[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:22.18,Default,,0000,0000,0000,,{\i1}36C3 preroll music{\i0}
Dialogue: 0,0:00:22.18,0:00:28.54,Default,,0000,0000,0000,,Herald: So, have you ever wondered how to\Nalmost perfectly fake an email? Then you
Dialogue: 0,0:00:28.54,0:00:33.37,Default,,0000,0000,0000,,might be actually in the right talk here.\NWe have our next speaker. Andrew, who is
Dialogue: 0,0:00:33.37,0:00:41.18,Default,,0000,0000,0000,,currently working for the National CERT of\NLatvia as a security researcher. And he's
Dialogue: 0,0:00:41.18,0:00:50.12,Default,,0000,0000,0000,,going to talk about e-mail counterfeiting\Nand strategies for modern anti-spoofing.
Dialogue: 0,0:00:50.12,0:00:53.36,Default,,0000,0000,0000,,Stage is yours.
Dialogue: 0,0:00:53.36,0:01:04.46,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:01:04.46,0:01:14.49,Default,,0000,0000,0000,,Andrew: So. Greetings. I'm Andrew and I\Nwork for Latvian National CERT. One of our
Dialogue: 0,0:01:14.49,0:01:21.44,Default,,0000,0000,0000,,current goals is improving the state of\Nemail security in our country and which we
Dialogue: 0,0:01:21.44,0:01:26.40,Default,,0000,0000,0000,,mostly do through raising awareness about\Nthis issue and communicating best
Dialogue: 0,0:01:26.40,0:01:30.77,Default,,0000,0000,0000,,practices. And of course we are not the\Nonly organization that is doing that.
Dialogue: 0,0:01:30.77,0:01:34.42,Default,,0000,0000,0000,,There are many more CERTs in other\Ncountries and there are various
Dialogue: 0,0:01:34.42,0:01:39.30,Default,,0000,0000,0000,,nongovernmental organizations that are\Ndoing the same. And commercial entities.
Dialogue: 0,0:01:39.30,0:01:46.06,Default,,0000,0000,0000,,However, so far, frankly speaking, our\Ncollective progress has been quite
Dialogue: 0,0:01:46.06,0:01:54.10,Default,,0000,0000,0000,,underwhelming. So for example, here is the\None stat which is the usage of one
Dialogue: 0,0:01:54.10,0:01:59.77,Default,,0000,0000,0000,,specific technology, DMARC, which as you\Nwill learn in this talk, is quite
Dialogue: 0,0:01:59.77,0:02:06.77,Default,,0000,0000,0000,,important and I hope that everyone will\Nstart using it. So on the left. There are
Dialogue: 0,0:02:06.77,0:02:11.06,Default,,0000,0000,0000,,twenty thousand domains across all the\Nworld which are important domains for
Dialogue: 0,0:02:11.06,0:02:15.88,Default,,0000,0000,0000,,important organizations that truly should\Nknow better. And on the right side we see
Dialogue: 0,0:02:15.88,0:02:24.80,Default,,0000,0000,0000,,the top 50, top 500 EU retailer domains\Nand across both of these groups two thirds
Dialogue: 0,0:02:24.80,0:02:29.80,Default,,0000,0000,0000,,haven't even configured DMARC yet. And out\Nof those that have configured majority
Dialogue: 0,0:02:29.80,0:02:36.35,Default,,0000,0000,0000,,hasn't enabled strict policy yet. So if\Nthere is just one key takeaway from this
Dialogue: 0,0:02:36.35,0:02:41.46,Default,,0000,0000,0000,,talk, I hope that it will be that everyone\Nshould start using DMARC. It is important
Dialogue: 0,0:02:41.46,0:02:49.12,Default,,0000,0000,0000,,to use it even for domains that are not\Nsupposed to send email. So, one
Dialogue: 0,0:02:49.12,0:02:56.76,Default,,0000,0000,0000,,explanation for these low adoption rates,\NI think, is that there are seemingly too
Dialogue: 0,0:02:56.76,0:03:04.31,Default,,0000,0000,0000,,many competing technologies. This is the\Ncontents for my talk. And I really tried
Dialogue: 0,0:03:04.31,0:03:12.45,Default,,0000,0000,0000,,to do my best to trim it down. But as you\Ncan see, there are three abbreviations, well and
Dialogue: 0,0:03:12.45,0:03:18.74,Default,,0000,0000,0000,,SMTP and out of this, SPF, DKIM and DMARC\Nactually two are I don't even remember the
Dialogue: 0,0:03:18.74,0:03:25.57,Default,,0000,0000,0000,,whole name for them. But still, they are\Nall important. And of course, this problem
Dialogue: 0,0:03:25.57,0:03:28.95,Default,,0000,0000,0000,,that there are too many buzzwords, too\Nmany technologies, and it's not clear
Dialogue: 0,0:03:28.95,0:03:34.59,Default,,0000,0000,0000,,which one which ones we should use, it's\Nnot specific to email. And we have this
Dialogue: 0,0:03:34.59,0:03:39.76,Default,,0000,0000,0000,,across the industry and, ah, security\Nindustry, I think by now we have found at
Dialogue: 0,0:03:39.76,0:03:47.88,Default,,0000,0000,0000,,least one way to solve it. And it is\Npenetration testing. So when the
Dialogue: 0,0:03:47.88,0:03:53.37,Default,,0000,0000,0000,,penetration test has been run properly and\Nthe results have been published, then we
Dialogue: 0,0:03:53.37,0:03:58.19,Default,,0000,0000,0000,,can start talking. We can shift the\Nconversation from talking about whether
Dialogue: 0,0:03:58.19,0:04:03.51,Default,,0000,0000,0000,,your organization prefers technology A or\Ntechnology B we can instead start talking
Dialogue: 0,0:04:03.51,0:04:09.62,Default,,0000,0000,0000,,about the questions that really matter,\Nsuch as: Is it possible for someone for
Dialogue: 0,0:04:09.62,0:04:15.31,Default,,0000,0000,0000,,some third party to spoof your\Norganization's e-mails and to send such
Dialogue: 0,0:04:15.31,0:04:20.99,Default,,0000,0000,0000,,e-mails to your, for example, customers or\Nyour partners or to media organizations in
Dialogue: 0,0:04:20.99,0:04:24.97,Default,,0000,0000,0000,,such a way that they will think that the\Nemails really came from within your
Dialogue: 0,0:04:24.97,0:04:31.81,Default,,0000,0000,0000,,organization? So that's why penetration\Ntesters are the key audience for this
Dialogue: 0,0:04:31.81,0:04:36.02,Default,,0000,0000,0000,,talk. However, I hope that any blue\Nteamers in the audience also will find
Dialogue: 0,0:04:36.02,0:04:40.65,Default,,0000,0000,0000,,this talk interesting. I'm sure that\Nyou already know all the basics about the
Dialogue: 0,0:04:40.65,0:04:43.62,Default,,0000,0000,0000,,email and about these technologies, but\Nlooking at the problem from the different
Dialogue: 0,0:04:43.62,0:04:50.44,Default,,0000,0000,0000,,side from attacker's perspective sometimes\Ncan really put things into perspective. It
Dialogue: 0,0:04:50.44,0:04:54.82,Default,,0000,0000,0000,,can help you understand what you\Nshould focus on when protecting your
Dialogue: 0,0:04:54.82,0:05:01.01,Default,,0000,0000,0000,,environment. And finally, the SMTP\Nprotocol. The technology that runs
Dialogue: 0,0:05:01.01,0:05:07.72,Default,,0000,0000,0000,,underneath our e-mail conversations is\Nactually relatively easy to understand.
Dialogue: 0,0:05:07.72,0:05:14.06,Default,,0000,0000,0000,,And so. And also the lessons learned from\Nall of this journey from SMTP, how it
Dialogue: 0,0:05:14.06,0:05:20.98,Default,,0000,0000,0000,,became and how it's possible to spoof it\Nand all the technologies that are trying
Dialogue: 0,0:05:20.98,0:05:27.53,Default,,0000,0000,0000,,to prevent spoofing. I think it's an\Ninteresting case study and it should be
Dialogue: 0,0:05:27.53,0:05:33.72,Default,,0000,0000,0000,,interesting to follow even for people who\Nare new to e-mail. Um, finally. Threat
Dialogue: 0,0:05:33.72,0:05:41.40,Default,,0000,0000,0000,,landscape. So email security is quite a\Nwide topic. And so today I will only focus
Dialogue: 0,0:05:41.40,0:05:47.65,Default,,0000,0000,0000,,on one small part of it, which is\Nsuccessful spoofing of e-mails. Tampering
Dialogue: 0,0:05:47.65,0:05:54.69,Default,,0000,0000,0000,,attacks. And I know that many penetration\Ntesters already incorporate some part of
Dialogue: 0,0:05:54.69,0:06:01.25,Default,,0000,0000,0000,,phishing or spear phishing emulation\Ninto their engagements and. But as far as
Dialogue: 0,0:06:01.25,0:06:07.07,Default,,0000,0000,0000,,I know, they mostly do it from the social\Nengineering perspective using such tools
Dialogue: 0,0:06:07.07,0:06:13.09,Default,,0000,0000,0000,,as a social engineering toolkit, for\Nexample. And it's, uh, I don't want to
Dialogue: 0,0:06:13.09,0:06:16.95,Default,,0000,0000,0000,,argue, though, that it's important to do\Nthat and to demonstrate to the customer
Dialogue: 0,0:06:16.95,0:06:23.86,Default,,0000,0000,0000,,that what risks are in regards with social\Nengineering. However, I think you're doing
Dialogue: 0,0:06:23.86,0:06:28.10,Default,,0000,0000,0000,,a disservice to the customer if that's the\Nonly thing that you are testing from the
Dialogue: 0,0:06:28.10,0:06:32.65,Default,,0000,0000,0000,,email perspective, because from the\Ncustomers', from managers' perspective that
Dialogue: 0,0:06:32.65,0:06:38.87,Default,,0000,0000,0000,,are reading your reports, if they only\Nmention social engineering attacks, then
Dialogue: 0,0:06:38.87,0:06:44.65,Default,,0000,0000,0000,,the logical conclusion is that the best\Nway to mitigate these threats is by
Dialogue: 0,0:06:44.65,0:06:51.59,Default,,0000,0000,0000,,educating your personnel, especially those\Nthat are least technical, as you will see
Dialogue: 0,0:06:51.59,0:06:55.38,Default,,0000,0000,0000,,in this talk. There are quite a lot of\Nattacks and many organizations are
Dialogue: 0,0:06:55.38,0:07:00.23,Default,,0000,0000,0000,,susceptible to them, which are much better\Nthan that. And no amount of user education
Dialogue: 0,0:07:00.23,0:07:03.89,Default,,0000,0000,0000,,will help here because we can't expect\Nusers to check headers, for example,
Dialogue: 0,0:07:03.89,0:07:10.70,Default,,0000,0000,0000,,manually. So we actually need to improve\Nour e-mail infrastructure. No way around
Dialogue: 0,0:07:10.70,0:07:17.01,Default,,0000,0000,0000,,it. And finally, before we move on to\Nactual technical stuff, there's a little
Dialogue: 0,0:07:17.01,0:07:21.89,Default,,0000,0000,0000,,secret, which I think might help people\Nthat are not working in the email industry
Dialogue: 0,0:07:21.89,0:07:28.16,Default,,0000,0000,0000,,understand why we have such problems and\Nis that, for email admins historically,
Dialogue: 0,0:07:28.16,0:07:38.04,Default,,0000,0000,0000,,um, they value availability of their\Nsystem and reliable reliability much more
Dialogue: 0,0:07:38.04,0:07:44.68,Default,,0000,0000,0000,,than security. And that's because that's\Nnot an ideological decision. It's a very
Dialogue: 0,0:07:44.68,0:07:50.47,Default,,0000,0000,0000,,pragmatic one. So, for example, if you are\Nan e-mail an email admin in an
Dialogue: 0,0:07:50.47,0:07:56.09,Default,,0000,0000,0000,,organization and some of your customers\Nstop receiving invoices, your management
Dialogue: 0,0:07:56.09,0:08:01.47,Default,,0000,0000,0000,,will find you and will inform you about it\Nand will ask you really nicely to fix it
Dialogue: 0,0:08:01.47,0:08:06.21,Default,,0000,0000,0000,,as soon as possible, even if it's not your\Nfault, if it might happen that the problem
Dialogue: 0,0:08:06.21,0:08:13.51,Default,,0000,0000,0000,,is on the other side of the email. Not on\Nyour server. And the for example, if,
Dialogue: 0,0:08:13.51,0:08:20.45,Default,,0000,0000,0000,,other example, if you, if some of your,\Nsome of your employees can't receive
Dialogue: 0,0:08:20.45,0:08:24.97,Default,,0000,0000,0000,,e-mail soon enough, for example, to\Nrestore the password or to verify the
Dialogue: 0,0:08:24.97,0:08:30.19,Default,,0000,0000,0000,,email or to use multi-factor\Nauthentication token and they can't log
Dialogue: 0,0:08:30.19,0:08:33.97,Default,,0000,0000,0000,,into some important systems again, they\Nwill find you on though you will need to
Dialogue: 0,0:08:33.97,0:08:39.54,Default,,0000,0000,0000,,solve that. But if your system is has some\Nsecurity vulnerabilities, if it's assessed
Dialogue: 0,0:08:39.54,0:08:45.54,Default,,0000,0000,0000,,susceptible to spoofing attacks and so on,\Nthen not users, no management will
Dialogue: 0,0:08:45.54,0:08:50.67,Default,,0000,0000,0000,,normally notice it. You might not not\Nnotice it, but you are. You have this
Dialogue: 0,0:08:50.67,0:08:55.93,Default,,0000,0000,0000,,vulnerability. So that's why obviously\Npenetration testers are important. Okay.
