ݺߣ

ݺߣShare a Scribd company logo

Using DMARC to Improve Your Email Reputation

?Download as PPTX, PDF?
?
T
Terry Zink

Terry Zink of Microsoft's presentation from Virus Bulletin 2014 in Seattle - Using DMARC to Improve Your Email Reputation.

1 of 28
Using DMARC to Improve Your Email Reputation
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
Toms a pilot for Zinko Airlines. He flies mostly commercial passenger jets but occasionally he does private jets in his spare time. Hes a very responsible pilot. He reads his manifests, checks the weather and forecasts ahead of time, and ensures that people have a smooth flight. He gets weather alerts every morning. ZA I R L I N E S inko
Zinko Air Weather Alerts Weather Alert for Sept 25, 2014 Thu 9/25, 5:30 am To: tzink@zinkoairlines.com Zinko A I R L I N E S Your daily weather alert is below: Login to view your customized weather report Zinko Airlines | Privacy | Oceanic Airlines | Privacy | Terms of Use | Unsubscribe One day, Tom gets an email from Zinko Airliness daily weather alert service. He clicks the link to go to the companys internal website where they have the daily schedule and weather information.
ZA I R L I N E S inko Zinko Air Weather Alerts Corporate Weather Alert for sign Sept 25, in 2014 Thu 9/25, 5:30 am user@tzink@zinkoairlines.com com To: tzink@zinkoairlines.com ZPassword inko A I R L I N E S Sign in Your daily weather alert is below: Login to view your customized weather report Zinko Airlines | Privacy | Oceanic Airlines | Privacy | Terms of Use | Unsubscribe ? 2014 Zinko Airlines zinkoairlines.phpforms.net/q1xfr4 Close, but not the right URL! He enters in his information to login and receives a login failure. He is directed back to the companys web page where he logs in again. But the damage has been done. Tom has been fooled into surrendering his login credentials to a phisher.
1. Looks like the real thing 2. Hard for users to notice anything that is off 3. Traditional anti-spam techniques dont work
1. Looks like the real thing 2. Hard for users to notice anything that is off 3. Traditional anti-spam techniques dont work Anti-abuse techniques usually focus on the filter to sort out good email from spam; however, phishing has the following characteristics: a) Sent from IP addresses and/or domains that dont have previous bad reputation b) Domains may authenticate with SPF or DKIM but this is hidden from the user c) Even the 5322.From may be hidden from the user, depending on the email client
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
Zinko Air Weather Alerts Weather Alert for Sept 25, 2014 Thu 9/25, 5:30 am To: tzink@zinkoairlines.com Zinko A I R L I N E S Your daily weather alert is below: Login to view your customized weather report Oceanic Airlines | Privacy | Terms of Use | Unsubscribe Yes. Yes. No Zinko Airlines | Privacy |
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
Not losing Fixing the phishing important email problem
Using DMARC to Improve Your Email Reputation
s Mail filter 1. Spammer on the Internet sends an email spoofing joe@example.com 2. Message does not pass DKIM or SPF, fails DMARC, mark message as spam 3. Send a notification back to dmarc_failures@example.com 4. Admins at example.com investigate the spammer Hmm, someone is spoofing me!
Mail filter 1. joe@example.com sends a message from a new set of servers 2. Message does not pass DKIM or SPF, fails DMARC 3. Send a notification back to dmarc_failures@example.com 4. Oops, I forgot to add this machine s IPs to my SPF record, and forgot to enable DKIM.
Mail filter 1. 3rd party mail server sends MAIL FROM alerts@3rdParty.com, From: alerts@example.com 2. Message passes SPF and DKIM, but RFC5321 MailFrom does not match RFC 5322 From 3. Send a notification back to dmarc_failures@example.com 3rd party mail server 4. Oops, I forgot to delegate a subdomain to this 3rd party mailer like Terry Zink explained on his blog.
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
In chess strategy, there is a rule C always protect the queen. The reason is that your queen is your most powerful piece. It can attack in any direction and any player that loses his or her queen greatly weakens his position. If you have a strategy where you might lose your queen it is usually wise to fallback to a less risky strategy where you can retain it. Image taken from Flickr Creative Commons: https://www.flickr.com/photos/dlkinney/357134468/
Yet in chess, there are times when it makes perfect sense to sacrifice your queen C when you can increase the strength of your own position relative to your opponents. If you make him or her weaker than you make yourself, it is a net positive; its even a good thing to lose your queen! There are no hard-and-fast rules in chess.
DMARC is the same. In general, you will always want to authenticate your email and most of the time when it fails DMARC, it is malicious. This is true most of the time, but not always. Just like in chess, losing your queen is not always a bad thing, in email failing DMARC is not always because a domain is being spoofed maliciously.
Case 1: SPF only works if the message originates here and is slightly modified here, DMARC can break Case 2: If the message originates here
Case 1: SPF only works if the message originates here and is slightly modified here, DMARC can break Occurs all the time with legitimate mailing lists, still being worked out by the DMARC working group. Case 2: If the message originates here
1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
Using DMARC to Improve Your Email Reputation
Step 1 C Microsoft decided how to receive DMARC reports (used a 3rd party) Step 2 C Published a DMARC record Step 3 C Sorted through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sorted through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sorted through the DMARC reports for IPs that are external to the company and failing authentication.
Step 6 C Got all the internal teams to properly authenticate email (about 30 of them) Step 7 C Updated DKIM keys Step 8 C Update the SPF record to a hard fail, now more difficult for spammers to spoof Microsoft Step 9 C Next: Publish a DMARC record of p=quarantine
1. DMARC solves one aspect of phishing 2. DMARC lets domains be more secure 3. But, DMARC still has challenges that are not yet solved
? 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related Content

