Secure e-mail: how to protect your e-mails from identity theft

In 2016, 37% of businesses fell victim to phishing. Find out why emails are vulnerable to identity theft, and how you can protect yourself by deploying 3 existing standards:

  • SPF, Sender Policy Framework: to specify who is authorized to send e-mails in its (domain’s) name;
  • DKIM, DomainKeys Identified Mail: to check the origin and integrity of your e-mails;
  • DMARC, Domain-based Message Authentication, Reporting and Conformance: tells the receiver what to do in the event of SPF and DKIM failure.

Phishing attacks on the rise in 2016

Email-based attacks are growing in number and becoming increasingly targeted. According to a November 2016 Kaspersky Labs report, based on data from 4,000 companies in 25 countries, 37% suffered at least one phishing attack in 2016.

Phishing is a hacking technique that consists of sending mass e-mails containing an attachment which, when opened, installs a Locky-type virus, or a link to a form imitating an official service (bank, e-mail service, etc.), in order to steal the victim’s login details or credit card number.

This type of attack exploits a human vulnerability by betting on the lack of vigilance or training of some of the message’s recipients. A well-trained user will be able to identify suspicious domain names in addresses and links, or the extensions of files sent as attachments (a “.js” attachment, for instance).

Email-spoofing and identity theft at the heart of spectacular attacks

While phishing is akin to fishing with a net, spear-phishing refers to an approach in which the hacker targets a specific individual or company. In the first stage, the identity, role and official e-mail address of key people in the organization are obtained by analyzing social networks and the company’s website. In the second stage, a scenario is constructed to obtain the desired action by sending an email that frequently impersonates the authentic email address of a company executive.

There is no typical victim profile. This type of attack has been used against SMEs, to embezzle funds, against listed companies, such as the Vinci group, to manipulate a stock price, or even against states, as attested by the report from the US Department of Homeland Security made public in December 2016. In it, we learn that a group of hackers linked to Russia maintained long-term access to various government organizations and political parties, using email spoofing in particular.

No sender verification required by e-mail standards

How e-mail works is defined in several RFCs, which are normative texts for the technical aspects of the Internet. The most recent date from 2008 and are RFC 5321, which defines SMTP, the e-mail routing protocol, and RFC 5322, which defines the message format.

These standards make no provision for checking the authenticity of the sender, whose address will then appear in the “From:” field of the e-mail client. The situation is more complex because the sender’s identity appears in two different places: in the “MAIL FROM” command used during the SMTP session, and in the “From:” header of the message.

To enable e-mail authentication, new complementary standards have been defined. These are the SPF (RFC 7208), DKIM (RFC 6376) and DMARC (RFC 7489) trio, all of which use the domain name as a reference and dedicated DNS records.

Secure email delivery with SPF, DKIM and DMARC in action

The following illustration shows the chronology and components involved in sending an e-mail.
[Figure: SPF, DKIM and DMARC in action]

  1. joe@football.example.com writes an e-mail to suzie@shopping.example.net.
    Joe’s mail server is configured for DKIM and contains the private key. The example.com DNS zone contains the DKIM public key, an SPF record authorizing the mail server IP and a DMARC record recommending the “none” policy and sending DMARC reports to admin@example.com.
  2. When the message is sent, the server uses the private key to calculate and add the DKIM signature to the message header.
  3. The server contacts the SMTP server smtp.example.net, which is responsible for @example.net addresses, and starts an SMTP session. In the MAIL FROM command, it indicates who the sender is, in this case joe@football.example.com.
  4. SPF check takes place. The DNS of the sender’s domain name is queried for an SPF entry (TXT). This exists and lists the IP 221.227.126.130, which corresponds to the sending server. The SPF test is successful.
  5. DKIM verification takes place. The DKIM signature of the received message is recalculated and compared with the signature sent in the header. The signature is verified using the public key stored in the DNS entry. The DKIM test is successful.
  6. If both the SPF and DKIM tests had failed, the server would have looked up the DNS record _dmarc.example.com to find out which policy to adopt. Here, “p=none” indicates that the email should be processed according to the receiver’s local policy.
  7. The DMARC record also indicates the e-mail address to which the failure report should be sent. Here it is admin@example.com, who can analyze it and take action.

Sender Policy Framework (SPF): to specify who is authorized to send e-mails in its (domain’s) name

SPF aims to limit spam by enabling domain name owners to declare the IP addresses authorized to send e-mail on their behalf. This list of IP addresses is published in a DNS TXT record in a dedicated format. The recipient’s server can then retrieve this record to check whether the connecting client is authorized.

The interpretation of the authentication result is a decision local to the software receiving the message. SPF failure may be combined with other indicators to lead to the message being flagged as SPAM, or may lead to the message being rejected outright. In any case, the final action is variable.
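The SPF check from step 4 of the walkthrough above, as an added example (not code from the original article): a small evaluator for the ip4/ip6 and all mechanisms, run against a constructed record for example.com that authorizes only 221.227.126.130. Mechanisms that need further DNS lookups (a, mx, include, redirect) are not resolved here and are reported as permerror, so that nothing unresolved is ever mistaken for a pass.

```python
import ipaddress

# Constructed SPF record for example.com, matching the walkthrough:
# only 221.227.126.130 may send; every other client hard-fails ("-all").
EXAMPLE_COM_SPF = "v=spf1 ip4:221.227.126.130 -all"

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the IP of the connecting client.

    Handles ip4/ip6 (with optional CIDR) and 'all'. Anything that needs a
    DNS lookup (a, mx, include, exists, redirect=) yields 'permerror' in
    this example so the caller cannot treat it as a pass.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published: nothing to evaluate
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv4 client is never inside an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # needs DNS resolution: not handled in this example
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


if __name__ == "__main__":
    print(evaluate_spf(EXAMPLE_COM_SPF, "221.227.126.130"))  # the legitimate server
    print(evaluate_spf(EXAMPLE_COM_SPF, "198.51.100.7"))     # any other host
```

The second call is what a receiver sees when a message claims to be from example.com but arrives from an unauthorized host; whether that "fail" becomes a spam flag or a rejection is, as the text says, the receiver's local decision.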

Check the origin and integrity of your e-mails with a DKIM Signature, DomainKeys Identified Mail

DKIM guarantees the integrity of transmitted messages. When a message is sent, the messaging software calculates a fingerprint of the message body and a fingerprint of the headers, including the mandatory “From:”. This fingerprint calculation has two important properties:

  • The fingerprint is much shorter than the original text
  • Two different messages have an extremely low probability of producing the same fingerprint.

If the text or headers of the e-mail change during routing, then the fingerprint calculated on arrival will be different from the one calculated at the beginning. To ensure that the fingerprint can only be calculated by the domain name owner, it is signed with the private key and the fingerprint signature is added to the header.

The infrastructure required for DKIM is simple and pre-existing, based on a header entitled “DKIM-Signature” and a DNS record. DKIM uses the RSA public-key algorithm, which uses a key pair to sign the contents of the e-mail at the time of sending, and to verify that the signature on the received message is still valid at the time of receipt. The private key is known only to the servers that send mail for a particular domain name. The public key is stored in a DNS TXT record; it is accessible to everyone and can be retrieved when verifying the signature at the time of receipt.

DKIM therefore guarantees the integrity of the message transmitted, and also authenticates the message as originating from the domain name that stores the public verification key. However, this domain name may differ from the one used in the “From” header. Finally, as with SPF, DKIM does not indicate how to handle a verification failure, leaving the choice to the receiver of the message.
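The fingerprint property described above, as an added example (not code from the original article): the bh= tag of a DKIM-Signature header is the base64 SHA-256 of the body after RFC 6376 "simple" canonicalization, so a receiver can recompute it and detect any change to the body in transit. The sample bodies and the header are constructed; the b= tag (the RSA signature over the selected headers) is left empty because producing it needs the private key, which this example deliberately does not touch.

```python
import base64
import hashlib

# Constructed sample bodies (CRLF line endings, as sent on the wire).
ORIGINAL_BODY = b"Hi Suzie,\r\nThe invoice is attached.\r\n-- Joe\r\n\r\n\r\n"
TAMPERED_BODY = b"Hi Suzie,\r\nPlease pay the invoice to a new account.\r\n-- Joe\r\n"


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: normalize to CRLF, drop every
    trailing empty line, then end with exactly one CRLF (an empty body
    becomes a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body):
    """The bh= tag: base64 of the SHA-256 digest of the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'v=1; a=rsa-sha256; bh=...; b=...' into a dict. Folding
    whitespace inside values is removed, as a verifier must do."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def sending_side_header(body):
    """Hypothetical DKIM-Signature built by Joe's server (step 2 of the
    walkthrough). b= is left empty: the RSA signature needs the private key."""
    return ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail;\r\n"
            " h=from:to:subject:date; bh=" + body_hash(body) + ";\r\n b=")


def check_body_hash(dkim_signature, body):
    """Receiving side (step 5): recompute the body fingerprint and compare it
    with the bh= tag carried in the header."""
    return parse_dkim_tags(dkim_signature).get("bh") == body_hash(body)


def demo():
    """Returns (untouched body verifies, modified body verifies)."""
    header = sending_side_header(ORIGINAL_BODY)
    return check_body_hash(header, ORIGINAL_BODY), check_body_hash(header, TAMPERED_BODY)
```

Note that trailing blank lines added by a relay do not break the check (canonicalization strips them), while any change to the text does; verifying b= against the public key in DNS is the second half of the test and is not shown here.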

Domain-based Message Authentication, Reporting and Conformance (DMARC): tells the receiver what to do in the event of SPF and DKIM failure

SPF and DKIM do not specify the action to be taken in the event of verification failure. This decision depends on the policy chosen locally by each recipient. SPF authenticates the domain name used in the MAIL FROM command, which may differ from the “From” header. DKIM authenticates the domain name that presents a valid public key for signing the message, which may also differ from what is displayed in the “From” field.

DMARC defines the policy to be applied in the event of SPF and DKIM failure. This feature is presented in informative RFC 7489, and enables the chosen policy to be applied via a dedicated DNS record. This method requires a match between the SPF and DKIM domain names and the “From” header. DMARC then allows a choice of 3 policies to be applied in the event of a mismatch:

  • none: no action, apply local policy;
  • quarantine: marked as spam;
  • reject: message rejected.

Securing your emails in practice: gradual deployment to preserve deliverability

It’s tempting to apply a drastic DMARC policy from the outset (p=reject) in order to minimize the delivery of spoofed emails. However, you need to take precautions to ensure that the cure is not worse than the disease. If you run email marketing campaigns, or if your services send out transactional emails, their deliverability is strategic. It’s essential to proceed methodically, and to follow the steps below:

  1. Have an audit carried out of your domain name portfolio to differentiate between domain names associated with your official emails and those that should not be associated with emails. On these “secondary” names, which correspond to product names or defensive registrations, apply strict SPF and DMARC settings to indicate that you never send emails with these names. In this way, you explicitly protect yourself against possible identity theft on these domain names.
  2. For your official emails, adopt a progressive deployment:
    • Deploy SPF and DKIM
    • Ensure that your email software correctly performs SPF and DKIM checks on incoming messages
    • Publish a DMARC record with a suitable policy and address for collecting failure reports
    • Analyze reports and adjust settings. For example, by adding legitimate IPs to your SPF record or by deploying DKIM with your external service providers (emailing platforms or transactional mailings).
    • Modify your DMARC policy and gradually switch to a reject policy. Check the deliverability of your e-mails as you make these adjustments.
  3. Keep an eye out for domain names with similar spellings to your own, so as to detect “good candidates” for identity theft as early as possible. In the case of the Vinci Group’s share price manipulation, it was a domain name registered by a third party that was the source of the fraud.
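The DMARC decision described in the previous section (alignment of the SPF and DKIM domains with the “From” header, then the p= policy on mismatch) and the effect of the staged rollout above, as an added example that is not code from the original article. The records are constructed; one assumption is labelled in the code: the organizational domain is approximated as the last two labels instead of being derived from the Public Suffix List.

```python
def org_domain(domain):
    """Organizational domain, approximated here as the last two labels
    (assumption for this example; a real verifier consults the Public
    Suffix List so that e.g. shop.example.co.uk maps to example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Receiver-side decision (steps 6 and 7 of the walkthrough).

    spf_domain is the MAIL FROM domain, dkim_domain the d= tag of the
    signature, from_domain the domain of the 'From:' header. Returns 'pass'
    when at least one authenticated identifier is aligned with From:,
    otherwise the p= policy published by the domain owner."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no DMARC record: the receiver applies its local policy
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none").lower()  # none / quarantine / reject


def report_addresses(record):
    """Aggregate-report recipients (rua=), e.g. admin@example.com in the walkthrough."""
    rua = parse_dmarc(record).get("rua", "")
    return [u.strip()[len("mailto:"):] for u in rua.split(",") if u.strip().startswith("mailto:")]


# Constructed records: the walkthrough's monitoring-only record (first
# rollout step) and the end state of the staged rollout.
MONITOR = "v=DMARC1; p=none; rua=mailto:admin@example.com"
ENFORCE = "v=DMARC1; p=reject; rua=mailto:admin@example.com"
```

With MONITOR, a message whose From: is example.com but whose only passing identifier belongs to an unrelated domain is handed to local policy and merely reported; with ENFORCE the same message is rejected, which is why the reports must be analyzed and the SPF/DKIM setup corrected before the switch.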

Solidnames can help you with all these steps. Contact us for a free diagnosis of the risk of identity theft by email (DRUIDE).