Dialogue: 0,0:08:55.93,0:09:01.25,Default,,0000,0000,0000,,Now we can finally start talking about the\Ntechnical stuff. So and we will start with
Dialogue: 0,0:09:01.25,0:09:07.19,Default,,0000,0000,0000,,the short introduction to SMTP protocol.\NSMTP is the protocol that underlies all
Dialogue: 0,0:09:07.19,0:09:12.36,Default,,0000,0000,0000,,email communications and it's actually\Npretty easy to follow. So here's a data
Dialogue: 0,0:09:12.36,0:09:18.37,Default,,0000,0000,0000,,flow of what's happening when one person\Nsends e-mail to another person. For
Dialogue: 0,0:09:18.37,0:09:21.27,Default,,0000,0000,0000,,example Alice is sending to Bob and\Nthey're using different they are working
Dialogue: 0,0:09:21.27,0:09:24.97,Default,,0000,0000,0000,,for different companies. They use\Ndifferent domains. So what's happening
Dialogue: 0,0:09:24.97,0:09:29.29,Default,,0000,0000,0000,,here is that both of them would say use\Nemail clients such as Outlook or
Dialogue: 0,0:09:29.29,0:09:34.58,Default,,0000,0000,0000,,Thunderbird. And Alice is sending email.\NIt's going through this protocol SMTP to
Dialogue: 0,0:09:34.58,0:09:41.74,Default,,0000,0000,0000,,Alice's mail server. But important to note\Nis that this is an outgoing e-mail server.
Dialogue: 0,0:09:41.74,0:09:44.79,Default,,0000,0000,0000,,Usually organizations will have two types\Nof servers, one for incoming transactions
Dialogue: 0,0:09:44.79,0:09:48.68,Default,,0000,0000,0000,,and one for outgoing and for smaller\Norganizations it might be one server, but
Dialogue: 0,0:09:48.68,0:09:52.47,Default,,0000,0000,0000,,again, it's important for penetration\Ntester to think of this as different
Dialogue: 0,0:09:52.47,0:09:56.68,Default,,0000,0000,0000,,systems because they will have even if\Nit's physically one machine, it will have
Dialogue: 0,0:09:56.68,0:10:00.62,Default,,0000,0000,0000,,different configuration for outgoing mail\Nand for incoming mail. So as a penetration
Dialogue: 0,0:10:00.62,0:10:04.90,Default,,0000,0000,0000,,tester you need to check both of them.\NOkay. Now, when Alice's server tries to
Dialogue: 0,0:10:04.90,0:10:11.94,Default,,0000,0000,0000,,send email to Bob's server, there is sort\Nof a problem in that the server needs to
Dialogue: 0,0:10:11.94,0:10:16.48,Default,,0000,0000,0000,,somehow automatically find what is the\Nother server to send the email and it is
Dialogue: 0,0:10:16.48,0:10:25.22,Default,,0000,0000,0000,,done through this blue box MX which is DNS\Nspecific DNS record type MX. So that's
Dialogue: 0,0:10:25.22,0:10:29.68,Default,,0000,0000,0000,,something that is maintained by Bob's\Norganization. So Bob's organization, if
Dialogue: 0,0:10:29.68,0:10:35.36,Default,,0000,0000,0000,,they want to receive e-mail, they create\Nthis DNS record. And I say that. Okay. If
Dialogue: 0,0:10:35.36,0:10:38.83,Default,,0000,0000,0000,,you want to send e-mail to us, please use\Nthis particular server. So it should point
Dialogue: 0,0:10:38.83,0:10:44.29,Default,,0000,0000,0000,,to Bob's server. And Alice's outgoing\Nserver knowing Bob's incoming server
Dialogue: 0,0:10:44.29,0:10:50.67,Default,,0000,0000,0000,,address can communicate to that. And then\Nlater, Bob will receive his e-mail. So
Dialogue: 0,0:10:50.67,0:10:54.97,Default,,0000,0000,0000,,the part that we as penetration testers\Nwill be trying to breach is actually
Dialogue: 0,0:10:54.97,0:10:59.84,Default,,0000,0000,0000,,between Alice's server and between Bob's\Nserver. And then we need to think about
Dialogue: 0,0:10:59.84,0:11:03.51,Default,,0000,0000,0000,,the second example, which is the opposite\Nway. And you might think that it's a
Dialogue: 0,0:11:03.51,0:11:07.11,Default,,0000,0000,0000,,pointless example because we are just\Nbasically changing the direction of
Dialogue: 0,0:11:07.11,0:11:11.45,Default,,0000,0000,0000,,traffic. But the important part here is\Nfor us as penetration testers to
Dialogue: 0,0:11:11.45,0:11:17.22,Default,,0000,0000,0000,,understand that our client only controls\Npart of this transaction. If our client,
Dialogue: 0,0:11:17.22,0:11:20.76,Default,,0000,0000,0000,,let's say, for the rest of this\Npresentation is Alice or Alice's
Dialogue: 0,0:11:20.76,0:11:26.75,Default,,0000,0000,0000,,organization, then in the second example\Nwhen we are sending mail from Bob to
Dialogue: 0,0:11:26.75,0:11:34.60,Default,,0000,0000,0000,,Alice, then we'll be sending emails only.\NBasically, part of this transaction will
Dialogue: 0,0:11:34.60,0:11:40.98,Default,,0000,0000,0000,,go through Alice's servers. In the first\Nexample, if we were sending email from
Dialogue: 0,0:11:40.98,0:11:45.94,Default,,0000,0000,0000,,Alice to Bob, it wouldn't be so. So if\Nit's a bit confusing, that's okay. We will
Dialogue: 0,0:11:45.94,0:11:51.60,Default,,0000,0000,0000,,return to that a bit later. And finally,\Nthere is a third example which looks
Dialogue: 0,0:11:51.60,0:11:56.26,Default,,0000,0000,0000,,similar, but not quite. And that's if\NAlice is communicating. Alice is our
Dialogue: 0,0:11:56.26,0:12:01.07,Default,,0000,0000,0000,,customer. And if she is communicating with\Nher coworkers, which are using the same
Dialogue: 0,0:12:01.07,0:12:04.32,Default,,0000,0000,0000,,organization, same e-mail server, same\Ndomain. In that example, again, there will
Dialogue: 0,0:12:04.32,0:12:09.00,Default,,0000,0000,0000,,be to at least logically two email\Nservers, outgoing server and incoming
Dialogue: 0,0:12:09.00,0:12:15.85,Default,,0000,0000,0000,,server. But both of them will belong to\Nour customer. So right now, if you are not
Dialogue: 0,0:12:15.85,0:12:20.15,Default,,0000,0000,0000,,familiar with e-mail, you can. It's\Njust interesting to try to think which of
Dialogue: 0,0:12:20.15,0:12:27.74,Default,,0000,0000,0000,,these scenarios, three scenarios, which of\Nthem are easier to protect? And a bit
Dialogue: 0,0:12:27.74,0:12:31.77,Default,,0000,0000,0000,,later we will see how it's actually\Nhappening. Okay. And then we need to look
Dialogue: 0,0:12:31.77,0:12:38.41,Default,,0000,0000,0000,,at what actually is being sent, when email\Nis being sent. So again, it's using SMTP
Dialogue: 0,0:12:38.41,0:12:44.79,Default,,0000,0000,0000,,protocol and it's really nice protocol you\Ncan. As you can see, it's just text. So
Dialogue: 0,0:12:44.79,0:12:48.03,Default,,0000,0000,0000,,it's plain text protocol and it's very\Neasy to play around because you can just
Dialogue: 0,0:12:48.03,0:12:54.41,Default,,0000,0000,0000,,open telnet connection to the right server\Nand you can try writing down the commands
Dialogue: 0,0:12:54.41,0:12:58.68,Default,,0000,0000,0000,,just with your hands. So you can try\Nmangling something or modifying or trying
Dialogue: 0,0:12:58.68,0:13:05.15,Default,,0000,0000,0000,,different, different, different types and\Nsee in real time how it was going on. So
Dialogue: 0,0:13:05.15,0:13:11.21,Default,,0000,0000,0000,,on the left side we see here two parts\Nwhich are defined by SMTP. So first of
Dialogue: 0,0:13:11.21,0:13:14.72,Default,,0000,0000,0000,,all, there comes SMTP envelope, which\Nbasically you connect the server, say
Dialogue: 0,0:13:14.72,0:13:22.07,Default,,0000,0000,0000,,hello, then you say what. Specify the\Nsender of email and recipient. "mail from"
Dialogue: 0,0:13:22.07,0:13:26.98,Default,,0000,0000,0000,,is sender. Recipient is Bob, for example.\NAnd then the second part starts with data
Dialogue: 0,0:13:26.98,0:13:32.16,Default,,0000,0000,0000,,and ends with quit. And that's the part\Nwhich is called Content/Message. So just
Dialogue: 0,0:13:32.16,0:13:35.48,Default,,0000,0000,0000,,if you want to play around with it a bit\Nmore, this is defined by a different
Dialogue: 0,0:13:35.48,0:13:38.03,Default,,0000,0000,0000,,standard, which is not that important for\Npenetration testers but if you want to
Dialogue: 0,0:13:38.03,0:13:43.89,Default,,0000,0000,0000,,look into details and it might be\Nimportant. And this internal message,
Dialogue: 0,0:13:43.89,0:13:49.07,Default,,0000,0000,0000,,which is called either Content or SMTP\Nmessage, it again, it contains two parts.
Dialogue: 0,0:13:49.07,0:13:53.30,Default,,0000,0000,0000,,One is headers and another is body. And I\Nthink some people might not be familiar
Dialogue: 0,0:13:53.30,0:13:57.57,Default,,0000,0000,0000,,with email, but probably everyone is\Nfamiliar in this audience with HTTP and
Dialogue: 0,0:13:57.57,0:14:02.60,Default,,0000,0000,0000,,this looks quite, quite the same. So easy\Nto understand. But the interesting part
Dialogue: 0,0:14:02.60,0:14:08.55,Default,,0000,0000,0000,,here is that you might have noticed that\Nwe have Alice's and Bob's addresses twice.
Dialogue: 0,0:14:08.55,0:14:14.35,Default,,0000,0000,0000,,Right. For example, Alice's is specified\Non the second line "mail from". And then
Dialogue: 0,0:14:14.35,0:14:19.71,Default,,0000,0000,0000,,we have the same address, alice @ her\Norganization, in "From" header. The red
Dialogue: 0,0:14:19.71,0:14:26.81,Default,,0000,0000,0000,,ones are the headers. And the same goes\Nfor Bob. So why is that? Well, it comes
Dialogue: 0,0:14:26.81,0:14:33.47,Default,,0000,0000,0000,,down to how we see e-mail. I as a normal\Nregular person who has used email in
Dialogue: 0,0:14:33.47,0:14:39.14,Default,,0000,0000,0000,,past quite a lot, I usually see them as\Ndescribed on the left side, which is a
Dialogue: 0,0:14:39.14,0:14:44.98,Default,,0000,0000,0000,,sort of postcard. So on a postcard there\Nis someone who has sent it. The sender.
Dialogue: 0,0:14:44.98,0:14:48.98,Default,,0000,0000,0000,,There is the recipient. That's usually me.\NI'm receiving. And then there's some
Dialogue: 0,0:14:48.98,0:14:53.57,Default,,0000,0000,0000,,message. So at least that's how I\Nperceived it before I learned a bit more
Dialogue: 0,0:14:53.57,0:14:58.67,Default,,0000,0000,0000,,about it. But email admins and the\Nstandard bodies, they see this situation
Dialogue: 0,0:14:58.67,0:15:04.61,Default,,0000,0000,0000,,as the one which is shown on the right,\Nwhich is. There is an envelope and inside
Dialogue: 0,0:15:04.61,0:15:10.48,Default,,0000,0000,0000,,the envelope then there is this message or\Na postcard maybe. So you have two
Dialogue: 0,0:15:10.48,0:15:15.35,Default,,0000,0000,0000,,addresses in this scenario. You specified\Nthe address from and to whom you are
Dialogue: 0,0:15:15.35,0:15:20.73,Default,,0000,0000,0000,,sending the envelope, which is the part\Nthat post office, for example, will look.
Dialogue: 0,0:15:20.73,0:15:24.59,Default,,0000,0000,0000,,But post office won't look generally\Ninside your envelope and inside the
Dialogue: 0,0:15:24.59,0:15:28.88,Default,,0000,0000,0000,,envelope there is another message, and\Nthat is the internal message is actually
Dialogue: 0,0:15:28.88,0:15:33.89,Default,,0000,0000,0000,,meant for a recipient. So actually, you\Ncould do even more and you could even put
Dialogue: 0,0:15:33.89,0:15:40.06,Default,,0000,0000,0000,,the whole envelope with the message of the\Npostcard inside another envelope. And this
Dialogue: 0,0:15:40.06,0:15:46.50,Default,,0000,0000,0000,,sounds crazy to me as a regular person,\Nbut actually e-mail allows that. And in
Dialogue: 0,0:15:46.50,0:15:50.03,Default,,0000,0000,0000,,the RFC the standard document, there are\Nsome examples why that would be necessary.