Using DMARC to Improve Your Email Reputation

  • 2. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 3. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 4. Toms a pilot for Zinko Airlines. He flies mostly commercial passenger jets but occasionally he does private jets in his spare time. Hes a very responsible pilot. He reads his manifests, checks the weather and forecasts ahead of time, and ensures that people have a smooth flight. He gets weather alerts every morning. ZA I R L I N E S inko
  • 5. Zinko Air Weather Alerts Weather Alert for Sept 25, 2014 Thu 9/25, 5:30 am To: tzink@zinkoairlines.com Zinko A I R L I N E S Your daily weather alert is below: Login to view your customized weather report Zinko Airlines | Privacy | Oceanic Airlines | Privacy | Terms of Use | Unsubscribe One day, Tom gets an email from Zinko Airliness daily weather alert service. He clicks the link to go to the companys internal website where they have the daily schedule and weather information.
  • 6. ZA I R L I N E S inko Zinko Air Weather Alerts Corporate Weather Alert for sign Sept 25, in 2014 Thu 9/25, 5:30 am user@tzink@zinkoairlines.com com To: tzink@zinkoairlines.com ZPassword inko A I R L I N E S Sign in Your daily weather alert is below: Login to view your customized weather report Zinko Airlines | Privacy | Oceanic Airlines | Privacy | Terms of Use | Unsubscribe ? 2014 Zinko Airlines zinkoairlines.phpforms.net/q1xfr4 Close, but not the right URL! He enters in his information to login and receives a login failure. He is directed back to the companys web page where he logs in again. But the damage has been done. Tom has been fooled into surrendering his login credentials to a phisher.
  • 7. 1. Looks like the real thing 2. Hard for users to notice anything that is off 3. Traditional anti-spam techniques dont work
  • 8. 1. Looks like the real thing 2. Hard for users to notice anything that is off 3. Traditional anti-spam techniques dont work Anti-abuse techniques usually focus on the filter to sort out good email from spam; however, phishing has the following characteristics: a) Sent from IP addresses and/or domains that dont have previous bad reputation b) Domains may authenticate with SPF or DKIM but this is hidden from the user c) Even the 5322.From may be hidden from the user, depending on the email client
  • 9. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 10. Zinko Air Weather Alerts Weather Alert for Sept 25, 2014 Thu 9/25, 5:30 am To: tzink@zinkoairlines.com Zinko A I R L I N E S Your daily weather alert is below: Login to view your customized weather report Oceanic Airlines | Privacy | Terms of Use | Unsubscribe Yes. Yes. No Zinko Airlines | Privacy |
  • 11. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 12. Not losing Fixing the phishing important email problem
  • 14. s Mail filter 1. Spammer on the Internet sends an email spoofing joe@example.com 2. Message does not pass DKIM or SPF, fails DMARC, mark message as spam 3. Send a notification back to dmarc_failures@example.com 4. Admins at example.com investigate the spammer Hmm, someone is spoofing me!
