Sleepy Dragon · 2013/08/29 20:20

0x00 background


Email forgery is a standard ingredient of phishing attacks.

That is, the attacker sends mail that appears to come from an administrator's or the IT operations department's mailbox, and uses that borrowed trust to get the recipient to open an attached Trojan or to reply with the sensitive information the attacker is after.

0x01 details


SMTP itself does not authenticate the sender: both the envelope sender (MAIL FROM) and the From: header that the recipient sees are supplied by whoever connects to the server, so most of the sender information in a message can be forged.

This is what makes it possible to send mail that appears to come from someone else.

Take a look at these cases on WooYun:

WooYun: Ifeng mail source address forgery vulnerability

WooYun: Tencent mail server allows source address spoofing

WooYun: QQ Mail allows the sending address to be forged, easily abused for phishing

There is also a site on the Internet that makes sending fake emails even easier:

emkei.cz/

0x02 defense


To counter sender forgery, SPF came into being.

SPF stands for Sender Policy Framework. Sender ID is Microsoft's related variant, which checks the header sender (PRA) rather than the envelope sender.

After you publish an SPF record for your domain, a receiving server looks up that record and checks whether the IP address that connected to deliver the mail is listed in it. If it is, the mail is treated as legitimate; otherwise it is treated as forged. Note that SPF is evaluated against the envelope sender domain (the SMTP MAIL FROM, or HELO), not the From: header the user sees, so a pass only tells you that the connecting host is authorized to send for that envelope domain. Today most anti-spam systems support SPF filtering. SPF filtering rarely produces false positives, except when the mail system administrator has misconfigured or omitted the SPF record.

DomainKeys (the basis of DKIM) was proposed by Yahoo. It requires signing software and key management on the sending side, so it is more work to deploy and is not used nearly as much. Google currently signs outgoing mail with DomainKeys only to avoid being rejected by Yahoo; it does not require DomainKeys on incoming mail.

If the sending domain's SPF record is set up correctly, the receiving server adds headers like the following to the delivered message (Google's format shown):

Received-SPF: pass (google.com: domain of [email protected]_domain.com designates 72.47.192.112 as permitted sender) client-ip=72.47.192.112;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected]_domain.com designates 72.47.192.112 as permitted sender) smtp.mail=[email protected]_domain.com

Is it necessary to set up SPF? It is generally considered a good idea, if only because you may run into a receiving server that uses Sender ID to filter messages.

To add an SPF record, add a TXT record to your domain's DNS. The following two SPF generation and checking tools can help:

www.microsoft.com/mscorp/safe…

old.openspf.org/wizard.html

The wizard asks about each mechanism in turn:

a: the A record of your domain. Usually yes, because the host itself may send mail, such as the WordPress replies mentioned above.

mx: usually yes, since the MX servers send bounces and similar messages.

ptr: choose no, as officially recommended (the ptr mechanism is discouraged in the SPF specification).

include: if mail may also go out through an ISP or provider that publishes its own SPF record, enter that provider's domain. For example, if you use Google Apps, add include:google.com, because your mail is sent from Google's servers.

ip4: any other IP addresses that send mail. If your SMTP server is a separate machine, enter its IP address or network segment here.

~all: everything not listed above gets a soft fail. Choose yes. (Using -all instead would make unlisted senders a hard fail.)
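To make concrete both the forgery described in 0x01 and the SPF evaluation described here, the following is an added example (my own code, not part of the original post or of any SPF library). It implements a minimal SPF evaluator for the mechanisms the wizard asks about (a, mx, include, ip4, all with the +, -, ~ and ? qualifiers) over a constructed in-memory DNS table instead of real DNS lookups, and then checks a constructed message whose visible From: header names a different domain than the envelope sender. All domains, addresses and records below are assumptions made up for the example; ip6, exists, ptr and macros are deliberately left out.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-in for DNS: TXT (SPF), A and MX answers for a few domains.
# Real code would query DNS; this table is embedded so the example runs offline.
DNS = {
    "example.com": {
        "TXT": "v=spf1 a mx include:mailhost.example ip4:203.0.113.0/24 ~all",
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.20"]},
    "mailhost.example": {"TXT": "v=spf1 ip4:192.0.2.5 -all"},
    "strict.example": {"TXT": "v=spf1 ip4:192.0.2.0/28 -all"},
    "attacker.example": {"TXT": "v=spf1 ip4:192.0.2.99 -all"},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(domain):
    return DNS.get(domain, {}).get("TXT")


def addrs(domain, rtype="A"):
    return DNS.get(domain, {}).get(rtype, [])


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record against the connecting IP.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    Mechanisms are tested left to right; the first match decides the result,
    and a record with no matching mechanism is neutral.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # "a" alone means the domain being checked
            matched = str(ip) in addrs(arg or domain)
        elif mech == "mx":              # any A record of any MX host
            matched = any(str(ip) in addrs(mx) for mx in addrs(arg or domain, "MX"))
        elif mech == "include":         # matches only if the included domain passes
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:                           # ip6, exists, ptr, macros: not implemented
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def evaluate_message(mail_from, client_ip, raw_message):
    """Run SPF on the envelope sender and report whether the visible From:
    header uses the same domain. SPF alone never looks at the From: header,
    which is exactly the gap a phishing mail exploits."""
    envelope_domain = mail_from.rsplit("@", 1)[1].lower()
    header_from = message_from_string(raw_message)["From"]
    header_domain = re.search(r"@([\w.-]+)", header_from).group(1).lower()
    return {
        "spf": check_spf(envelope_domain, client_ip),
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "aligned": envelope_domain == header_domain,
    }


# Constructed phishing message: the From: header claims the admin mailbox.
FORGED_MESSAGE = (
    "From: IT Ops <admin@example.com>\n"
    "To: victim@example.com\n"
    "Subject: Please review the attached policy\n"
    "\n"
    "Open the attachment and reply with your password.\n"
)

if __name__ == "__main__":
    # Forger uses his own domain as envelope sender: SPF passes, but the
    # header domain is not aligned with the envelope domain.
    print(evaluate_message("bounce@attacker.example", "192.0.2.99", FORGED_MESSAGE))
    # Same header, but the envelope claims example.com from an unlisted host.
    print(evaluate_message("admin@example.com", "10.0.0.1", FORGED_MESSAGE))
```

The second call shows what SPF does catch (an unlisted host claiming the envelope domain gets a softfail because of ~all), while the first shows what it does not: a pass for the forger's own domain says nothing about the From: line the victim reads, which is why the alignment check is reported separately.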

How to view an SPF record

On Windows, open a command prompt and run:

nslookup -type=TXT yourdomain.com

On Unix-like systems:

# dig -t TXT yourdomain.com