Dialogue: 0,0:15:50.03,0:15:56.94,Default,,0000,0000,0000,,Why why such why such things are allowed.\NBut but they are confusing. And so as a
Dialogue: 0,0:15:56.94,0:16:03.01,Default,,0000,0000,0000,,result, it is the here in this first\Nexample, we see that we generally we are
Dialogue: 0,0:16:03.01,0:16:07.94,Default,,0000,0000,0000,,specifying the same address twice. But as\Na penetration tester the question that
Dialogue: 0,0:16:07.94,0:16:12.17,Default,,0000,0000,0000,,we should be asking is: So is that\Nrequired, actually? Is that always true or
Dialogue: 0,0:16:12.17,0:16:17.12,Default,,0000,0000,0000,,is it just like a wishful thinking? And\Nit's actually wishful thinking. So
Dialogue: 0,0:16:17.12,0:16:20.87,Default,,0000,0000,0000,,standards specifically do not say that you\Nshould be specifying the same address for
Dialogue: 0,0:16:20.87,0:16:27.14,Default,,0000,0000,0000,,recipient or for "From" from the sender on\Nthe envelope and inside a message. So you
Dialogue: 0,0:16:27.14,0:16:32.30,Default,,0000,0000,0000,,could actually tweak them and send\Ndifferent, different stuff. So, actually,
Dialogue: 0,0:16:32.30,0:16:38.52,Default,,0000,0000,0000,,there are many more headers than what I\Nshowed. The ones I showed I think are just
Dialogue: 0,0:16:38.52,0:16:42.85,Default,,0000,0000,0000,,the ones that we all have experience\Nbecause even if you are just using e-mail,
Dialogue: 0,0:16:42.85,0:16:45.92,Default,,0000,0000,0000,,that's usually the stuff that you see or\Nsee the date, you see the subject, you see
Dialogue: 0,0:16:45.92,0:16:52.68,Default,,0000,0000,0000,,who has who sent you something and to whom\Nit was sent. Usually yourself. And there
Dialogue: 0,0:16:52.68,0:16:57.80,Default,,0000,0000,0000,,might be, of course, more recipients. Oh,\Nyeah. And the question then another
Dialogue: 0,0:16:57.80,0:17:03.77,Default,,0000,0000,0000,,question is: Which one is actually, if we\Nhave specified for some reason by accident
Dialogue: 0,0:17:03.77,0:17:07.30,Default,,0000,0000,0000,,or especially if we have specified\Ndifferent addresses in this envelope in
Dialogue: 0,0:17:07.30,0:17:11.89,Default,,0000,0000,0000,,the message which one the user will see\Nthe recipient, it's actually the header.
Dialogue: 0,0:17:11.89,0:17:18.01,Default,,0000,0000,0000,,So inside that the message is the one\Nwhich is intended for the user. OK. So and
Dialogue: 0,0:17:18.01,0:17:22.51,Default,,0000,0000,0000,,as I was saying, there are actually\Nstandards allow a bit more headers. And
Dialogue: 0,0:17:22.51,0:17:25.88,Default,,0000,0000,0000,,actually 3 headers "From", "Sender",\N"Reply-To" which are semantically really
Dialogue: 0,0:17:25.88,0:17:31.08,Default,,0000,0000,0000,,close and in the standard it's actually\Nexplains when you should be using which
Dialogue: 0,0:17:31.08,0:17:34.04,Default,,0000,0000,0000,,one. And the funny thing for me is that,\Nfor example "From" header, which is
Dialogue: 0,0:17:34.04,0:17:39.31,Default,,0000,0000,0000,,usually the one with that we see it might\Ncontain. By reading the RFC you will see
Dialogue: 0,0:17:39.31,0:17:44.45,Default,,0000,0000,0000,,that you shouldn't have more than one such\Nheader, but the header itself might
Dialogue: 0,0:17:44.45,0:17:48.02,Default,,0000,0000,0000,,contain multiple addresses. Personally,\NI've never received an email which would
Dialogue: 0,0:17:48.02,0:17:53.11,Default,,0000,0000,0000,,come from different people, but that's\Nallowed. But the important thing to
Dialogue: 0,0:17:53.11,0:17:57.53,Default,,0000,0000,0000,,understand here again is the backwards\Ncompatibility that I mentioned before. So
Dialogue: 0,0:17:57.53,0:18:02.48,Default,,0000,0000,0000,,even though standards explain how you\Nshould use each header and that you
Dialogue: 0,0:18:02.48,0:18:07.13,Default,,0000,0000,0000,,shouldn't have more than one of each of\Nthese headers, in practice you actually can
Dialogue: 0,0:18:07.13,0:18:12.48,Default,,0000,0000,0000,,send malformed email. You could send email\Nwith multiple headers, the same header,
Dialogue: 0,0:18:12.48,0:18:17.04,Default,,0000,0000,0000,,"From" header multiple times, or you could\Nsend header which does not contain "From"
Dialogue: 0,0:18:17.04,0:18:21.24,Default,,0000,0000,0000,,but contains "Sender". According to RFC\Nthat's incorrect. But in practice it will
Dialogue: 0,0:18:21.24,0:18:27.55,Default,,0000,0000,0000,,work. Most organizations, most e-mail\Nservices will try their best to pass your
Dialogue: 0,0:18:27.55,0:18:33.72,Default,,0000,0000,0000,,completely malformed email because they\Nreally are concerned about lowering the
Dialogue: 0,0:18:33.72,0:18:37.58,Default,,0000,0000,0000,,support costs. So if something does not\Nwork, then you will come to them. So it is
Dialogue: 0,0:18:37.58,0:18:42.16,Default,,0000,0000,0000,,better to make sure that everything is working\Nmost of the time. Of course, for
Dialogue: 0,0:18:42.16,0:18:45.67,Default,,0000,0000,0000,,penetration testers that means that you\Ncan play around with this because there
Dialogue: 0,0:18:45.67,0:18:49.48,Default,,0000,0000,0000,,are different implementations and it's\Nexactly which header, for example, if you
Dialogue: 0,0:18:49.48,0:18:53.83,Default,,0000,0000,0000,,have two headers, will be shown or will be\Nused for some algorithm. It depends on the
Dialogue: 0,0:18:53.83,0:18:59.15,Default,,0000,0000,0000,,particular implementation. So because\Nthere are so many implementations, they
Dialogue: 0,0:18:59.15,0:19:03.72,Default,,0000,0000,0000,,are interconnected in different ways. You\Ncould and you should as a penetration
Dialogue: 0,0:19:03.72,0:19:09.27,Default,,0000,0000,0000,,tester try various things, for example,\Nadd the same header multiple times. OK.
Dialogue: 0,0:19:09.27,0:19:13.99,Default,,0000,0000,0000,,Now that we have covered these basics,\Nlet's actually look into how you would try
Dialogue: 0,0:19:13.99,0:19:18.36,Default,,0000,0000,0000,,to spoof an e-mail, for example. Yeah. And\Nhere we are again, we are coming back to
Dialogue: 0,0:19:18.36,0:19:23.93,Default,,0000,0000,0000,,this diagram that we have seen before. And\Nfor example, in the first example about
Dialogue: 0,0:19:23.93,0:19:29.96,Default,,0000,0000,0000,,Alice is sending email to Bob. Let's say\Nwe are Chuck. So we are a third party. We
Dialogue: 0,0:19:29.96,0:19:33.70,Default,,0000,0000,0000,,are penetration tester licensed, we have\Nan arrangement that we are allowed to do
Dialogue: 0,0:19:33.70,0:19:38.92,Default,,0000,0000,0000,,this and we are trying to send spoofed\Ne-mail to Bob. And in this example, we are
Dialogue: 0,0:19:38.92,0:19:44.44,Default,,0000,0000,0000,,trying to spoof Alice's message. So our\Nintention is that Bob wants Bob receives
Dialogue: 0,0:19:44.44,0:19:52.58,Default,,0000,0000,0000,,email. It should look to them, to the Bob,\Nthat email was sent by Alice. So risk for
Dialogue: 0,0:19:52.58,0:19:57.58,Default,,0000,0000,0000,,this. Okay. I will not cover the risk. I\Nthink you can imagine that. So, for
Dialogue: 0,0:19:57.58,0:20:01.43,Default,,0000,0000,0000,,example, you could do fake news is one of\Nthe problems that we have seen in Latvia.
Dialogue: 0,0:20:01.43,0:20:06.33,Default,,0000,0000,0000,,It's one this was used against government\Nbodies. And when someone sent a fake news
Dialogue: 0,0:20:06.33,0:20:13.66,Default,,0000,0000,0000,,e-mail to other people, organizations and\Nso on, and were trying to impersonate some
Dialogue: 0,0:20:13.66,0:20:19.51,Default,,0000,0000,0000,,some government person. And of course, you\Ncould could imagine yourself how it's not
Dialogue: 0,0:20:19.51,0:20:23.71,Default,,0000,0000,0000,,a good thing if you if it's possible. But\Nthe interesting thing here is that even
Dialogue: 0,0:20:23.71,0:20:28.45,Default,,0000,0000,0000,,though Chuck is doing attack, it depends\Non your perspective. It might look like
Dialogue: 0,0:20:28.45,0:20:32.48,Default,,0000,0000,0000,,attack on Alice or on Bob. But in this\Ncase, email won't go through Alice's
Dialogue: 0,0:20:32.48,0:20:37.59,Default,,0000,0000,0000,,systems. As you can see, Chuck is sending\Ne-mail directly to Bob's incoming
Dialogue: 0,0:20:37.59,0:20:44.49,Default,,0000,0000,0000,,server. Now, there is a second type of\Nattack that will be looked at. If we are
Dialogue: 0,0:20:44.49,0:20:48.54,Default,,0000,0000,0000,,sending e-mail in other direction from Bob\Nto Alice. And our customer is Alice. So we
Dialogue: 0,0:20:48.54,0:20:52.90,Default,,0000,0000,0000,,are testing Alice's server. And in this\Ncase, we are trying, again we are Chuck.
Dialogue: 0,0:20:52.90,0:20:58.57,Default,,0000,0000,0000,,We are sending e-mail. In this case,\Ne-mail will go through Alice's systems. So
Dialogue: 0,0:20:58.57,0:21:03.79,Default,,0000,0000,0000,,interesting question is, which is easier\Nto protect. It might seem that since in
Dialogue: 0,0:21:03.79,0:21:07.27,Default,,0000,0000,0000,,the second example, e-mail is actually\Ngoing through Alice's systems, that means
Dialogue: 0,0:21:07.27,0:21:11.88,Default,,0000,0000,0000,,that Alice has more power to do something,\Nto do some additional checks and balances
Dialogue: 0,0:21:11.88,0:21:16.19,Default,,0000,0000,0000,,and so on. But actually, as you will see\Nin the future, it's easier to protect the
Dialogue: 0,0:21:16.19,0:21:21.71,Default,,0000,0000,0000,,first example. So even though our customer\Nis Alice, we're trying to protect Alice,
Dialogue: 0,0:21:21.71,0:21:26.54,Default,,0000,0000,0000,,but it's easier to protect in practice\Nthis example where someone is selling,
Dialogue: 0,0:21:26.54,0:21:32.80,Default,,0000,0000,0000,,sending e-mail, trying to impersonate\NAlice. Okay. Oh, yeah. That there is the
Dialogue: 0,0:21:32.80,0:21:37.69,Default,,0000,0000,0000,,third example, which is if Alice is\Ncommunicating with her colleagues inside
Dialogue: 0,0:21:37.69,0:21:41.82,Default,,0000,0000,0000,,the same organization. Again, we are Chuck\Nin this case. Again, we will only send the
Dialogue: 0,0:21:41.82,0:21:47.59,Default,,0000,0000,0000,,e-mail to Alice's incoming server. Not to\Noutgoing server. Right. So important thing
Dialogue: 0,0:21:47.59,0:21:54.46,Default,,0000,0000,0000,,to note. And again, in principle, this\Nthird example is the easiest to notice,
Dialogue: 0,0:21:54.46,0:21:59.79,Default,,0000,0000,0000,,because Alice's organization presumably\Nknows that her e-mails always should come
Dialogue: 0,0:21:59.79,0:22:03.79,Default,,0000,0000,0000,,from this particular outgoing server.\NRight. Like if we are sending e-mail from
Dialogue: 0,0:22:03.79,0:22:08.78,Default,,0000,0000,0000,,Alice's colleague, then incoming server in\Nprinciple should have all the power, even
Dialogue: 0,0:22:08.78,0:22:15.61,Default,,0000,0000,0000,,without any standards and stuff like that.\NBut in practice, sometimes actually quite
Dialogue: 0,0:22:15.61,0:22:24.14,Default,,0000,0000,0000,,often there will be a specific whitelist\Nfor Alice's own organization. So some
Dialogue: 0,0:22:24.14,0:22:28.88,Default,,0000,0000,0000,,checks won't happen if incoming server for\NAlice is receiving email, which is coming
Dialogue: 0,0:22:28.88,0:22:34.61,Default,,0000,0000,0000,,from, again, Alice. And by the way,\Nthere's this example. We've seen that for
Dialogue: 0,0:22:34.61,0:22:38.73,Default,,0000,0000,0000,,the past few years. I think it's not\Nspecific to Latvia. So here, for example,
Dialogue: 0,0:22:38.73,0:22:43.59,Default,,0000,0000,0000,,is Canada and others, if you can see. These\Nare these emails which are fake like
Dialogue: 0,0:22:43.59,0:22:48.29,Default,,0000,0000,0000,,ransomware stuff. Basically, they are\Ntelling you that they have hacked your
Dialogue: 0,0:22:48.29,0:22:53.82,Default,,0000,0000,0000,,computer or your email. In this case, and\Nthey have arranged all sorts of financial
Dialogue: 0,0:22:53.82,0:22:59.16,Default,,0000,0000,0000,,activity or have some blackmailing you.\NAnd please send them the money. Your
Dialogue: 0,0:22:59.16,0:23:04.52,Default,,0000,0000,0000,,money. I mean, your money in bitcoins to\Ntheir address. So, these e-mails.
Dialogue: 0,0:23:04.52,0:23:08.92,Default,,0000,0000,0000,,Interesting part about these e-mails is\Nthat they are usually, in order to prove to
Dialogue: 0,0:23:08.92,0:23:13.21,Default,,0000,0000,0000,,you that they have access to your e-mail\Naccount, they are sending e-mail from your
Dialogue: 0,0:23:13.21,0:23:20.10,Default,,0000,0000,0000,,address to your address. So and for many\Npeople, that works.