  • 15. Mail filter 1. joe@example.com sends a message from a new set of servers 2. Message does not pass DKIM or SPF, fails DMARC 3. Send a notification back to dmarc_failures@example.com 4. Oops, I forgot to add this machine s IPs to my SPF record, and forgot to enable DKIM.
  • 16. Mail filter 1. 3rd party mail server sends MAIL FROM alerts@3rdParty.com, From: alerts@example.com 2. Message passes SPF and DKIM, but RFC5321 MailFrom does not match RFC 5322 From 3. Send a notification back to dmarc_failures@example.com 3rd party mail server 4. Oops, I forgot to delegate a subdomain to this 3rd party mailer like Terry Zink explained on his blog.
  • 17. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 18. In chess strategy, there is a rule C always protect the queen. The reason is that your queen is your most powerful piece. It can attack in any direction and any player that loses his or her queen greatly weakens his position. If you have a strategy where you might lose your queen it is usually wise to fallback to a less risky strategy where you can retain it. Image taken from Flickr Creative Commons: https://www.flickr.com/photos/dlkinney/357134468/
  • 19. Yet in chess, there are times when it makes perfect sense to sacrifice your queen C when you can increase the strength of your own position relative to your opponents. If you make him or her weaker than you make yourself, it is a net positive; its even a good thing to lose your queen! There are no hard-and-fast rules in chess.
  • 20. DMARC is the same. In general, you will always want to authenticate your email and most of the time when it fails DMARC, it is malicious. This is true most of the time, but not always. Just like in chess, losing your queen is not always a bad thing, in email failing DMARC is not always because a domain is being spoofed maliciously.
  • 21. Case 1: SPF only works if the message originates here and is slightly modified here, DMARC can break Case 2: If the message originates here
  • 22. Case 1: SPF only works if the message originates here and is slightly modified here, DMARC can break Occurs all the time with legitimate mailing lists, still being worked out by the DMARC working group. Case 2: If the message originates here
  • 23. 1. The problem 2. How does DMARC work? 3. The unexpected upside of DMARC 4. The unexpected downside of DMARC 5. Case study 6. Conclusion
  • 25. Step 1 C Microsoft decided how to receive DMARC reports (used a 3rd party) Step 2 C Published a DMARC record Step 3 C Sorted through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sorted through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sorted through the DMARC reports for IPs that are external to the company and failing authentication.
  • 26. Step 6 C Got all the internal teams to properly authenticate email (about 30 of them) Step 7 C Updated DKIM keys Step 8 C Update the SPF record to a hard fail, now more difficult for spammers to spoof Microsoft Step 9 C Next: Publish a DMARC record of p=quarantine
  • 27. 1. DMARC solves one aspect of phishing 2. DMARC lets domains be more secure 3. But, DMARC still has challenges that are not yet solved
  • 28. ? 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Editor's Notes

