#!/usr/bin/env nix-shell
#!nix-shell -p sent -i sent

E-mail authentication 101

Big picture:
Identifying odd mails, e.g., from supposed friends.

# https://old.reddit.com/r/wtfstockphotos/comments/8ce5ke/lady_rejects_her_love_for_potato_over_computer/
@img/woman-no-computer.png

How does e-mail actually work?

# https://commons.wikimedia.org/wiki/File:Email.svg
@img/email.png

But what does a mail look like?

# https://old.reddit.com/r/wtfstockphotos/comments/98bqnz/mailing_myself_to_getty_hq_it_actually_workednot/
@img/walking-mail.jpg

An e-mail is just plain text
- Headers
- Body

Excerpt of headers from the invitation mail:
> From: Alvar Penning
> To: Ein Hackspace in Marburg
> Subject: SIEBTE~1.TXT

This is all plaintext.
So, anyone can set these values.

Pls rember e-mail picture.
Receivers record previous servers.

> Received: from altair.reis.asia (altair.reis.asia [195.138.247.98])
>  by sadachbia.lurk.space (Postfix) with ESMTPS id 6FCF614E63A4
>  for ; Thu, 5 Dec 2019 21:29:50 +0100 (CET)
>
> Received: from sadachbia.lurk.space (sadachbia.lurk.space [188.68.48.46])
>  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>  by altair.reis.asia (Postfix) with ESMTPS id F2D1D606C8
>  for ; Thu, 5 Dec 2019 21:29:40 +0100 (CET)

# https://old.reddit.com/r/wtfstockphotos/comments/2h14g0/laptop_race/
@img/laptop-race.jpg

Check how consistent the first server looks.
E.g., the sender's address is something@gmail.com, but the first server in the chain is some strange host.

Might be…

# https://old.reddit.com/r/wtfstockphotos/comments/9cgbo1/hacker_stabbing_laptop/
@img/hacker-laptop.jpg

How to (automatically) detect shady / impersonating senders?

SPF: Sender Policy Framework
\
List the allowed mail servers for a domain in the DNS.
Whitelist mail servers in a TXT record.

Sender:
- Sets this up once.
- Just sends a mail, like before.
\
Receiver:
- Must actively check this when receiving.

> $ dig +short TXT 0x21.biz
> "v=spf1 mx -all"
> $ dig +short MX 0x21.biz
> 10 sadachbia.lurk.space.
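The two checks from the slides above, walking the Received: chain to find the first hop and evaluating the domain's SPF record against that hop's IP, as an added worked example in Python. This is not code from the talk. The DNS table is a constructed stand-in for the dig lookups on the slides; the A record for sadachbia.lurk.space is assumed from the IP in the quoted Received: header, and the helper names are my own.

```python
"""Added example, not part of the original slides: walk the Received: chain
quoted above to find the first hop, then evaluate the sender domain's SPF
record against that hop's IP, entirely offline.

The DNS answers below are a constructed stand-in for the dig lookups on the
slides; the A record for sadachbia.lurk.space is assumed from the IP in the
Received: header, not something the slides show."""
import ipaddress
import re

# Received: headers from the invitation mail, as quoted on the slides.
# A message carries them newest-first, so the last entry is the first hop.
RECEIVED = [
    "from altair.reis.asia (altair.reis.asia [195.138.247.98])"
    " by sadachbia.lurk.space (Postfix) with ESMTPS id 6FCF614E63A4",
    "from sadachbia.lurk.space (sadachbia.lurk.space [188.68.48.46])"
    " (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))"
    " by altair.reis.asia (Postfix) with ESMTPS id F2D1D606C8",
]

# Constructed DNS data standing in for the dig output on the slides.
DNS = {
    ("0x21.biz", "TXT"): ["v=spf1 mx -all"],          # from the slide
    ("0x21.biz", "MX"): ["sadachbia.lurk.space"],      # from the slide (priority dropped)
    ("sadachbia.lurk.space", "A"): ["188.68.48.46"],   # assumed from the Received: header
}

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+.*?\bby\s+(\S+)", re.S)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def parse_received(header):
    """Pull HELO name, reverse DNS, client IP and receiving host out of one Received: header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    helo, rdns, ip, by = m.groups()
    return {"helo": helo, "rdns": rdns, "ip": ip, "by": by}


def first_hop(received_headers):
    """The bottom-most Received: header was written by the first server that got the mail."""
    return parse_received(received_headers[-1])


def check_spf(domain, client_ip):
    """Minimal RFC 7208 evaluation: all, ip4/ip6, a and mx with qualifiers.
    include:, exists:, redirect=, macros and CIDR suffixes on a/mx are out of
    scope here and yield permerror."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # the domain publishes no SPF record
    if len(records) > 1:
        return "permerror"     # more than one record is a publishing error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # RFC 7208 default when no mechanism matches


def first_hop_verdict(received_headers, mail_from_domain):
    """What the receiving MTA does automatically: SPF result for the first hop's IP."""
    hop = first_hop(received_headers)
    if hop is None:
        return "unparseable"
    return check_spf(mail_from_domain, hop["ip"])


if __name__ == "__main__":
    print(first_hop(RECEIVED))
    print(first_hop_verdict(RECEIVED, "0x21.biz"))   # pass: first hop is the domain's MX
    print(check_spf("0x21.biz", "203.0.113.7"))      # fail: not an MX, so -all applies
```

The first hop here is sadachbia.lurk.space, which is exactly the MX the slide's dig shows for 0x21.biz, so the `mx` mechanism matches and the result is `pass`; any other IP falls through to `-all` and fails. A real resolver replaces the DNS dict, and a full evaluator also has to follow `include:` and `redirect=` and cap the lookup count.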
\
> Received-SPF: Pass (mailfrom) identity=mailfrom; …

DKIM: DomainKeys Identified Mail
\
Sign each outgoing mail.
The public key is also stored in the DNS.

Sender:
- Also sets this up once.
- Signs each outgoing mail.
\
Receiver:
- Must check the signature.

> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=0x21.biz; s=mail;
>  t=1575577780; bh=3BrszPLd/kLpIVN9XseICLX0YnIpkPnLD3UIMh4b1Y8=;
>  h=Date:From:To:Subject; b=…
\
> $ dig +short TXT mail._domainkey.0x21.biz
> "v=DKIM1; k=rsa; p=…"

# https://old.reddit.com/r/wtfstockphotos/comments/4cwuwx/senior_businessman_on_toilet_with_laptop_computer/
@img/boomer-toilet.jpg

SPF: Allowed servers list.
DKIM: Verify authenticity by signature.

DMARC: Domain-based Message Authentication, Reporting and Conformance
Long name for a policy combining the SPF / DKIM results, e.g., enforcing the presence of a DKIM signature.

Is all this technology used?
Yes. Most likely also by your spam filter.

# https://old.reddit.com/r/wtfstockphotos/comments/e7gow7/our_boss_came_out_today_as_a_furry_and_it_was/
@img/generic-ending.jpg
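The receiver side of the DKIM slides as an added worked example in Python, not code from the talk: parsing the DKIM-Signature tag list, building the DNS name of the key record (selector._domainkey.domain, the name the slide's dig queries) and recomputing the body hash bh= after RFC 6376 body canonicalization. The signature check on b= needs the RSA key from that record and a crypto library, so it is left out; the sample body and the generated header are constructed data, and the function names are my own.

```python
"""Added example, not part of the original slides: the receiver-side DKIM
steps that need no key material: parse the DKIM-Signature tag list, locate
the public key record in DNS (selector._domainkey.domain) and recompute the
body hash (bh=) after body canonicalization.

Checking the signature itself (b=) uses the RSA key from that DNS record and
is left out here. The body and the generated header are constructed samples."""
import base64
import hashlib
import hmac
import re

# DKIM-Signature header as quoted on the slide (b= is elided there as well).
SLIDE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=0x21.biz; s=mail; "
                "t=1575577780; bh=3BrszPLd/kLpIVN9XseICLX0YnIpkPnLD3UIMh4b1Y8=; "
                "h=Date:From:To:Subject; b=…")

# Constructed sample body; the trailing blank lines mimic MTA-mangled mail.
BODY = "Hi,\r\n\r\nthe invitation  is attached. \r\n\r\n\r\n"


def parse_dkim_tags(header_value):
    """tag=value pairs separated by ';'. Folding whitespace inside a value is insignificant."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags):
    """The TXT name the receiver queries for the public key, as the dig on the slide does."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body, method):
    """RFC 6376 body canonicalization.
    simple : only trailing empty lines are removed; an empty body becomes one CRLF.
    relaxed: runs of whitespace collapse to one space and trailing whitespace is
             stripped on every line, then trailing empty lines are removed."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="simple", algorithm="rsa-sha256"):
    """bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.lower().endswith("sha1") else hashlib.sha256
    canonical = canonicalize_body(body, method).encode("utf-8")
    return base64.b64encode(digest(canonical).digest()).decode("ascii")


def verify_body_hash(header_value, body):
    """Recompute bh= from the body as received; a mismatch means the body changed in transit."""
    tags = parse_dkim_tags(header_value)
    # c= is header/body; when only one method is given, body canonicalization is simple.
    _, _, body_method = tags.get("c", "simple/simple").partition("/")
    expected = tags.get("bh", "")
    actual = body_hash(body, body_method or "simple", tags.get("a", "rsa-sha256"))
    return hmac.compare_digest(expected.encode(), actual.encode())


def make_signature_header(body, domain="0x21.biz", selector="mail", c="relaxed/simple"):
    """Constructed signer side for the sample: fills in bh=, leaves b= as a placeholder."""
    _, _, body_method = c.partition("/")
    bh = body_hash(body, body_method or "simple")
    return (f"v=1; a=rsa-sha256; c={c}; d={domain}; s={selector}; "
            f"h=Date:From:To:Subject; bh={bh}; b=PLACEHOLDER")


if __name__ == "__main__":
    print(key_record_name(parse_dkim_tags(SLIDE_HEADER)))      # mail._domainkey.0x21.biz
    header = make_signature_header(BODY)
    print(verify_body_hash(header, BODY))                        # True
    print(verify_body_hash(header, BODY + "\r\n"))               # True: extra trailing blank lines are canonicalized away
    print(verify_body_hash(header, BODY.replace("attached", "detached")))  # False: body altered
```

Canonicalization is why a signature survives the small mangling mail servers do (added trailing blank lines, and under `relaxed` also re-wrapped whitespace) while any change to the actual content still breaks it. With `c=relaxed/simple`, as on the slide, the first value applies to the headers listed in `h=` and the second to the body.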