DMARC and why should you give a damn

So for the very first time our company received a phishing email attempt. The asshole supposedly sent a message from the CEO’s mailbox to the CFO’s and requested a very large amount of cash to be wired to some unknown off-shore account. Imagine the depth that fucker went into to get all that info, huh? Luckily, the CFO sensed something in the context was wrong so she called yours truely. Baffled by this mystery and with a lot of curiousity I sat down and began my investigation.

I literally didnt sleep that night. Not because I fought aimlessly trying to figure out how he did it, but because I discovered how INCREDIBLY EFFORTLESS it was to spoof an undefended domain’s email address. Within a few hours I managed to send an email to a friend from his employer telling him he’s fired and another to my wife from her Bank Manager telling her she got promoted. Just for the record, this could probably be done with ANY domain out there that doesnt enforce DMARC or any special email filter inspection like Forti Mail, Pineapp etc. So without a due, this is why you should give a damn.

DMARC – Domain-based Message Authentication, Reporting & Conformance

DMARC – What does it do?

Easily put, it’s a mechanism that stops assholes from spoofing YOUR email addresses. But the biggest thing about DMARC is that it prevents them from spoofing your emails against OTHER domains as well. Meaning it doesnt allow for an unknown source to send emails on your behalf to different organizations, NOT just from you to yourself. Moreover, it encompasses ways to receive reports about external attempts being made at forging your domain.

DMARC – How does it do it?

  1. Policy – When you receive an email the MAILFROM header domain is being checked for a published DMARC policy (based on DNS). What this policy basically says is that the domain owner has a working set of SPF and DKIM records and that it’s 100% “aligned” which I’ll be explaining shortly. On top of it, it tells or better yet recommends the receiver what to do if the message he received fails DMARC and where to send the report to. Need I say that without such policy DMARC is bypassed.
  2. Alignment – All an attacker really needs to do in order to spoof the common domain email address today is to use a MAILFROM address of a domain that does NOT have an SPF record while forging the FROM header to be from your domain. What this check does is it compares between the two and SPF\DKIM. SPF: smtp.MAILFROM domain must match RFC5322.From domain; DKIM: d= domain must match RFC5322.From.
  3. SPF Records – At this point if the SPF record passes then it’s extremely likely that the sender is indeed legitimate. His FROM and MAILFROM addresses checked out and his physical IP address is within the bounds of the allowed IPS in the sender’s record. No further checks will be required but if SPF fails then the final decision will be made according to DKIM.
  4. DKIM Records – You cant go wrong if an encrypted email header did not decrypt properly with the public key hanging, well, publically out in the open. This method of cryptography by itself is enough to tell if the sender is who he’s telling he is. The decision whether or not to accept the email will be made accordingly.

If like me you’re running Office 365 or Google Apps, chances are that all you have right now for email verification is an SPF record. That of course is laughably not enough to stop someone from forging your emails. Thankfully DKIM is being rolled out in Office 365 as we speak (already supported in GoogleApps) and DMARC is already fully supported.  This sent me at the right path. Hopefully it will do someone else good as well.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s