  1. Solid background, with 1 box highlight
  2. Meet Jack. Hes a pilot for Oceanic Airlines. He flies mostly commercial passenger jets but occasionally he does private jets in his spare time. Hes a very responsible pilot. He reads his manifests, checks the weather and forecasts ahead of time, and ensures that people have a smooth flight. He gets weather alerts every morning. One day, Jack gets an email from Oceanic Airliness daily weather alert service. He clicks the link to go to the companys internal website where they have the daily schedule and weather information. He enters in his information to login and receives a login failure. He is directed back to the companys web page where he logs in again. Jack has just become a victim of a spear phishing attack.
  3. Users are tricked into believing What you see is all there is (Kahneman and Tvetsky) Very difficult to inspect on mobile devices which frequently hide the domain; Hover to uncover not available, Looking at the base URL often encodes the target into the abusive URL Anti-abuse techniques usually focus on the filter which is reliable and predictable, rather than the user who is not Sent from IP addresses and/or domains that dont have previous bad reputation Domains may authenticate with SPF or DKIM but this is hidden from the user Even the 5322.From may be hidden from the user, depending on the email client
  4. Image taken from Flickr Creative Commons: https://www.flickr.com/photos/dlkinney/357134468/ In chess strategy, there is a rule C always protect the queen. The reason is that your queen is your most powerful piece. It can attack in any direction and any player that loses his or her queen greatly weakens his position. If you have a strategy where you might lose your queen it is usually wise to fallback to a less risky strategy where you can retain it. Yet in chess, there are times when it makes perfect sense to sacrifice your queen C when you can increase the strength of your own position relative to your opponents. If you make him or her weaker than you make yourself, it is a net positive; its even a good thing to lose your queen! There are no hard-and-fast rules in chess. DMARC is the same. In general, you will always want to authenticate your email and most of the time when it fails DMARC, it is malicious. This is true most of the time, but not always. Just like in chess, losing your queen is not always a bad thing, in email failing DMARC is not always because a domain is being spoofed maliciously.
  5. Image taken from Flickr Creative Commons: https://www.flickr.com/photos/dlkinney/357134468/ In chess strategy, there is a rule C always protect the queen. The reason is that your queen is your most powerful piece. It can attack in any direction and any player that loses his or her queen greatly weakens his position. If you have a strategy where you might lose your queen it is usually wise to fallback to a less risky strategy where you can retain it. Yet in chess, there are times when it makes perfect sense to sacrifice your queen C when you can increase the strength of your own position relative to your opponents. If you make him or her weaker than you make yourself, it is a net positive; its even a good thing to lose your queen! There are no hard-and-fast rules in chess. DMARC is the same. In general, you will always want to authenticate your email and most of the time when it fails DMARC, it is malicious. This is true most of the time, but not always. Just like in chess, losing your queen is not always a bad thing, in email failing DMARC is not always because a domain is being spoofed maliciously.
  6. Image taken from Flickr Creative Commons: https://www.flickr.com/photos/dlkinney/357134468/ In chess strategy, there is a rule C always protect the queen. The reason is that your queen is your most powerful piece. It can attack in any direction and any player that loses his or her queen greatly weakens his position. If you have a strategy where you might lose your queen it is usually wise to fallback to a less risky strategy where you can retain it. Yet in chess, there are times when it makes perfect sense to sacrifice your queen C when you can increase the strength of your own position relative to your opponents. If you make him or her weaker than you make yourself, it is a net positive; its even a good thing to lose your queen! There are no hard-and-fast rules in chess. DMARC is the same. In general, you will always want to authenticate your email and most of the time when it fails DMARC, it is malicious. This is true most of the time, but not always. Just like in chess, losing your queen is not always a bad thing, in email failing DMARC is not always because a domain is being spoofed maliciously.
  7. Step 1 C Decide how to receive DMARC reports Step 2 C Publish a DMARC record Step 3 C Sort through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sort through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sort through the DMARC reports for IPs that are external to the company and failing authentication Step 6 C Update DKIM keys Step 7 C Update the SPF record to a hard fail Step 8 C Publish a DMARC record of p=quarantine
  8. Step 1 C Decide how to receive DMARC reports Step 2 C Publish a DMARC record Step 3 C Sort through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sort through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sort through the DMARC reports for IPs that are external to the company and failing authentication Step 6 C Update DKIM keys Step 7 C Update the SPF record to a hard fail Step 8 C Publish a DMARC record of p=quarantine
  9. Step 1 C Decide how to receive DMARC reports Step 2 C Publish a DMARC record Step 3 C Sort through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sort through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sort through the DMARC reports for IPs that are external to the company and failing authentication Step 6 C Update DKIM keys Step 7 C Update the SPF record to a hard fail Step 8 C Publish a DMARC record of p=quarantine
  10. Step 1 C Decide how to receive DMARC reports Step 2 C Publish a DMARC record Step 3 C Sort through the DMARC reports for IPs that are used for corporate traffic Step 4 C Sort through the DMARC reports for IPs that are internal to the company but failing authentication Step 5 C Sort through the DMARC reports for IPs that are external to the company and failing authentication Step 6 C Update DKIM keys Step 7 C Update the SPF record to a hard fail Step 8 C Publish a DMARC record of p=quarantine