So they see that Dialogue: 0,0:23:20.10,0:23:22.73,Default,,0000,0000,0000,,someone has hacked their account,\Nobviously, because they've received e-mail Dialogue: 0,0:23:22.73,0:23:28.62,Default,,0000,0000,0000,,from themselves. So as you will see a bit\Nlater, it's actually easy to spoof such Dialogue: 0,0:23:28.62,0:23:34.10,Default,,0000,0000,0000,,e-mails if there haven't been any\Nprotections, haven't been put in place. So Dialogue: 0,0:23:34.10,0:23:38.12,Default,,0000,0000,0000,,the important thing, I hope that now no\None in this audience is falling for such Dialogue: 0,0:23:38.12,0:23:43.91,Default,,0000,0000,0000,,scam. But if you have some friends or\Ncolleagues that have contacted you and Dialogue: 0,0:23:43.91,0:23:48.23,Default,,0000,0000,0000,,told you about such e-mails that they have\Nreceived. But one of the things besides Dialogue: 0,0:23:48.23,0:23:53.11,Default,,0000,0000,0000,,checking the passwords is starting using\Nmore effective authentification on is a Dialogue: 0,0:23:53.11,0:23:57.77,Default,,0000,0000,0000,,just maybe you could tell them that they\Nshould contact their email administrators Dialogue: 0,0:23:57.77,0:24:03.47,Default,,0000,0000,0000,,or IT team and ask them about anti\Nspoofing protection, because obviously if Dialogue: 0,0:24:03.47,0:24:09.02,Default,,0000,0000,0000,,they are able to receive such e-mail and\Nit's not filtered, something is wrong. Dialogue: 0,0:24:09.02,0:24:16.99,Default,,0000,0000,0000,,Okay, and now let's see a spoofed SMTP\Nconversation, so that's example similar to Dialogue: 0,0:24:16.99,0:24:22.09,Default,,0000,0000,0000,,previous one. But in this now we are\Nactually Chuck. So this is sent by Chuck Dialogue: 0,0:24:22.09,0:24:25.92,Default,,0000,0000,0000,,to Bob, but we are pretending to be Alice.\NThe question is, can you see the Dialogue: 0,0:24:25.92,0:24:30.11,Default,,0000,0000,0000,,difference how this is different from from\Nthe previous one? 
And it's hard to see the Dialogue: 0,0:24:30.11,0:24:33.23,Default,,0000,0000,0000,,difference because there is none\Ndifference. That is the same conversation. Dialogue: 0,0:24:33.23,0:24:39.54,Default,,0000,0000,0000,,So the point here is that SMTP protocol by\Nitself it actually it doesn't have any Dialogue: 0,0:24:39.54,0:24:43.64,Default,,0000,0000,0000,,protection. So, yeah, you could just for\Nexample, if you are that guy that is Dialogue: 0,0:24:43.64,0:24:49.58,Default,,0000,0000,0000,,sending the fake ransom letters, you can\Njust write down this text and just dump it Dialogue: 0,0:24:49.58,0:24:55.83,Default,,0000,0000,0000,,to telnet and it will work for many\Norganizations. Not for all. And of course, Dialogue: 0,0:24:55.83,0:25:01.21,Default,,0000,0000,0000,,the email admins know this stuff, know\Nthat SMTP is not very reliable in this Dialogue: 0,0:25:01.21,0:25:05.07,Default,,0000,0000,0000,,regard. That's easy to spoof and so on.\NAnd there have been many attempts to add Dialogue: 0,0:25:05.07,0:25:11.52,Default,,0000,0000,0000,,some protection, just like ad hoc way. So\Nno standards just to ransom, add some Dialogue: 0,0:25:11.52,0:25:15.95,Default,,0000,0000,0000,,additional filters and stuff into your own\Nmail. And some of these protections Dialogue: 0,0:25:15.95,0:25:20.64,Default,,0000,0000,0000,,actually break RFC. If you read it, but\Nwho cares? Like RFC is not a sacred text Dialogue: 0,0:25:20.64,0:25:26.26,Default,,0000,0000,0000,,or it's. I absolutely approve this, for\Nexample. So yeah, go on. 
But the problem Dialogue: 0,0:25:26.26,0:25:31.64,Default,,0000,0000,0000,,is that there is not enough information.\NSo if you think back here, if we are Bob Dialogue: 0,0:25:31.64,0:25:35.10,Default,,0000,0000,0000,,and we are trying to protect our systems.\NSo we are Bob, some system administrator Dialogue: 0,0:25:35.10,0:25:39.73,Default,,0000,0000,0000,,probably or Bob is a sys admin and we are\Ntrying to add some additional rules and Dialogue: 0,0:25:39.73,0:25:44.59,Default,,0000,0000,0000,,stuff, then what actually can we do? So\None example that I listed here is doing Dialogue: 0,0:25:44.59,0:25:49.98,Default,,0000,0000,0000,,this SMTP callback, and that means that we\Nare just the when we receive e-mail from Dialogue: 0,0:25:49.98,0:25:56.97,Default,,0000,0000,0000,,Alice, we actually check does that email\Nexist at all? Because many spammers, what Dialogue: 0,0:25:56.97,0:26:02.00,Default,,0000,0000,0000,,they will do, they will just send e-mail\Nfrom non existing emails and it will work Dialogue: 0,0:26:02.00,0:26:08.64,Default,,0000,0000,0000,,by if you are just running raw SMTP\Nserver. So SMTP callback is basically you Dialogue: 0,0:26:08.64,0:26:13.30,Default,,0000,0000,0000,,are when you are receiving email from, for\Nexample. Alice, you are trying. You are Dialogue: 0,0:26:13.30,0:26:17.22,Default,,0000,0000,0000,,running, spawning a separate process which\Nwill try to connect back to Alice, etc. Dialogue: 0,0:26:17.22,0:26:24.50,Default,,0000,0000,0000,,And it will try to send email her. If a\Nserver says that. Yeah, that's okay. Such Dialogue: 0,0:26:24.50,0:26:27.54,Default,,0000,0000,0000,,email exists and so on. You are not like,\Nyou actually stop the conversation. 
You Dialogue: 0,0:26:27.54,0:26:31.29,Default,,0000,0000,0000,,don't continue with sending email, but\Nthen your system can automatically find Dialogue: 0,0:26:31.29,0:26:36.57,Default,,0000,0000,0000,,that actually this e-mail really exists.\NSo another way to do this is through Dialogue: 0,0:26:36.57,0:26:42.03,Default,,0000,0000,0000,,checking this "Hello". And this is the\Nfirst line and the first line, it's, Dialogue: 0,0:26:42.03,0:26:48.00,Default,,0000,0000,0000,,normally it should tell you the hostname\Nof the server that is sending email. Dialogue: 0,0:26:48.00,0:26:52.58,Default,,0000,0000,0000,,Interesting part. So according to RFC\Nagain, you shouldn't check it that you Dialogue: 0,0:26:52.58,0:26:56.54,Default,,0000,0000,0000,,shouldn't verify. And if it doesn't, if\Nit's a random thing, you should accept Dialogue: 0,0:26:56.54,0:27:04.52,Default,,0000,0000,0000,,email still. But what many servers will do\Nis they will try to verify that. First of Dialogue: 0,0:27:04.52,0:27:07.80,Default,,0000,0000,0000,,all, this hostname, which you are telling\Nthat you have this hostname. First of all, Dialogue: 0,0:27:07.80,0:27:12.80,Default,,0000,0000,0000,,that it really points to the same IP\Naddress and then they do the opposite. So Dialogue: 0,0:27:12.80,0:27:18.88,Default,,0000,0000,0000,,they will take IP address and try to run a\Nreverse DNS PTR query and they will try to Dialogue: 0,0:27:18.88,0:27:23.15,Default,,0000,0000,0000,,find whether that IP address really\Nresponds to this hostname. So again, as a Dialogue: 0,0:27:23.15,0:27:26.52,Default,,0000,0000,0000,,penetration testers we should be aware of\Nthese protections, ad hoc protections, Dialogue: 0,0:27:26.52,0:27:31.04,Default,,0000,0000,0000,,because they are if you don't know about\Nthem, you will try running something and Dialogue: 0,0:27:31.04,0:27:34.70,Default,,0000,0000,0000,,it won't work for you. 
But they are easy\Nif you are aware of them and if you have Dialogue: 0,0:27:34.70,0:27:40.47,Default,,0000,0000,0000,,to identify that this organization uses\Nthem. They are easy to bypass so that they Dialogue: 0,0:27:40.47,0:27:44.53,Default,,0000,0000,0000,,don't offer good protection. They are\Nmeant to protect from mass abuse from Dialogue: 0,0:27:44.53,0:27:52.91,Default,,0000,0000,0000,,spam. OK, so SMTP, as we've seen, by\Nitself does not do does not offer any Dialogue: 0,0:27:52.91,0:27:59.38,Default,,0000,0000,0000,,protection. So which additions to the\Nprotocol actually can we use to protect Dialogue: 0,0:27:59.38,0:28:06.86,Default,,0000,0000,0000,,ourselves? One of such protocols is SPF.\NAnd what SPF does is it's trying to be Dialogue: 0,0:28:06.86,0:28:12.87,Default,,0000,0000,0000,,like mirror MX system. MX system is the\None which basically Alice can use to Dialogue: 0,0:28:12.87,0:28:18.15,Default,,0000,0000,0000,,Alice's server can use to automatically\Nfind the server that belongs to Bob and Dialogue: 0,0:28:18.15,0:28:24.58,Default,,0000,0000,0000,,its incoming server. So. SPF is the\Nopposite of that. So that's an idea is Dialogue: 0,0:28:24.58,0:28:30.27,Default,,0000,0000,0000,,here to run the system automatically on\Nthe Bob's incoming server. And now when Dialogue: 0,0:28:30.27,0:28:35.72,Default,,0000,0000,0000,,Bob receives the e-mail, they can run\Nagain DNS query and they can find what IP Dialogue: 0,0:28:35.72,0:28:41.82,Default,,0000,0000,0000,,addresses actually should belong to\NAlice's outgoing server. Right. So it's I Dialogue: 0,0:28:41.82,0:28:45.78,Default,,0000,0000,0000,,think it's easy to understand it's\Nactually a meaningful way. It sounds Dialogue: 0,0:28:45.78,0:28:52.57,Default,,0000,0000,0000,,meaningful addition. And the one field\Nthat is checked in this example is this Dialogue: 0,0:28:52.57,0:28:59.36,Default,,0000,0000,0000,,envelope sender. OK. 
And here's an example\Nof minimal SPF syntax and the as we can Dialogue: 0,0:28:59.36,0:29:04.61,Default,,0000,0000,0000,,see. I think it's easy to understand, even\Nif you don't know the syntax is it lists Dialogue: 0,0:29:04.61,0:29:08.47,Default,,0000,0000,0000,,IP address, which is IP, should be IP\Naddress of outgoing server, legitimate Dialogue: 0,0:29:08.47,0:29:12.78,Default,,0000,0000,0000,,outgoing server. And then it says this\N"-all" which again, is easy to understand. Dialogue: 0,0:29:12.78,0:29:18.70,Default,,0000,0000,0000,,In this case, it means that that's the\Nonly one. So if you receive a message, Dialogue: 0,0:29:18.70,0:29:22.98,Default,,0000,0000,0000,,message comes from this IP address. That's\Ncool. I accept it. If it's something else, Dialogue: 0,0:29:22.98,0:29:27.19,Default,,0000,0000,0000,,then just drop it. And there are multiple\Nways to specify the IP address. You could Dialogue: 0,0:29:27.19,0:29:31.61,Default,,0000,0000,0000,,just specify the IP address. You could\Nspecify IP subnet, you could specify DNS Dialogue: 0,0:29:31.61,0:29:37.07,Default,,0000,0000,0000,,hostname. So it's just for admin. So\Nbasically for a penetration test, it Dialogue: 0,0:29:37.07,0:29:44.75,Default,,0000,0000,0000,,doesn't do much different, for admins it's\Njust easier to maintain these systems. And Dialogue: 0,0:29:44.75,0:29:49.62,Default,,0000,0000,0000,,then there are these qualifiers,\Nqualifiers. This is what's something which Dialogue: 0,0:29:49.62,0:29:56.16,Default,,0000,0000,0000,,you put before the methods. For example,\Nhere in this example, IPv4 before doesn't Dialogue: 0,0:29:56.16,0:30:00.10,Default,,0000,0000,0000,,have any qualifier. There's no plus or\Nminus or something. That's because plus is Dialogue: 0,0:30:00.10,0:30:03.91,Default,,0000,0000,0000,,assumed by default. 
So by default,\Neverything that is listed in SPF record Dialogue: 0,0:30:03.91,0:30:12.60,Default,,0000,0000,0000,,will should the match some legitimate SMTP\Nserver, outgoing server. However. There Dialogue: 0,0:30:12.60,0:30:15.85,Default,,0000,0000,0000,,are other options you could use minus\Nwhich is fail. And that means if something Dialogue: 0,0:30:15.85,0:30:20.38,Default,,0000,0000,0000,,matches this record, for example, minus\Nall is the one which is the most often Dialogue: 0,0:30:20.38,0:30:26.71,Default,,0000,0000,0000,,used, it means if it matches this one, so\Nthat's usually the last one, then please Dialogue: 0,0:30:26.71,0:30:32.09,Default,,0000,0000,0000,,drop the mail. It's not real. It's it's\Nfake mail. And then there's this third Dialogue: 0,0:30:32.09,0:30:37.15,Default,,0000,0000,0000,,option, which is softfail, and that's\Nmeant for testing period. So when you are Dialogue: 0,0:30:37.15,0:30:42.69,Default,,0000,0000,0000,,just starting to implement SPF, there\Nmight be some. So the problem is that you Dialogue: 0,0:30:42.69,0:30:47.73,Default,,0000,0000,0000,,might forget, for example, to add some\NSMTP servers. So because you haven't done Dialogue: 0,0:30:47.73,0:30:52.75,Default,,0000,0000,0000,,it before, maybe you think you have only\None SMTP actually outgoing server. But in Dialogue: 0,0:30:52.75,0:30:56.36,Default,,0000,0000,0000,,fact, you have multiple of them or\Nmultiple ways to send e-mail. So in that Dialogue: 0,0:30:56.36,0:31:03.60,Default,,0000,0000,0000,,case, if you were to start set that SPF\Nrecord with "fail" strong policy, then Dialogue: 0,0:31:03.60,0:31:07.23,Default,,0000,0000,0000,,your users won't be able to send the\Nmessage anymore. So that's why testing is Dialogue: 0,0:31:07.23,0:31:13.46,Default,,0000,0000,0000,,good. However. Here are some other\Nexamples, a bit more complicated. One of Dialogue: 0,0:31:13.46,0:31:16.40,Default,,0000,0000,0000,,them is was include. 
