inmek4tUIpIdq0a/hv5av8AJj/TCJiCNylJzCa
VxDw==
X-Gm-Message-State: AD7BkJL923JBKM2KJibPZmJoZ+9qAnqpVPywwpLQLsMUj+kfIf7dmPNeDOaCv4+cqCOEdA==
X-Received: by 10.28.194.132 with SMTP id s126mr5301943wmf.23.1457003248334;
Thu, 03 Mar 2016 03:07:28 -0800 (PST)
Return-Path: <ramon@delafuente.nl>
Received: from FzzBook.fritz.box ([2001:981:fe71:1:b0b1:c9bc:ec89:e494])
by smtp.gmail.com with ESMTPSA id az8sm34038471wjc.17.2016.03.03.03.07.27
for <info@jcid.nl>
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 03 Mar 2016 03:07:27 -0800 (PST)
Date: Thu, 3 Mar 2016 12:07:26 +0100
From: Ramon de la Fuente <ramon@delafuente.nl>
To: info@jcid.nl
Message-ID: <etPan.56d81aee.66334873.1174c@FzzBook.fritz.box>
In-Reply-To: <372a6aae6fcf4240ca8698381aed29ba@mijn.jcid.nl>
References: <372a6aae6fcf4240ca8698381aed29ba@mijn.jcid.nl>
Subject: Re: [#SFB-667-90513]: SweetLakePHP - Join the fight against
email spam!
X-Mailer: Airmail (249)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="56d81aee_74b0dc51_1174c"
Mail tester
The practice - domains

Thank you!
Jeffrey Cafferata
Twitter handle: @jcid

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Join the fight against email spam! - SweetlakePHP

  • 1. Join the fight against email spam!
  • 2. Why would we do this?
    - People waste their time sorting SPAM
    - Money is lost through phishing emails
      - banks, credit cards, invoices
    - No trust in their real message
    - Google forces you to!
  • 7. Who is sending emails from their applications?
  • 8. Who is running his own email server?
  • 9. Who is in charge of the DNS records?
  • 11. My email to bob@example.com has not arrived.¹ (¹ Our client(s))
  • 12. My email has not arrived.. Lots of reasons
    - The code doesn't send the email
    - The server IP address is on the (RBL) blacklist
    - The receiving server doesn't trust your IP address
    - The content is marked as SPAM
    - The email policy is not configured, or not optimally
  • 13. My email has not arrived.. What can we do about it?
    - Check the function of the script
    - Check the server IP address on the (RBL) blacklist
      - Submit for removal
    - Check the email policies [SPF/DKIM]
    - Use email service providers
  • 14. How we did it in the old days
    2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
    2016-04-01 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
    2016-04-01 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
    2016-04-01 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s
  • 24. Email authentication
    1. SPF
    2. DKIM
    3. DMARC
  • 27. SPF
    - Created in 2003
    - Declares which mail servers are used to send mail from your domain
    - Publish an SPF record in your DNS records
    - Technical method to prevent sender address forgery
  • 28. SPF
    This technology requires two sides to play together:
    1. The domain owner, publishing an SPF record
    2. The receiving server, checking for the domain's SPF records
  • 29. SPF
    If the message comes from an unknown server, it can be considered fake and could be rejected.
  • 30. SPF record - JCID
    Let's look at an example:
    jcid.nl. TXT "v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all"
  • 31. SPF record - SweetLake PHP
    The parts of the SPF record mean the following:
    sweetlakephp.nl. TXT "v=spf1 +a +mx include:spf.mandrillapp.com ~all"
    - v=spf1
    - a
      - 149.210.152.247
    - mx
      - mx.transip.email
    - include:spf.mandrillapp.com
    - ~all
  • 33. SPF mechanisms
    - Domains define zero or more mechanisms.
  • 34. SPF mechanisms
    all | ip4 | ip6 | a | mx | ptr | exists | include
  • 35. SPF mechanisms
    Mechanisms can be prefixed with one of four qualifiers:
    "+" Pass
    "-" Fail
    "~" SoftFail
    "?" Neutral
  • 36. SPF mechanisms
    The default qualifier is "+", i.e. "Pass".
  • 37. SPF - The "ip4" & "ip6" mechanism
    ip4:<ip4-address>
    ip4:<ip4-network>/<prefix-length>
    ip6:<ip6-address>
    ip6:<ip6-network>/<prefix-length>
  • 38. SPF - The "ip4" & "ip6" mechanism
    "v=spf1 ip4:192.168.0.1/16 -all"
    Allow any IP address between 192.168.0.1 and 192.168.255.255.
    "v=spf1 ip6:1080::8:800:200C:417A/96 -all"
    Allow any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
  • 39. SPF - The "a" & "mx" mechanism
    a
    a/<prefix-length>
    a:<domain>
    a:<domain>/<prefix-length>
    mx
    mx/<prefix-length>
    mx:<domain>
    mx:<domain>/<prefix-length>
  • 40. SPF - The "include" mechanism
    include:<domain>
    Example: include:spf.mandrillapp.com
  • 41. SPF - The "include" mechanism
    Exact Online example:
    ip4:xxx.xxx.xxx.xxx ip4:yyy.yyy.yyy.yyy ip4:zzz.zzz.zzz.zzz
  • 42. SPF record - SweetLake PHP
    sweetlakephp.nl. TXT "v=spf1 +a +mx include:spf.mandrillapp.com ~all"
  • 43. SPF mechanisms
    The default qualifier is "+", i.e. "Pass".
  • 44. SPF record - The "all" mechanism
    sweetlakephp.nl. TXT "v=spf1 +a +mx include:spf.mandrillapp.com ~all"
  • 47. SPF stats - All domains [chart: SPF -all - Stats, 1 April 2016]
  • 48. SPF stats - Domains with SPF record [chart: SPF -all - Stats, 1 April 2016]
  • 49. SPF - The "all" mechanism
    "v=spf1 mx -all"
  • 50. SPF - The "all" mechanism
    "v=spf1 -all"
  • 51. SPF - The "all" mechanism
    "v=spf1 +all"
  • 53. SPF results
    An SPF check can return any of these results:
    1. Pass
    ------------
    2. Fail
    3. SoftFail
    ------------
    4. Neutral
    5. None
    ------------
    6. PermError
    7. TempError
  • 55. SPF result 1 - Pass (accept)
    Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
  • 56. SPF result - Receiver
    Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
    receiver=bob.example.org: the host name of the SPF client
  • 57. SPF result
    Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
    client_ip=192.0.2.1: the IP address of the SMTP client
  • 58. SPF result
    Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
    envelope-from=alice@example.com: the envelope sender mailbox
  • 59. SPF result
    Received-SPF: pass (bob.example.org: domain of alice@example.com designates 192.0.2.1 as permitted sender) receiver=bob.example.org; client_ip=192.0.2.1; envelope-from=alice@example.com; helo=mailout00.controlledmail.com;
    helo: the host name given in the HELO or EHLO command
  • 60. SPF result
    2 - Fail (reject)
    Received-SPF: fail (bob.example.org: domain of alice@example.com does not designate 192.0.2.1 as permitted sender)
    3 - SoftFail (accept but marked)
    Received-SPF: softfail (bob.example.org: domain of transitioning alice@example.com does not designate 192.0.2.1 as permitted sender)
  • 61. SPF result
    4 - Neutral (accept)
    Received-SPF: neutral (bob.example.org: 192.0.2.1 is neither permitted nor denied by domain of alice@example.com)
    5 - None (accept)
    Received-SPF: none (bob.example.org: domain of alice@example.com does not designate permitted sender hosts)
  • 62. SPF result
    6 - PermError (unspecified)
    Received-SPF: permerror -extension:foo (bob.example.org: domain of alice@example.com uses mechanism not recognized by this client)
    7 - TempError (accept or reject)
    Received-SPF: temperror (bob.example.org: error in processing during lookup of alice@example.com: DNS timeout)
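The mechanisms, qualifiers and results from the SPF slides, put together as a small evaluator. This is an added example, not the talk's code or any SPF library: the DNS table is constructed in memory (sweetlakephp.nl's record, A and MX names are from slide 31; the other addresses and zones are made up) so it runs offline, and the a/mx forms with a prefix-length are not handled.

```python
"""Minimal SPF (RFC 7208) evaluator, added as an example; it is not the talk's
code or any library's. It handles the mechanisms from the slides (ip4, ip6, a,
mx, include, all) with the four qualifiers, using a constructed in-memory DNS
table instead of real lookups so it runs offline. sweetlakephp.nl's TXT, A and
MX entries follow slide 31; every other address and zone below is made up.
"""
import ipaddress

# Constructed DNS data keyed by name; a real evaluator would query DNS.
DNS = {
    "sweetlakephp.nl": {
        "TXT": "v=spf1 +a +mx include:spf.mandrillapp.com ~all",
        "A": ["149.210.152.247"],
        "MX": ["mx.transip.email"],
    },
    "mx.transip.email": {"A": ["203.0.113.25"]},
    "spf.mandrillapp.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"},
    "strict.example": {"TXT": "v=spf1 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _records(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def _ip_in(client_ip, target):
    """True if client_ip lies inside target, an address or CIDR block."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(target, strict=False)


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for client_ip.

    Returns pass, fail, softfail, neutral, none or permerror, as on the SPF
    results slides (temperror only arises with real DNS lookups).
    """
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"         # no SPF record published for this domain
    for term in record.split()[1:]:
        qualifier = "+"       # default qualifier is "+", i.e. Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = _ip_in(client_ip, arg)
            elif name == "a":
                matched = any(_ip_in(client_ip, a) for a in _records(arg or domain, "A"))
            elif name == "mx":
                matched = any(_ip_in(client_ip, a) for mx in _records(arg or domain, "MX")
                              for a in _records(mx, "A"))
            elif name == "include":
                # include matches only when the included record evaluates to pass
                matched = check_spf(arg, client_ip, depth + 1) == "pass"
            else:
                return "permerror"   # unknown mechanism, the permerror case of slide 62
        except ValueError:
            return "permerror"       # malformed address or prefix in the record
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no "all" term
```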
  • 68. Why DKIM?
    DKIM is an important authentication mechanism.
  • 69. DKIM
    - Email receivers
      - Phishing emails (banks, credit cards, invoices)
    - Email senders
      - No trust in their real message
  • 70. DKIM
    Two proposals took shape in 2005:
    1. Yahoo's DomainKeys
    2. Cisco's Identified Internet Mail
  • 71. DKIM
    Both proposals were based on the use of "Public Key Cryptography".
  • 72. DKIM
    In mid 2005 the IETF (Internet Engineering Task Force) submitted the draft "DomainKeys Identified Mail (DKIM)" specification.
  • 73. How does DKIM work?
  • 74. How does DKIM work?
    1. The author wishes to send an email to a recipient.
    2. They (their mailing software) calculate a crypto signature
       - that covers the relevant parts of the message, using the private key.
    3. The signature is placed in the email header
       - and the message is then sent normally by the mail server.
    4. At any point in transit the signature is validated using the public key.
    5. If any part of the message covered by the signature was manipulated,
       - the signature won't validate and the recipient will be alerted.
  • 75. How does DKIM work?
    - Public key cryptography, like SSH
    - Private key vs. public key
    - DKIM uses DNS to publish the public keys
  • 78. DKIM header - Version
    v=1
    This indicates the DKIM version in use.
  • 79. DKIM header - Algorithm
    a=rsa-sha256
    The algorithm suite that was used to generate the crypto signature. The current specification defines two:
    - rsa-sha1
    - rsa-sha256
  • 80. DKIM header - Canonicalization
    c=simple/relaxed
    Note that the c= tag defines two algorithms: the first for the headers, the second for the body.
  • 81. DKIM header - Domain
    d=jcid.nl
  • 82. DKIM header - Selector
    s=mandrill
  • 83. DKIM header - Selector
    txt:mandrill._domainkey.jcid.nl
    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB
  • 84. DKIM header - Timestamp
    t=1399817581
  • 85. DKIM header - Body hash
    bh=Pl25…dcMqN+E=
  • 86. DKIM header - Header list
    h=Message-ID:Date:Subject:From:...
  • 87. DKIM header - Data
    b=Xp/nL93bv6Qo73K…KmskU/xefbYhHUA=
    - The crypto signature data itself, encoded in Base64 and possibly with whitespace inserted to conform to line length limitations.
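The DKIM-Signature tags above (a=, c=, d=, s=, bh=) can be checked without any key material, which is a useful first step when debugging "dkim=fail": canonicalize the body the way c= says, hash it and compare with bh=. This added example, not the talk's code or any DKIM library's, does exactly that on a constructed message; the b= signature itself is left unverified.

```python
"""DKIM body-hash check, added as an example (not the talk's or a library's
code). It covers the key-free half of verification: canonicalize the body per
the c= tag, hash with the a= algorithm and compare with bh=. Message is constructed.
"""
import base64
import hashlib
import re

HASHES = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}

# Constructed message with CRLF line endings; BH_PLACEHOLDER is swapped for
# the real body hash by the caller, and b= is left empty (not verified here).
RAW_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.org\r\n"
    "Subject: hello\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=mandrill; h=From:To:Subject; bh=BH_PLACEHOLDER; b=\r\n"
    "\r\n"
    "Hello Bob,  \r\n"
    "\r\n"
    "this is   the body.\r\n"
    "\r\n"
    "\r\n"
)


def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.split("\r\n")
    if mode == "relaxed":   # strip trailing WSP, squeeze WSP runs to one space
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization " + mode)
    while lines and lines[-1] == "":   # both modes drop trailing empty lines
        lines.pop()
    if not lines:                      # empty body: simple hashes one CRLF
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode, algorithm="rsa-sha256"):
    """Base64 digest of the canonicalized body, i.e. the bh= value."""
    digest = HASHES[algorithm](canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_tags(head):
    """Tag dict from the DKIM-Signature header, or None when unsigned."""
    for line in re.sub(r"\r\n[ \t]+", " ", head).split("\r\n"):  # unfold
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
            return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}
    return None


def verify_body_hash(raw):
    """Return (ok, note): does bh= match the body? The note names the
    DNS record (selector._domainkey.domain) a full verifier would fetch."""
    head, _, body = raw.partition("\r\n\r\n")
    tags = dkim_tags(head)
    if tags is None:
        return False, "none: message is not signed"
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    computed = body_hash(body, body_mode, tags.get("a", "rsa-sha256"))
    record = f"{tags.get('s')}._domainkey.{tags.get('d')}"
    if computed != tags.get("bh"):
        return False, f"fail: body hash mismatch (key record {record})"
    return True, f"body hash ok; signature key record: {record}"
```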
  • 88. DKIM results
    The possible results for your DKIM test are:
    1. Pass
    2. Fail
    3. None
    4. Policy
    5. Neutral
    6. TempError
    7. PermError
  • 89. DKIM results - Pass
    The message was signed, the signature or signatures were acceptable, and the signature(s) passed verification tests.
  • 90. DKIM results - Fail
    The message was signed and the signature or signatures were acceptable, but they failed the verification test(s).
  • 91. DKIM results - None
    The message was not signed.
  • 92. DKIM results - Policy
    The message was signed but the signature or signatures were not acceptable.
  • 93. DKIM results - Neutral
    The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed.
  • 94. DKIM results - TempError
    The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.
  • 95. DKIM results - PermError
    The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.
  • 103. DMARC
    - Created in 2007 by PayPal and Yahoo!
    - Later Gmail joined
  • 105. What is DMARC?
    Remove the guesswork.
  • 106. What is DMARC?
    Report back to the sender.
  • 108. DMARC record - JCID
    Let's look at an example:
    _dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;"
  • 109. DMARC record - Version
    v=DMARC1
    This indicates the DMARC version in use.
  • 110. DMARC record - Percentage
    pct=100
    Percentage of messages subjected to filtering.
  • 111. DMARC record - Aggregate report
    rua=mailto:aggrep@example.com
    Reporting URI of aggregate reports.
  • 112. DMARC record - Failure reports
    ruf=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com
    Reporting URI for forensic reports.
  • 113. DMARC record - Policy
    p=none
    Policy for the domain:
    - none
    - quarantine
    - reject
  • 114. DMARC record - Sub-domain policy
    sp=none
    Sub-domain policy.
  • 115. DMARC record - Alignment
    adkim=s
    Alignment mode for DKIM:
    - r = relaxed (default)
    - s = strict mode
  • 116. DMARC record - Alignment
    aspf=r
    Alignment mode for SPF:
    - r = relaxed (default)
    - s = strict mode
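How the tags in slides 108 to 116 are applied to a message: an added example, not the talk's code or any DMARC library's, that parses a `_dmarc` record with the RFC defaults filled in, checks relaxed and strict alignment of the SPF and DKIM domains against the header From domain, and picks p= or sp=. The organizational-domain rule is simplified (last two labels) and pct= sampling is ignored; STRICT_RECORD is constructed.

```python
"""DMARC (RFC 7489) record parsing and identifier alignment, added as an
example; not the talk's code. Caveat: the organizational domain is taken as
the last two labels, which is wrong for public suffixes like co.uk; real
implementations consult the Public Suffix List. pct= sampling is ignored.
"""

# The _dmarc record from slide 108, plus a constructed strict one for contrast.
JCID_RECORD = ("v=DMARC1; p=none; pct=100; "
               "rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;")
STRICT_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s"


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...' into a dict, filling in the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")      # relaxed is the default for both
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # sub-domain policy defaults to p=
    return tags


def organizational_domain(domain):
    """Simplified: last two labels (see caveat above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """s = strict (exact match), r = relaxed (same organizational domain)."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_evaluate(record_txt, header_from, spf_domain, spf_result,
                   dkim_domain, dkim_result):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when SPF passed and its MAIL FROM domain aligns with the
    header From domain, or DKIM passed and its d= domain aligns. Otherwise
    p= applies, or sp= when the From domain is a sub-domain.
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = header_from.lower().rstrip(".") != organizational_domain(header_from)
    return "fail", rec["sp"] if is_subdomain else rec["p"]
```

The third assertion-style case in the test mirrors the report row on slide 121: a sub-domain sender with no SPF record and no DKIM fails DMARC, and with sp=none the disposition stays "none".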
  • 120. DMARC ZIP file
    google.com!jcid.nl!1455062400!1455148799.zip
    with XML aggregate report
    google.com!jcid.nl!1455062400!1455148799.xml
  • 121. DMARC report
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>4151131448954607551</report_id>
        <date_range>
          <begin>1455062400</begin>
          <end>1455148799</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>jcid.nl</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>31.3.97.173</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>nonstopdeals.prod.jcid.nl</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>nonstopdeals.prod.jcid.nl</domain>
            <result>none</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
  • 122. DMARC report
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>4151131448954607551</report_id>
        <date_range>
          <begin>1455062400</begin>
          <end>1455148799</end>
        </date_range>
      </report_metadata>
    </feedback>
  • 123. DMARC report
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <policy_published>
        <domain>jcid.nl</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
      </policy_published>
    </feedback>
  • 124. DMARC report
    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <record>
        <row>
          <source_ip>31.3.97.173</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>nonstopdeals.prod.jcid.nl</header_from>
        </identifiers>
        <auth_results>
          <spf>
            <domain>nonstopdeals.prod.jcid.nl</domain>
            <result>none</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
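Reading the aggregate report above by hand stops scaling after the first few reporters, so here is an added example, not the talk's code or any vendor's tool, that unpacks the .zip from slide 120 and reduces each record to the fields worth looking at (source IP, volume, aligned DKIM/SPF results, header From, raw SPF result). The sample XML follows the structure of slides 121 to 124; its IPs, counts and the second record are constructed.

```python
"""Reader for DMARC aggregate (rua) reports, added as an example; not the
talk's or any reporter's code. SAMPLE_REPORT is constructed after the
structure shown in the slides; its IPs, counts and second record are made up.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <report_metadata><org_name>google.com</org_name>
  <date_range><begin>1455062400</begin><end>1455148799</end></date_range></report_metadata>
 <policy_published><domain>jcid.nl</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>jcid.nl</header_from></identifiers>
  <auth_results><dkim><domain>jcid.nl</domain><result>pass</result></dkim><spf><domain>jcid.nl</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>nonstopdeals.prod.jcid.nl</header_from></identifiers>
  <auth_results><spf><domain>nonstopdeals.prod.jcid.nl</domain><result>none</result></spf></auth_results></record>
</feedback>
"""


def parse_report(xml_bytes):
    """Return (metadata dict, list of per-source row dicts) for one report."""
    root = ET.fromstring(xml_bytes)
    meta = {
        "org": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "begin": int(root.findtext("report_metadata/date_range/begin")),
        "end": int(root.findtext("report_metadata/date_range/end")),
    }
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),  # aligned DKIM result
            "spf": rec.findtext("row/policy_evaluated/spf"),    # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
            # raw SPF result before alignment; "none" means no SPF record was found
            "spf_raw": rec.findtext("auth_results/spf/result"),
        })
    return meta, rows


def unaligned_sources(rows):
    """Rows where neither DKIM nor SPF passed aligned: the senders to investigate."""
    return [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]


def reports_from_zip(zip_bytes):
    """Reporters mail the XML inside a .zip (slide 120); parse every XML member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [parse_report(zf.read(n)) for n in zf.namelist() if n.endswith(".xml")]


def build_sample_zip():
    """Constructed .zip holding SAMPLE_REPORT, named the way Google names them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("google.com!jcid.nl!1455062400!1455148799.xml", SAMPLE_REPORT)
    return buf.getvalue()
```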
  • 125. DMARC report: I'm in control
  • 126. DMARC - Tools
    1. Postmark App
    2. Dmarcian
  • 131. Overview DNS records JCID
    SPF
      @ TXT v=spf1 include:spf.jcid.nl include:_spf.google.com include:spf.mandrillapp.com include:_spf.exactonline.nl -all
    DKIM
      google._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+w63i8quIsOR09AfNup5pyt/jsSmKo/iQnOkT8EI1LOn6daR1GqR+5...
      mandrill._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8N...
    DMARC
      _dmarc TXT v=DMARC1; p=none; pct=100; rua=mailto:re+oqz4ekvxqt0@dmarc.postmarkapp.com; sp=none; aspf=r;
  • 132. How to start your own?
    - Deploy SPF & DKIM
    - Publish a DMARC record with the "none" flag set for the policies (monitor mode)
    - Analyze the data and modify your DMARC policy
      - from "none" to "quarantine" to "reject"
  • 133. Any questions about the theory?
  • 139.
    Delivered-To: info@jcid.nl
    Received: by 10.194.81.166 with SMTP id b6csp2710139wjy;
            Thu, 3 Mar 2016 03:07:28 -0800 (PST)
    X-Received: by 10.28.177.134 with SMTP id a128mr347820wmf.55.1457003248665;
            Thu, 03 Mar 2016 03:07:28 -0800 (PST)
    Return-Path: <ramon@delafuente.nl>
    Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com. [2a00:1450:400c:c09::236])
            by mx.google.com with ESMTPS id b71si9817151wmd.46.2016.03.03.03.07.28
            for <info@jcid.nl>
            (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Thu, 03 Mar 2016 03:07:28 -0800 (PST)
    Received-SPF: pass (google.com: domain of ramon@delafuente.nl designates 2a00:1450:400c:c09::236 as permitted sender) client-ip=2a00:1450:400c:c09::236;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of ramon@delafuente.nl designates 2a00:1450:400c:c09::236 as permitted sender) smtp.mailfrom=ramon@delafuente.nl;
           dkim=pass header.i=@delafuente.nl
    Received: by mail-wm0-x236.google.com with SMTP id l68so29526516wml.0
            for <info@jcid.nl>; Thu, 03 Mar 2016 03:07:28 -0800 (PST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=delafuente.nl; s=google;
            h=date:from:to:message-id:in-reply-to:references:subject:mime-version;
            bh=FSN7Fi9D6o/kqt5G7qz43kmPTxT4eFBfPTd+OGfRiZ4=;
            b=RDqYimIWeTNR13wseVHStCgo+iVXpE5LeUFSpmJETvVC2OnxuEBOF9vlF5JfWjJ4C5
             nheVvDqWUSRHo06kcZ+IgsWSGCIDUNrn14y065xCD9CTYCZcmuKWJyZhfYiSQco3GDiO
             SVGnW36e3toxNzAtsPyhiN7Xt++euRCgoYbv8=
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20130820;
            h=x-gm-message-state:date:from:to:message-id:in-reply-to:references
             :subject:mime-version;
            bh=FSN7Fi9D6o/kqt5G7qz43kmPTxT4eFBfPTd+OGfRiZ4=;
            b=WutHJxu1kCncM3pWRitfDiiNouwzedP7o6Ta7lfeRz5FGTfuuv1aQcURtZWtaXKp8S
             YKlRPZa5VeQHuzerxsQrtKwTqHB2+N3FtQWmQVIdBQS+JRZ9tXeka3qeiLSRTqdI6huZ
             lN6XgaF80KedTJqh1etPpMa92C+qbYbMhXmhacUhanfUdwWXQs7gIeOOds4YXK3hEgbT
             mp9jU9ajA9sQumWUa5upPyw5DdKuSpiRt70J5BIU5DFgCXSBcdmxfiWaOYvnqRssSERD
             6xdYKT8RnetKFn7h+gGDVjs4texPN1Inmek4tUIpIdq0a/hv5av8AJj/TCJiCNylJzCa
             VxDw==
    X-Gm-Message-State: AD7BkJL923JBKM2KJibPZmJoZ+9qAnqpVPywwpLQLsMUj+kfIf7dmPNeDOaCv4+cqCOEdA==
    X-Received: by 10.28.194.132 with SMTP id s126mr5301943wmf.23.1457003248334;
            Thu, 03 Mar 2016 03:07:28 -0800 (PST)
    Return-Path: <ramon@delafuente.nl>
    Received: from FzzBook.fritz.box ([2001:981:fe71:1:b0b1:c9bc:ec89:e494])
            by smtp.gmail.com with ESMTPSA id az8sm34038471wjc.17.2016.03.03.03.07.27
            for <info@jcid.nl>
            (version=TLSv1/SSLv3 cipher=OTHER);
            Thu, 03 Mar 2016 03:07:27 -0800 (PST)
    Date: Thu, 3 Mar 2016 12:07:26 +0100
    From: Ramon de la Fuente <ramon@delafuente.nl>
    To: info@jcid.nl
    Message-ID: <etPan.56d81aee.66334873.1174c@FzzBook.fritz.box>
    In-Reply-To: <372a6aae6fcf4240ca8698381aed29ba@mijn.jcid.nl>
    References: <372a6aae6fcf4240ca8698381aed29ba@mijn.jcid.nl>
    Subject: Re: [#SFB-667-90513]: SweetLakePHP - Join the fight against email spam!
    X-Mailer: Airmail (249)
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="56d81aee_74b0dc51_1174c"
  • 145. The practice - domains