So instead of\Ndefining the policy yourself because Dialogue: 0,0:31:16.40,0:31:19.27,Default,,0000,0000,0000,,you're using third party, for example,\NGoogle in this example, and then you will Dialogue: 0,0:31:19.27,0:31:24.72,Default,,0000,0000,0000,,just include whatever Google has\Npublished. And the interesting thing is Dialogue: 0,0:31:24.72,0:31:31.53,Default,,0000,0000,0000,,this usage of SPF. If we just if we just\Nlook at the amount of domains that have Dialogue: 0,0:31:31.53,0:31:36.89,Default,,0000,0000,0000,,defined some sort of policy, that the\Nnumber looks pretty okay. I guess that's Dialogue: 0,0:31:36.89,0:31:42.29,Default,,0000,0000,0000,,for example for most popular domains\Nthat's around 70 percent. But the problem Dialogue: 0,0:31:42.29,0:31:45.71,Default,,0000,0000,0000,,is that the majority of them are either\Npoorly configured or they just use the Dialogue: 0,0:31:45.71,0:31:51.79,Default,,0000,0000,0000,,softfail option. And what softfail\Npractically does is nothing. You still can Dialogue: 0,0:31:51.79,0:31:56.70,Default,,0000,0000,0000,,even if there is policy with softfail, you\Ncan in most cases you can spoof your email Dialogue: 0,0:31:56.70,0:32:00.72,Default,,0000,0000,0000,,and it will still go because the recipient\Nside will think that it's just in the Dialogue: 0,0:32:00.72,0:32:07.94,Default,,0000,0000,0000,,testing mode. You shouldn't drop e-mail\Nautomatically. Yeah. So. Actually, the Dialogue: 0,0:32:07.94,0:32:13.91,Default,,0000,0000,0000,,percentage isn't that great. However, the\Nmost important thing for us as penetration Dialogue: 0,0:32:13.91,0:32:18.42,Default,,0000,0000,0000,,testers is to understand. So what do we do\Nwhen we see this SPF. That means that now Dialogue: 0,0:32:18.42,0:32:24.67,Default,,0000,0000,0000,,we can't spoof mail and. No, it does not.\NThat it's game over for us. We can do some Dialogue: 0,0:32:24.67,0:32:30.06,Default,,0000,0000,0000,,stuff. 
So first of all, is this softfail\Nthat I mentioned. And that's basically you Dialogue: 0,0:32:30.06,0:32:33.83,Default,,0000,0000,0000,,have some rules, rules, rules, and then in\Nthe end, you are putting typically just Dialogue: 0,0:32:33.83,0:32:41.46,Default,,0000,0000,0000,,this softfail at all. So if we as a\Npenetration testers will try spoofing from Dialogue: 0,0:32:41.46,0:32:46.33,Default,,0000,0000,0000,,some unknown IP address that hasn't been\Nlisted in the previous rules. Then do Dialogue: 0,0:32:46.33,0:32:51.52,Default,,0000,0000,0000,,nothing. Do nothing. I mean, don't drop\Nemail. That is good for us, right? That Dialogue: 0,0:32:51.52,0:32:56.72,Default,,0000,0000,0000,,means that we can actually spoof just in\Nthe same old way and it will mostly go. So Dialogue: 0,0:32:56.72,0:33:02.25,Default,,0000,0000,0000,,the one great one note here is that some\Nsystems are you are not using just this Dialogue: 0,0:33:02.25,0:33:06.59,Default,,0000,0000,0000,,binary classification, whether something\Nis good or bad, but they are trying to run Dialogue: 0,0:33:06.59,0:33:11.32,Default,,0000,0000,0000,,some scoring. And then it might be that\Neven if you have this soft fail, they Dialogue: 0,0:33:11.32,0:33:16.37,Default,,0000,0000,0000,,won't automatically drop your e-mail, but\Nmaybe they will add some like suspicious Dialogue: 0,0:33:16.37,0:33:22.54,Default,,0000,0000,0000,,level to it. But important thing is that\Nit's not automatically a game over. Dialogue: 0,0:33:22.54,0:33:29.97,Default,,0000,0000,0000,,Another thing is this include. So include\Nis it very convenient when you are using Dialogue: 0,0:33:29.97,0:33:36.33,Default,,0000,0000,0000,,third parties. But the problem is that\Nit's not what it sounds to some people, at Dialogue: 0,0:33:36.33,0:33:43.10,Default,,0000,0000,0000,,least even in the standard, it mentions\Nthat it was a poorly chosen name. 
And the Dialogue: 0,0:33:43.10,0:33:48.11,Default,,0000,0000,0000,,reason for that is that it's not a macro.\NSo to understand what's happening when Dialogue: 0,0:33:48.11,0:33:52.72,Default,,0000,0000,0000,,this included, you shouldn't just copy\Npaste everything from inside recursively Dialogue: 0,0:33:52.72,0:33:58.34,Default,,0000,0000,0000,,to the top level. It's not how it works.\NIt will try running all the checks inside Dialogue: 0,0:33:58.34,0:34:05.48,Default,,0000,0000,0000,,this include. But then if it fails, it\Nwon't automatically drop the message. It Dialogue: 0,0:34:05.48,0:34:10.25,Default,,0000,0000,0000,,will go to the one level top and it will\Ntry running the other rules. So the Dialogue: 0,0:34:10.25,0:34:14.51,Default,,0000,0000,0000,,problem with that is that two cases that\Nare the most common is that either if you Dialogue: 0,0:34:14.51,0:34:20.57,Default,,0000,0000,0000,,just forget to add this minus all to , or\Nyour system administrator who has Dialogue: 0,0:34:20.57,0:34:26.47,Default,,0000,0000,0000,,forgotten to do that. In that case, even\Nif they include has minus all, it won't Dialogue: 0,0:34:26.47,0:34:34.09,Default,,0000,0000,0000,,work because I mean, it would because when\Nthe recipient will be checking it minus Dialogue: 0,0:34:34.09,0:34:39.57,Default,,0000,0000,0000,,all inside include does not mean the same\Nas it does on the top level. And the Dialogue: 0,0:34:39.57,0:34:43.80,Default,,0000,0000,0000,,second would be if they have added all but\Ndid softfail all. And some admins might Dialogue: 0,0:34:43.80,0:34:47.81,Default,,0000,0000,0000,,think that. But that's okay because I'm\Nincluding GMail and GMail has this hard Dialogue: 0,0:34:47.81,0:34:54.41,Default,,0000,0000,0000,,fail. Doesn't work that way. 
And then one,\Nwhich actually is I think maybe the most Dialogue: 0,0:34:54.41,0:35:00.00,Default,,0000,0000,0000,,common case, is that something often you\Nactually see this type of SPF records, but Dialogue: 0,0:35:00.00,0:35:03.57,Default,,0000,0000,0000,,there is lots of stuff inside there is IP\Naddresses. There are these A records, Dialogue: 0,0:35:03.57,0:35:07.89,Default,,0000,0000,0000,,there is a MX. There is a pointer.\NBasically, everything that the admins Dialogue: 0,0:35:07.89,0:35:12.99,Default,,0000,0000,0000,,could think of and the reason is that the\Nmost commonly, they are just not sure how Dialogue: 0,0:35:12.99,0:35:17.10,Default,,0000,0000,0000,,it works. They're not sure what they\Nshould put inside. So, for example, one Dialogue: 0,0:35:17.10,0:35:24.84,Default,,0000,0000,0000,,thing that the point that out is if there\Nis a MX record inside the SPF, most Dialogue: 0,0:35:24.84,0:35:27.93,Default,,0000,0000,0000,,commonly most organizations, unless they\Nare very small and just have one server, Dialogue: 0,0:35:27.93,0:35:31.06,Default,,0000,0000,0000,,they will have different servers,\Ndifferent IP addresses for outgoing mail Dialogue: 0,0:35:31.06,0:35:34.50,Default,,0000,0000,0000,,and for incoming mail. That means there is\Nno practical for this organization,here is Dialogue: 0,0:35:34.50,0:35:41.11,Default,,0000,0000,0000,,no practical reason to include MX into SPF\Nbecause no, no mail should go out through Dialogue: 0,0:35:41.11,0:35:45.90,Default,,0000,0000,0000,,their incoming mail server. And another\Ncase might be that the admins understand Dialogue: 0,0:35:45.90,0:35:51.47,Default,,0000,0000,0000,,how it works, but it's really, truly their\Narchitecture is really messy and they are Dialogue: 0,0:35:51.47,0:35:55.73,Default,,0000,0000,0000,,sending emails from many, many different\Npoints, which is good for penetration Dialogue: 0,0:35:55.73,0:36:03.36,Default,,0000,0000,0000,,testers. That means that they are not well\Norganized. 
OK. And then there's another Dialogue: 0,0:36:03.36,0:36:09.22,Default,,0000,0000,0000,,flaw, which is that granularity isn't very\Nwell suited. So the only thing you can. Dialogue: 0,0:36:09.22,0:36:13.80,Default,,0000,0000,0000,,There are multiple this record types. But\Nall they do basically are resolve the IP Dialogue: 0,0:36:13.80,0:36:19.65,Default,,0000,0000,0000,,address. But the as you can imagine, in\Nmany cases, IP is not linked just to mail Dialogue: 0,0:36:19.65,0:36:24.23,Default,,0000,0000,0000,,server. So on one IP, there might be mail\Nserver and web server or database or Dialogue: 0,0:36:24.23,0:36:28.07,Default,,0000,0000,0000,,something else. And that means that as a\Npenetration tester, you can exploit this Dialogue: 0,0:36:28.07,0:36:32.34,Default,,0000,0000,0000,,something else. Not mail server itself,\Nbecause mailserver usually is pretty like Dialogue: 0,0:36:32.34,0:36:36.74,Default,,0000,0000,0000,,low key. There's not many vulnerabilities\Nthere. You just patch them and that's it. Dialogue: 0,0:36:36.74,0:36:42.74,Default,,0000,0000,0000,,But those other systems, for example, web,\Nit's easy to exploit. In most cases. So Dialogue: 0,0:36:42.74,0:36:46.68,Default,,0000,0000,0000,,then you can elevate like in some sort\Nelevate privileges by gaining access Dialogue: 0,0:36:46.68,0:36:50.81,Default,,0000,0000,0000,,through some other server on that IP\Naddress or IP range. You can start sending Dialogue: 0,0:36:50.81,0:36:59.86,Default,,0000,0000,0000,,mails. They will pass all SPF filters. OK.\NSo one example is shared hosting, which is Dialogue: 0,0:36:59.86,0:37:04.95,Default,,0000,0000,0000,,the very common case and the problem with\Nshared hosting is that. In this case. Dialogue: 0,0:37:04.95,0:37:10.36,Default,,0000,0000,0000,,Okay. You have IP address of SMTP server.\NMaybe that's server only used for sending Dialogue: 0,0:37:10.36,0:37:15.90,Default,,0000,0000,0000,,mails. But the server itself works not\Njust for you. 
It works for many domains, Dialogue: 0,0:37:15.90,0:37:18.85,Default,,0000,0000,0000,,maybe hundreds of thousand domains. That\Nmeans as an attacker, again, you can Dialogue: 0,0:37:18.85,0:37:24.29,Default,,0000,0000,0000,,exploit at least one of them, or for\Nshared hosting you can just buy. You can Dialogue: 0,0:37:24.29,0:37:26.94,Default,,0000,0000,0000,,become a customer of that shared hosting.\NYou don't even need to exploit anything. Dialogue: 0,0:37:26.94,0:37:31.75,Default,,0000,0000,0000,,And then you can potentially start sending\Nemail, which will look good as far as SPF Dialogue: 0,0:37:31.75,0:37:38.14,Default,,0000,0000,0000,,is concerned, just like their own. So. And\Nthe another one is this checking wrong Dialogue: 0,0:37:38.14,0:37:44.96,Default,,0000,0000,0000,,identifier. And this is probably the\Nworst, worst problem with SPF. It is that, Dialogue: 0,0:37:44.96,0:37:49.64,Default,,0000,0000,0000,,as I mentioned before, the one there are\Nat least two identifiers. Typically Dialogue: 0,0:37:49.64,0:37:53.74,Default,,0000,0000,0000,,envelope sender, the outer one, which\Nlists the sender, and then there is Dialogue: 0,0:37:53.74,0:37:58.59,Default,,0000,0000,0000,,internal one, which is usually "from"\Nheader. But out of those two SPF only Dialogue: 0,0:37:58.59,0:38:03.14,Default,,0000,0000,0000,,checks, if SPF is the only technology that\Nyou are using, SPF only checks the first Dialogue: 0,0:38:03.14,0:38:09.06,Default,,0000,0000,0000,,one: envelope sender. And as I mentioned,\Nin most cases, actual users that will Dialogue: 0,0:38:09.06,0:38:13.28,Default,,0000,0000,0000,,receive the mail, they won't see envelope\Nsenders. They will see this and this other Dialogue: 0,0:38:13.28,0:38:17.56,Default,,0000,0000,0000,,one "from" for example, or one of the\Nother headers they mention. So this Dialogue: 0,0:38:17.56,0:38:22.83,Default,,0000,0000,0000,,behavior is fixed actually by DMARC, which\Nis the technology that I mentioned. 
But Dialogue: 0,0:38:22.83,0:38:27.32,Default,,0000,0000,0000,,the majority of SPF installations, domains\Nthat are using SPF do not have DMARC, so Dialogue: 0,0:38:27.32,0:38:31.33,Default,,0000,0000,0000,,they are not protected by this. So even if\Ntheir SPF is completely great for Dialogue: 0,0:38:31.33,0:38:36.63,Default,,0000,0000,0000,,attacker, it means that you only need to,\Nwhat you need to do to pass SPF is a to Dialogue: 0,0:38:36.63,0:38:40.43,Default,,0000,0000,0000,,set envelope sender to something else. For\Nexample, your own controlled address, Dialogue: 0,0:38:40.43,0:38:49.01,Default,,0000,0000,0000,,which will pass all SPF checks. But then\Ninside the "from" you can show the header Dialogue: 0,0:38:49.01,0:38:56.78,Default,,0000,0000,0000,,that will match this organization that you\Nwant to pretend to be. Okay. So then there Dialogue: 0,0:38:56.78,0:39:02.31,Default,,0000,0000,0000,,is another technology which is supposed to\Nfix this and it's DKIM. As we have seen, Dialogue: 0,0:39:02.31,0:39:11.45,Default,,0000,0000,0000,,SPF is not enough. So DKIM. Sorry, the\Nwrong letters, Domainkeys identified mail. Dialogue: 0,0:39:11.45,0:39:15.10,Default,,0000,0000,0000,,That's the DKIM and you don't need to\Nremember the long name, just the short Dialogue: 0,0:39:15.10,0:39:20.22,Default,,0000,0000,0000,,name. And what it does, basically, it uses\Ncryptography, which is nice, right? It's Dialogue: 0,0:39:20.22,0:39:24.64,Default,,0000,0000,0000,,math. It's hard to break for attackers.\NAnd what it does is it signs every mail so Dialogue: 0,0:39:24.64,0:39:29.87,Default,,0000,0000,0000,,every mail that is going out through the\NDKIM enabled server will get signature, Dialogue: 0,0:39:29.87,0:39:35.06,Default,,0000,0000,0000,,which you can, as a recipient, you can\Ncryptographically verify. 
So as you can Dialogue: 0,0:39:35.06,0:39:39.94,Default,,0000,0000,0000,,see, how it looks is actually pretty hard\Nto see because it's not meant to be Dialogue: 0,0:39:39.94,0:39:44.16,Default,,0000,0000,0000,,processed by humans. It's cryptography.\NIt's meant to be processed by computers. Dialogue: 0,0:39:44.16,0:39:48.30,Default,,0000,0000,0000,,But the important part here is basically\Nthe yellow stuff is this cryptographic Dialogue: 0,0:39:48.30,0:39:55.88,Default,,0000,0000,0000,,signature. But the green part is what's\Ncalled domain identifier. And the red part Dialogue: 0,0:39:55.88,0:40:02.27,Default,,0000,0000,0000,,is what's called. I don't remember how\Nit's called {\i1}laughs{\i0}. But basically it's Dialogue: 0,0:40:02.27,0:40:07.16,Default,,0000,0000,0000,,idea is that you can have multiple keys\Nfor your organization, for example, your Dialogue: 0,0:40:07.16,0:40:12.39,Default,,0000,0000,0000,,organization might be sending mails from\Nyour original SMTP server, then you might Dialogue: 0,0:40:12.39,0:40:17.65,Default,,0000,0000,0000,,have a backup one or you might have might\Nbe sending some messages from Google or Dialogue: 0,0:40:17.65,0:40:21.76,Default,,0000,0000,0000,,some marketing campaign and so on. And\Nthen each of them might have different Dialogue: 0,0:40:21.76,0:40:26.97,Default,,0000,0000,0000,,"red", this parameter. The problem is and\Nthen the recipient will need to run DNS Dialogue: 0,0:40:26.97,0:40:32.53,Default,,0000,0000,0000,,query, which is the second example using\Nthis combination of green and red one. And Dialogue: 0,0:40:32.53,0:40:36.99,Default,,0000,0000,0000,,then they will get the public key and they\Ncan use this public key to verify the Dialogue: 0,0:40:36.99,0:40:43.80,Default,,0000,0000,0000,,signature. So it's sounds really nice. The\Nproblem here is no, another problem yet. Dialogue: 0,0:40:43.80,0:40:48.73,Default,,0000,0000,0000,,So how to use it? I think it's easy if you\Nunderstand the public cryptography. 
So on Dialogue: 0,0:40:48.73,0:40:52.44,Default,,0000,0000,0000,,the sender side, you need to first\Ngenerate public and private keypairr. Then Dialogue: 0,0:40:52.44,0:40:56.27,Default,,0000,0000,0000,,you publish the public part in the DNS.\NThen you use private key to sign each Dialogue: 0,0:40:56.27,0:41:00.48,Default,,0000,0000,0000,,message. Now recipient does sort of the\Nopposite. They once they receive the Dialogue: 0,0:41:00.48,0:41:04.38,Default,,0000,0000,0000,,email, they figure out from this red and\Ngreen part they figured out the correct Dialogue: 0,0:41:04.38,0:41:09.00,Default,,0000,0000,0000,,DNS record to run, run it, get the public\Nkey and then compare whether this public Dialogue: 0,0:41:09.00,0:41:12.53,Default,,0000,0000,0000,,key corresponds to the signature. So it\Nsounds really nice, right? What's the Dialogue: 0,0:41:12.53,0:41:19.17,Default,,0000,0000,0000,,problem? So customers. Selectors, that's\Nthe name. So the problem with that is that Dialogue: 0,0:41:19.17,0:41:27.31,Default,,0000,0000,0000,,the selectors there might be multiple\Nselectors as a DKIM when you are doing Dialogue: 0,0:41:27.31,0:41:31.67,Default,,0000,0000,0000,,configuration, you can select as many of\Nthis custom selectors as you want, and the Dialogue: 0,0:41:31.67,0:41:37.17,Default,,0000,0000,0000,,recipient doesn't know whether you\Nactually should have used a selector and Dialogue: 0,0:41:37.17,0:41:41.60,Default,,0000,0000,0000,,what selector you should have used. So the\Nproblem is that while, if we are talking Dialogue: 0,0:41:41.60,0:41:48.69,Default,,0000,0000,0000,,just about the vanilla DKIM, modifying\Nexisting signature is hard for penetration Dialogue: 0,0:41:48.69,0:41:52.63,Default,,0000,0000,0000,,tester or for an attacker. 
But it's easy\Nto just remove it because if you have Dialogue: 0,0:41:52.63,0:41:57.62,Default,,0000,0000,0000,,removed DKIM at all the header, the\Nrecipient doesn't know that it should have Dialogue: 0,0:41:57.62,0:42:03.55,Default,,0000,0000,0000,,been there because in order to check, they\Nneed to. So here, for example, in order to Dialogue: 0,0:42:03.55,0:42:08.64,Default,,0000,0000,0000,,check the signature, I need to know this\Ngreen part. This domain identifier and the Dialogue: 0,0:42:08.64,0:42:14.71,Default,,0000,0000,0000,,selector which are part of this header.\NRight. So that's a huge problem. And that Dialogue: 0,0:42:14.71,0:42:20.82,Default,,0000,0000,0000,,means that. Yeah. That means that we can\Nactually while we can't spoof DKIM itself, Dialogue: 0,0:42:20.82,0:42:26.70,Default,,0000,0000,0000,,we can just trim DKIM, send the message\Nwithout it. And if the DKIM was the only Dialogue: 0,0:42:26.70,0:42:31.50,Default,,0000,0000,0000,,thing which protected this system, it will\Nwork. So it might not get the green Dialogue: 0,0:42:31.50,0:42:37.31,Default,,0000,0000,0000,,checkmark or whatever, but it will get to\Nthe recipient. So. And another thing is Dialogue: 0,0:42:37.31,0:42:43.04,Default,,0000,0000,0000,,this domain selector. Why do we even need\Nto set that? Because the best practice, of Dialogue: 0,0:42:43.04,0:42:48.28,Default,,0000,0000,0000,,course, is that you have envelope sender\Nequal to "from" header equal to this DKIM Dialogue: 0,0:42:48.28,0:42:52.43,Default,,0000,0000,0000,,domain selector. Right. So if you are if I\Nam sending from Alice, then all three Dialogue: 0,0:42:52.43,0:42:59.03,Default,,0000,0000,0000,,should be Alice.org or whatever. The\Nproblem is that it's not mentioned in RFC Dialogue: 0,0:42:59.03,0:43:04.03,Default,,0000,0000,0000,,that that should be the case. So what\Nexactly happens when it is not that way? 
Dialogue: 0,0:43:04.03,0:43:09.62,Default,,0000,0000,0000,,For example, on the right side there is\Nsome real domain which was using Gmail, Dialogue: 0,0:43:09.62,0:43:17.47,Default,,0000,0000,0000,,Google Apps, Google suite, and in that case\Nthe default by default Google suite will Dialogue: 0,0:43:17.47,0:43:22.43,Default,,0000,0000,0000,,sign all messages. But if you do not do\Nyour own configuration, it will sign them Dialogue: 0,0:43:22.43,0:43:28.37,Default,,0000,0000,0000,,with domain it controls, which is this\N"gappssmtp". And what it means is that Dialogue: 0,0:43:28.37,0:43:32.58,Default,,0000,0000,0000,,although technically something has been\Nsigned with DKIM, it wasn't signed in the Dialogue: 0,0:43:32.58,0:43:36.41,Default,,0000,0000,0000,,way that you can trace back to your\Norganisation. It's something completely Dialogue: 0,0:43:36.41,0:43:40.07,Default,,0000,0000,0000,,else. What exactly recipient should do in\Nthat case? Should they just ignore it? Dialogue: 0,0:43:40.07,0:43:43.86,Default,,0000,0000,0000,,Should they reject the message or\Nsomething? So the correct way would be not Dialogue: 0,0:43:43.86,0:43:49.38,Default,,0000,0000,0000,,to reject it, but just consider it not\Nvalid, at least not not a valid DKIM, but Dialogue: 0,0:43:49.38,0:43:53.83,Default,,0000,0000,0000,,it actually depends. So some validators\Nwill just see any DKIM, will validate it Dialogue: 0,0:43:53.83,0:44:01.23,Default,,0000,0000,0000,,and will say that's cool that matches RFC.\NSo but now the interesting part. Modifying Dialogue: 0,0:44:01.23,0:44:06.71,Default,,0000,0000,0000,,DKIM, which I don't have time for. But the\Nidea is that in some cases this is not Dialogue: 0,0:44:06.71,0:44:11.34,Default,,0000,0000,0000,,always but sometimes you actually can\Nmodify. 
The easiest part to modify in the Dialogue: 0,0:44:11.34,0:44:17.19,Default,,0000,0000,0000,,messages are headers because DKIM, since\Nit's placed in headers itself, it does not Dialogue: 0,0:44:17.19,0:44:21.30,Default,,0000,0000,0000,,automatically sign all headers. There's\Nlike a chicken and egg problem. So by Dialogue: 0,0:44:21.30,0:44:26.17,Default,,0000,0000,0000,,default it only signs one or two headers\Nand you can specify more headers that need Dialogue: 0,0:44:26.17,0:44:30.91,Default,,0000,0000,0000,,to be signed, but it doesn't happen\Nautomatically. So the easy part for Dialogue: 0,0:44:30.91,0:44:35.57,Default,,0000,0000,0000,,attacker is to add another header. If\Nthat somehow helps you in your like Dialogue: 0,0:44:35.57,0:44:40.40,Default,,0000,0000,0000,,plan, then that's easy to do. You just add\Nanother header. An interesting part is, Dialogue: 0,0:44:40.40,0:44:43.94,Default,,0000,0000,0000,,although the RFC, as I mentioned before,\Nmentions that some headers such as Dialogue: 0,0:44:43.94,0:44:49.18,Default,,0000,0000,0000,,"subject" or "from" should only be present\Nin one copy. Actually you could add more Dialogue: 0,0:44:49.18,0:44:53.09,Default,,0000,0000,0000,,than one for example "from" header, and\Nwhat happens in that case is pretty Dialogue: 0,0:44:53.09,0:44:59.37,Default,,0000,0000,0000,,interesting. DKIM will match if you have\Ntold to DKIM that "from" header should be, Dialogue: 0,0:44:59.37,0:45:04.15,Default,,0000,0000,0000,,for example, signed, then it will match\Nand sign first "from" header from the Dialogue: 0,0:45:04.15,0:45:11.28,Default,,0000,0000,0000,,bottom. But quite a lot of software in our\Nsoftware email clients will actually only Dialogue: 0,0:45:11.28,0:45:16.81,Default,,0000,0000,0000,,display to the user first from the other\Nside, from the up side. 
So what it means Dialogue: 0,0:45:16.81,0:45:23.94,Default,,0000,0000,0000,,is that the attacker can mangle or\Noverwrite headers by just adding new Dialogue: 0,0:45:23.94,0:45:29.55,Default,,0000,0000,0000,,headers to the top. And the this actually\Nproblem is mentioned in the DKIM RFC and Dialogue: 0,0:45:29.55,0:45:33.09,Default,,0000,0000,0000,,the protection that they propose is this\Ncode Over-Signing or you can go and read Dialogue: 0,0:45:33.09,0:45:38.88,Default,,0000,0000,0000,,the RFC. But not everyone is doing that\Nactually. And however, that only goes to Dialogue: 0,0:45:38.88,0:45:44.92,Default,,0000,0000,0000,,the headers. So sometimes that is good.\NSometimes that's not good. Modifying Dialogue: 0,0:45:44.92,0:45:49.50,Default,,0000,0000,0000,,message body is actually much harder to\Ndo. Basically the naive way do it through Dialogue: 0,0:45:49.50,0:45:54.07,Default,,0000,0000,0000,,cryptography, which we don't want to do.\NAnd another way is through this one Dialogue: 0,0:45:54.07,0:45:58.14,Default,,0000,0000,0000,,parameter, which is body length, and\Nthat's actually like questionable Dialogue: 0,0:45:58.14,0:46:05.12,Default,,0000,0000,0000,,functionality that DKIM has. Sometimes you\Ncan specify that the hash like. For Dialogue: 0,0:46:05.12,0:46:08.79,Default,,0000,0000,0000,,signing purposes, we shouldn't consider\Nthe whole body, but only first something Dialogue: 0,0:46:08.79,0:46:13.79,Default,,0000,0000,0000,,bytes. So that's actually useful in some\Ncases regarding was a mailing list, but Dialogue: 0,0:46:13.79,0:46:18.87,Default,,0000,0000,0000,,for the most part that's not useful. And\Nin practice, most email software does not Dialogue: 0,0:46:18.87,0:46:24.50,Default,,0000,0000,0000,,do this. If it does, then it is\Nsusceptible to potentially to this Dialogue: 0,0:46:24.50,0:46:28.87,Default,,0000,0000,0000,,overwriting body as well. 
You could add\Nanother mime type and then then modify Dialogue: 0,0:46:28.87,0:46:34.24,Default,,0000,0000,0000,,headers to show that different mime type\Nand it will pass DKIM. So in this case, it Dialogue: 0,0:46:34.24,0:46:37.57,Default,,0000,0000,0000,,actually will show, for example, the green\Nbutton or whatever, because DKIM, it will Dialogue: 0,0:46:37.57,0:46:42.63,Default,,0000,0000,0000,,be valid. So now there's the third\Ntechnology, which is called DMARC. And Dialogue: 0,0:46:42.63,0:46:47.64,Default,,0000,0000,0000,,again, there is the full name, which is\Nlong, but in this case actually it means Dialogue: 0,0:46:47.64,0:46:52.42,Default,,0000,0000,0000,,something. There are two key words:\Nreporting and conformance. Reporting is Dialogue: 0,0:46:52.42,0:46:56.66,Default,,0000,0000,0000,,the one which most admins are familiar\Nwith because that's how DMARC I think Dialogue: 0,0:46:56.66,0:47:01.62,Default,,0000,0000,0000,,often is being sold to them. Reporting\Nmeans that when you have some problems in Dialogue: 0,0:47:01.62,0:47:08.39,Default,,0000,0000,0000,,this case, you actually get get to tell\Nother side what to do in that case. So Dialogue: 0,0:47:08.39,0:47:13.31,Default,,0000,0000,0000,,basically you tell them to send you\Nreports either once per day or every time Dialogue: 0,0:47:13.31,0:47:16.89,Default,,0000,0000,0000,,and so on. So for penetration testers,\Nit's not that useful. Potentially we could Dialogue: 0,0:47:16.89,0:47:20.51,Default,,0000,0000,0000,,use that to understand what sort of\Nconfiguration is running on the other Dialogue: 0,0:47:20.51,0:47:25.00,Default,,0000,0000,0000,,side. But the currently this functionality\Nactually is not that widely implemented. Dialogue: 0,0:47:25.00,0:47:30.31,Default,,0000,0000,0000,,However, the other part conformance, it's\Nactually really, really, really powerful. 
Dialogue: 0,0:47:30.31,0:47:35.25,Default,,0000,0000,0000,,What it does, that it corrects these major\Nflaws that I mentioned in SPF and DKIM. So Dialogue: 0,0:47:35.25,0:47:39.38,Default,,0000,0000,0000,,first of all, DKIM had this massive\Nproblem that if you just strip down the Dialogue: 0,0:47:39.38,0:47:43.11,Default,,0000,0000,0000,,header, then the recipient has no way of\Nknowing whether you whether there was Dialogue: 0,0:47:43.11,0:47:49.38,Default,,0000,0000,0000,,should have been DKIM in first place. If\Nyou are using DKIM alongside with DMARC Dialogue: 0,0:47:49.38,0:47:55.27,Default,,0000,0000,0000,,that fixes the problem, because DMARC\Nspecifies just that you have DMARC itself. Dialogue: 0,0:47:55.27,0:47:59.22,Default,,0000,0000,0000,,It means that you're automatically at\Nleast one of the SPF or DKIM should pass. Dialogue: 0,0:47:59.22,0:48:03.58,Default,,0000,0000,0000,,So automatically DKIM is like measure\Nproblem solved. The other thing that Dialogue: 0,0:48:03.58,0:48:08.60,Default,,0000,0000,0000,,changes is, it changes the semantics for\NSPF. Now, SPF, if you have both SPF and Dialogue: 0,0:48:08.60,0:48:13.15,Default,,0000,0000,0000,,DMARC, it means that SPF should be checked\Nagainst "from" header. And as I mentioned, Dialogue: 0,0:48:13.15,0:48:17.32,Default,,0000,0000,0000,,that was the major flaw with SPF, because\Nif you're using SPF itself, even, it is Dialogue: 0,0:48:17.32,0:48:21.44,Default,,0000,0000,0000,,the hard to fail mode and so on, it means\Nthat attackers can modify "from" headers Dialogue: 0,0:48:21.44,0:48:26.71,Default,,0000,0000,0000,,still and the recipient won't know any\Nbetter. So a minimal example of DMARC is Dialogue: 0,0:48:26.71,0:48:31.21,Default,,0000,0000,0000,,really, really small. And I think it's\Neasy to understand. You have just a DMARC Dialogue: 0,0:48:31.21,0:48:36.89,Default,,0000,0000,0000,,reject. You need to like find out the\Nright place to specify. 
But it's easy and Dialogue: 0,0:48:36.89,0:48:40.74,Default,,0000,0000,0000,,all you have to do is create this one DNS\Nrecord. And the benefit for that is even Dialogue: 0,0:48:40.74,0:48:46.19,Default,,0000,0000,0000,,if you don't have DKIM and DMARC, if you\Nhave created. Sorry if you don't have SPF Dialogue: 0,0:48:46.19,0:48:50.68,Default,,0000,0000,0000,,and DKIM, but you have created DMARC,\Neffectively what it means is that this Dialogue: 0,0:48:50.68,0:48:57.55,Default,,0000,0000,0000,,domain should not send any mail because\Nfor recipient to consider a mail valid at Dialogue: 0,0:48:57.55,0:49:02.28,Default,,0000,0000,0000,,least SPF or DKIM should be valid as well.\NIf they are not, then they can't be valid. Dialogue: 0,0:49:02.28,0:49:07.48,Default,,0000,0000,0000,,So in fact what it means is that most\Ndomains out there should consider enabling Dialogue: 0,0:49:07.48,0:49:15.47,Default,,0000,0000,0000,,DMARC. That's just the right thing to do.\NOK. So there are more tags. So in the Dialogue: 0,0:49:15.47,0:49:22.02,Default,,0000,0000,0000,,wild, these DMARC records might be much\Nlonger, but it's not of much use to Dialogue: 0,0:49:22.02,0:49:26.01,Default,,0000,0000,0000,,penetration testers. So important part\Nhere is again, this is this policy which Dialogue: 0,0:49:26.01,0:49:31.18,Default,,0000,0000,0000,,can be three values "none", "quarantine"\Nand "reject". And if it is "quarantine", Dialogue: 0,0:49:31.18,0:49:39.11,Default,,0000,0000,0000,,that means if the, if there is a failure,\Nthe message should go to the spam folder. Dialogue: 0,0:49:39.11,0:49:42.62,Default,,0000,0000,0000,,If it's "reject", it should be rejected\Noutright. And if it's "none", it means Dialogue: 0,0:49:42.62,0:49:47.96,Default,,0000,0000,0000,,it's in investing mode. 
So and this is the\Npicture that I showed in before, which Dialogue: 0,0:49:47.96,0:49:52.40,Default,,0000,0000,0000,,shows that actually even though DMARC is\Nreally like the best technology out of Dialogue: 0,0:49:52.40,0:49:59.66,Default,,0000,0000,0000,,these three, it's not really widely used,\Nunfortunately for defenders. Quite a nice Dialogue: 0,0:49:59.66,0:50:05.07,Default,,0000,0000,0000,,fact for all penetration testers out\Nthere. That means that you can, in fact Dialogue: 0,0:50:05.07,0:50:14.55,Default,,0000,0000,0000,,spoof most of the mails out there. Okay.\NSo how do we work around it? Sorry. So. Dialogue: 0,0:50:14.55,0:50:18.48,Default,,0000,0000,0000,,What happens if actually someone has\Nimplemented DMARC? Does that mean that now Dialogue: 0,0:50:18.48,0:50:23.53,Default,,0000,0000,0000,,penetration testers can't do anything? You\Ndon't don't even need to do any research? Dialogue: 0,0:50:23.53,0:50:29.04,Default,,0000,0000,0000,,No, it doesn't. So in practice, if someone\Nhas implemented both DKIM and DMARC, but Dialogue: 0,0:50:29.04,0:50:33.86,Default,,0000,0000,0000,,not SPF, so they have only two of them.\NThat's a really cool combination. DKIM is Dialogue: 0,0:50:33.86,0:50:38.47,Default,,0000,0000,0000,,pretty powerful and the major flaw that it\Nhad DMARC solves. So this combination is Dialogue: 0,0:50:38.47,0:50:44.68,Default,,0000,0000,0000,,really cool in theory. In practice, the\Nproblem is that in order to protect your Dialogue: 0,0:50:44.68,0:50:49.75,Default,,0000,0000,0000,,own mails, the recipient side should\Nvalidate both DKIM and DMARC and Dialogue: 0,0:50:49.75,0:50:53.93,Default,,0000,0000,0000,,unfortunately, quite a lot of software\Nstill does not do that. One such software Dialogue: 0,0:50:53.93,0:50:57.92,Default,,0000,0000,0000,,is Microsoft Exchange. 
And even if you are\Nnot running Microsoft Exchange, chances Dialogue: 0,0:50:57.92,0:51:02.05,Default,,0000,0000,0000,,are good that some of the partners that\Nyou are communicating with are running Dialogue: 0,0:51:02.05,0:51:05.70,Default,,0000,0000,0000,,Microsoft Exchange, and by default it\Ndoesn't have any functionality to parse Dialogue: 0,0:51:05.70,0:51:12.62,Default,,0000,0000,0000,,DKIM. So in fact, most systems still need\Nto enable SPF just for practical purposes, Dialogue: 0,0:51:12.62,0:51:16.61,Default,,0000,0000,0000,,which is good for penetration testers\Nbecause if SPF and DMARC as enabled by Dialogue: 0,0:51:16.61,0:51:21.50,Default,,0000,0000,0000,,default together, then again that fixes\None of the major problems with SPF, but Dialogue: 0,0:51:21.50,0:51:25.86,Default,,0000,0000,0000,,does not automatically fix other problems\Nbecause there's not enough granularity and Dialogue: 0,0:51:25.86,0:51:32.12,Default,,0000,0000,0000,,the potential for misconfiguration. So.\NAnd the interesting fact is that DMARC Dialogue: 0,0:51:32.12,0:51:37.97,Default,,0000,0000,0000,,only requires that one of the other\Ntechnologies SPF or DKIM is passed in Dialogue: 0,0:51:37.97,0:51:42.75,Default,,0000,0000,0000,,order to consider email valid. There is no\Nway in DMARC, even though there are many Dialogue: 0,0:51:42.75,0:51:45.68,Default,,0000,0000,0000,,others like selectors. 
There is no way to\Nspecify that both of them should be valid Dialogue: 0,0:51:45.68,0:51:50.02,Default,,0000,0000,0000,,or that DKIM should be preferred to SPF.\NIn practice, what it means is that for Dialogue: 0,0:51:50.02,0:51:54.95,Default,,0000,0000,0000,,most systems that enable all three of\Nthem, which is a good practical solution Dialogue: 0,0:51:54.95,0:51:59.85,Default,,0000,0000,0000,,from penetration tester side we can just\Nignore DKIM outright and just focus on SPF Dialogue: 0,0:51:59.85,0:52:05.17,Default,,0000,0000,0000,,because the SPF is the weakest link in\Nthis situation. Okay. So just a minute for Dialogue: 0,0:52:05.17,0:52:11.56,Default,,0000,0000,0000,,recap. I'm not sure if I have any more\Ntime. Not many time I have. Okay. So Dialogue: 0,0:52:11.56,0:52:17.14,Default,,0000,0000,0000,,sorry. Yeah. So one really important note\Nis, when you are testing the systems, Dialogue: 0,0:52:17.14,0:52:22.27,Default,,0000,0000,0000,,consider both scenarios. So don't focus\Njust on send. If you are, for example, Dialogue: 0,0:52:22.27,0:52:27.60,Default,,0000,0000,0000,,testing Alice. Alice is the organisation\Nthat is your customer. Don't just focus on Dialogue: 0,0:52:27.60,0:52:33.57,Default,,0000,0000,0000,,testing emails sent impersonating Alice,\Nbut also as the other side. Because in Dialogue: 0,0:52:33.57,0:52:38.67,Default,,0000,0000,0000,,this here you can see that it's easy to\Nimplement for example, SPF and DMARC Dialogue: 0,0:52:38.67,0:52:43.96,Default,,0000,0000,0000,,because for both of them only you only\Nneed DNS configuration. Just one record Dialogue: 0,0:52:43.96,0:52:48.78,Default,,0000,0000,0000,,per each. However actually testing them\Nlike well validating them properly is Dialogue: 0,0:52:48.78,0:52:52.64,Default,,0000,0000,0000,,harder. For the first you need the\Nsoftware support, you need to configure it Dialogue: 0,0:52:52.64,0:52:56.58,Default,,0000,0000,0000,,correctly as well. 
So in practice it might\Nbe that many of organisations that have Dialogue: 0,0:52:56.58,0:53:01.50,Default,,0000,0000,0000,,enabled DMARC or SPF on the DNS side for\Noutgoing mails, they are not actually Dialogue: 0,0:53:01.50,0:53:07.96,Default,,0000,0000,0000,,properly validating it. Yeah. Okay. Sorry,\NI don't have time for that. So probably. Dialogue: 0,0:53:07.96,0:53:16.01,Default,,0000,0000,0000,,That's it. Sorry. Maybe some questions. Dialogue: 0,0:53:16.01,0:53:24.60,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:53:24.60,0:53:29.72,Default,,0000,0000,0000,,Herald: Thanks, Andrew, for this nice\Ntalk. Sure. We have time for a couple of Dialogue: 0,0:53:29.72,0:53:33.84,Default,,0000,0000,0000,,questions. So there I already see one\Nperson, microphone number two. Dialogue: 0,0:53:33.84,0:53:40.15,Default,,0000,0000,0000,,M2: Hey, thanks a lot. Do you know some\Ngood tools to monitor DMARC reports that I Dialogue: 0,0:53:40.15,0:53:44.34,Default,,0000,0000,0000,,get sent by my recipients?\NA: Yeah. So this is a really good Dialogue: 0,0:53:44.34,0:53:49.94,Default,,0000,0000,0000,,question. We as a CERT, we are really\Nsuggesting everyone to enable this tool, Dialogue: 0,0:53:49.94,0:53:55.19,Default,,0000,0000,0000,,but unfortunately, as far as I know, all\Nthe tools that are popular on the Dialogue: 0,0:53:55.19,0:53:59.67,Default,,0000,0000,0000,,Internet, they are collecting some data on\Nyou. So they are using it for marketing Dialogue: 0,0:53:59.67,0:54:04.41,Default,,0000,0000,0000,,purposes, so they are not very good for\Nprivacy, if you are concerned about that. Dialogue: 0,0:54:04.41,0:54:07.88,Default,,0000,0000,0000,,So you need to implement something\Nyourself or you need to look at some, Dialogue: 0,0:54:07.88,0:54:12.18,Default,,0000,0000,0000,,start some open source project maybe.\NHerald: OK. Microphone number one, please. Dialogue: 0,0:54:12.18,0:54:16.43,Default,,0000,0000,0000,,M1: Thank you for the good talk. 
Me\Nmyself, I would consider myself a mail Dialogue: 0,0:54:16.43,0:54:23.61,Default,,0000,0000,0000,,administrator. I sometimes get advised to\Nshorten your SPF record because if it's Dialogue: 0,0:54:23.61,0:54:28.86,Default,,0000,0000,0000,,too long, it gets dropped anyway. For\Nthat, I sometimes get advised to drop the Dialogue: 0,0:54:28.86,0:54:34.93,Default,,0000,0000,0000,,PTR record. But in your talk, you say the\NPTR record is useful for reverse DNS Dialogue: 0,0:54:34.93,0:54:39.55,Default,,0000,0000,0000,,checking, which I find very useful as\Nwell. How are you about shortening your Dialogue: 0,0:54:39.55,0:54:42.92,Default,,0000,0000,0000,,SPF and how are you about the PTR record\Nin general? Dialogue: 0,0:54:42.92,0:54:47.53,Default,,0000,0000,0000,,A: Well, it really depends on your\Nparticular use case. So it might be the Dialogue: 0,0:54:47.53,0:54:51.23,Default,,0000,0000,0000,,case that some organizations really need\Nthis longer SPF and there's not no way Dialogue: 0,0:54:51.23,0:54:55.80,Default,,0000,0000,0000,,around that you could do. What you could\Ndo is include this, include use includes Dialogue: 0,0:54:55.80,0:55:01.48,Default,,0000,0000,0000,,because they won't be they are not macros,\Nso they won't get expanded. They do not Dialogue: 0,0:55:01.48,0:55:07.76,Default,,0000,0000,0000,,like your record doesn't become longer if\Nyou include and use many includes. But the Dialogue: 0,0:55:07.76,0:55:12.12,Default,,0000,0000,0000,,problem, which I would suggest to you is\Nactually reconsider whether it's a really Dialogue: 0,0:55:12.12,0:55:16.97,Default,,0000,0000,0000,,whether you really need that many records\Nif it's still long, because they're a very Dialogue: 0,0:55:16.97,0:55:20.50,Default,,0000,0000,0000,,common problem, is that unless you are\NGoogle or something like that, you don't Dialogue: 0,0:55:20.50,0:55:26.66,Default,,0000,0000,0000,,really need that long SPF. It's probably\Nsome problem with some. Yeah. 
So it's Dialogue: 0,0:55:26.66,0:55:36.49,Default,,0000,0000,0000,,probably an error for most organizations.\NHerald: OK. Well, very. Just briefly. Dialogue: 0,0:55:36.49,0:55:40.50,Default,,0000,0000,0000,,Number 1\NM1: On the PTR record. I heard that Dialogue: 0,0:55:40.50,0:55:43.49,Default,,0000,0000,0000,,it's dropped. Not dropped from the\Nstandards, but it's not in the standards. Dialogue: 0,0:55:43.49,0:55:48.86,Default,,0000,0000,0000,,A: It is in the standard. No. PTR record\Nby itself is if it's really your use case. Dialogue: 0,0:55:48.86,0:55:53.60,Default,,0000,0000,0000,,I don't I'm not aware that it will be\Nautomatically dropped somewhere. Shouldn't Dialogue: 0,0:55:53.60,0:55:56.38,Default,,0000,0000,0000,,be a problem.\NHerald: We have a couple of more Dialogue: 0,0:55:56.38,0:55:59.35,Default,,0000,0000,0000,,questions here. So number six in the very,\Nvery back. Dialogue: 0,0:55:59.35,0:56:07.42,Default,,0000,0000,0000,,M6: Thank you for your talk. That's not\Ndirectly related, but even it should be Dialogue: 0,0:56:07.42,0:56:13.80,Default,,0000,0000,0000,,related. If mail server accepts because\NDKIM, DKARC and SPF, everything is fine, Dialogue: 0,0:56:13.80,0:56:18.78,Default,,0000,0000,0000,,but especially Google for a lot of\Norganizations, the mail is delivered but Dialogue: 0,0:56:18.78,0:56:24.09,Default,,0000,0000,0000,,classified as spam. It means on the inbox\Nof the recipient, it is not displayed. Dialogue: 0,0:56:24.09,0:56:28.07,Default,,0000,0000,0000,,Have you a solution to solve this problem\Nagainst Google? Dialogue: 0,0:56:28.07,0:56:33.63,Default,,0000,0000,0000,,A: Yeah. OK. So I have like different\Nopinions about that because one thing Dialogue: 0,0:56:33.63,0:56:38.79,Default,,0000,0000,0000,,which actually enables which we actually\Nshould be doing. Thank you Google. 
Is Dialogue: 0,0:56:38.79,0:56:42.86,Default,,0000,0000,0000,,that they are so strict because that's the\Nonly reason that we even have this high Dialogue: 0,0:56:42.86,0:56:47.88,Default,,0000,0000,0000,,percentage of even improperly configured\NSPF. The only reason there are 70 percent Dialogue: 0,0:56:47.88,0:56:52.83,Default,,0000,0000,0000,,websites are using SPF is because that\Nthey need to communicate with Google. And Dialogue: 0,0:56:52.83,0:56:56.69,Default,,0000,0000,0000,,Google won't accept your mail if it\Ndoesn't have even SPF on the baseline. So. Dialogue: 0,0:56:56.69,0:57:04.27,Default,,0000,0000,0000,,I actually I enjoy it as a job that I do.\NI've. I would prefer that Google does what Dialogue: 0,0:57:04.27,0:57:09.53,Default,,0000,0000,0000,,it does. But I understand the real admins\Nwhich have this problem. Google has the Dialogue: 0,0:57:09.53,0:57:15.24,Default,,0000,0000,0000,,tool. You probably know about it. Where\Nyou can check what it considers about your Dialogue: 0,0:57:15.24,0:57:19.32,Default,,0000,0000,0000,,domain. So you need to consider this\Nproblem on a case by case basis. Quite Dialogue: 0,0:57:19.32,0:57:23.56,Default,,0000,0000,0000,,often what happens is that even though you\Nhave this DKIM, DMARC and so on, it's not Dialogue: 0,0:57:23.56,0:57:28.58,Default,,0000,0000,0000,,configured correctly. So that's what the\Ntalk was about. So you have it. You Dialogue: 0,0:57:28.58,0:57:31.26,Default,,0000,0000,0000,,probably think that you have configured it\Ncorrectly, but there are some errors. Dialogue: 0,0:57:31.26,0:57:35.25,Default,,0000,0000,0000,,Herald: Okay, let's give priority to the\NInternet. Dialogue: 0,0:57:35.25,0:57:40.17,Default,,0000,0000,0000,,Signal Angel: We have one question from\Nthe Internet. Well, attempting to verify Dialogue: 0,0:57:40.17,0:57:43.82,Default,,0000,0000,0000,,and address how to handle no reply email\Naddresses. 
Dialogue: 0,0:57:43.82,0:57:50.00,Default,,0000,0000,0000,,A: No reply, I'm sorry. Can you read it\Nagain, please? Dialogue: 0,0:57:50.00,0:57:55.17,Default,,0000,0000,0000,,Signal Angel: When attempting to verify an\Naddress, how to handle noreply Email Dialogue: 0,0:57:55.17,0:58:04.53,Default,,0000,0000,0000,,addresses.\NA: Maybe it was about the noreply header ? Dialogue: 0,0:58:04.53,0:58:10.65,Default,,0000,0000,0000,,Or not existing IP addresses ?\NSignal Angel: How to handle email. No Dialogue: 0,0:58:10.65,0:58:14.81,Default,,0000,0000,0000,,reply email addresses.\NA: I will try to get an answer to how I Dialogue: 0,0:58:14.81,0:58:21.53,Default,,0000,0000,0000,,understand it. So what often happens is\Nthat what often happens is that the email Dialogue: 0,0:58:21.53,0:58:25.29,Default,,0000,0000,0000,,will be sent from nonexisting addresses.\NSo maybe that's what the question was. For Dialogue: 0,0:58:25.29,0:58:29.79,Default,,0000,0000,0000,,example, there is "no reply", and it's not\Nthe problem itself. No reply. The problem Dialogue: 0,0:58:29.79,0:58:34.34,Default,,0000,0000,0000,,is that it's not a real address. There is\Nno such address. Right. And so I don't Dialogue: 0,0:58:34.34,0:58:38.82,Default,,0000,0000,0000,,have an answer for that because according\Nto RFC, you should you should still accept Dialogue: 0,0:58:38.82,0:58:43.63,Default,,0000,0000,0000,,it. Practically, as I said, lots of mail\Nsystems already are dropping these Dialogue: 0,0:58:43.63,0:58:46.42,Default,,0000,0000,0000,,addresses if you're sending from not\Nexisting unless you are Google or Dialogue: 0,0:58:46.42,0:58:50.15,Default,,0000,0000,0000,,something large, so you have been put into\Nwhitelist. You just won't be able to do Dialogue: 0,0:58:50.15,0:58:54.78,Default,,0000,0000,0000,,that. You won't be able to send email from\Nnon-existing address. 
So if that's your Dialogue: 0,0:58:54.78,0:59:00.31,Default,,0000,0000,0000,,situation, create the address, make it\Nlike a remove all the email that comes Dialogue: 0,0:59:00.31,0:59:03.64,Default,,0000,0000,0000,,there, but create the real address so that\Nyou're acceptable. If you are on the other Dialogue: 0,0:59:03.64,0:59:08.27,Default,,0000,0000,0000,,side. So you are receiving this email. It\Ndepends on this particular use case. So Dialogue: 0,0:59:08.27,0:59:12.10,Default,,0000,0000,0000,,just check what's going on. If you can\Ncontact them, contact them. If you can't Dialogue: 0,0:59:12.10,0:59:16.22,Default,,0000,0000,0000,,contact them, then you should decide what\Nis the risk, if you are dropping these Dialogue: 0,0:59:16.22,0:59:23.92,Default,,0000,0000,0000,,addresses, are they important for you? So\Naccording to RFC you should receive and Dialogue: 0,0:59:23.92,0:59:28.66,Default,,0000,0000,0000,,process these addresses.\NHerald: Okay. Microphone number four, Dialogue: 0,0:59:28.66,0:59:33.04,Default,,0000,0000,0000,,please.\NM4: Hey, thank you for this talk. Do you Dialogue: 0,0:59:33.04,0:59:40.63,Default,,0000,0000,0000,,know about effort to solve problems with\Nbig email senders like online booksellers, Dialogue: 0,0:59:40.63,0:59:47.45,Default,,0000,0000,0000,,which are very great because they don't\Nseem to have their own SPF records, for Dialogue: 0,0:59:47.45,0:59:53.25,Default,,0000,0000,0000,,example, in in control.\NA: Yeah. So in many cases you can just Dialogue: 0,0:59:53.25,0:59:56.71,Default,,0000,0000,0000,,contact them. So it's just the question\Nthat they haven't thought about it. Or Dialogue: 0,0:59:56.71,1:00:01.77,Default,,0000,0000,0000,,maybe no one told them what to do or maybe\Nthey don't know how to do better. Right. Dialogue: 0,1:00:01.77,1:00:05.25,Default,,0000,0000,0000,,So that's one of the parts that we as a\NCERT we are doing. 
If you have some some Dialogue: 0,1:00:05.25,1:00:10.62,Default,,0000,0000,0000,,this problem with some large company in\Nparticular country, I would suggest to Dialogue: 0,1:00:10.62,1:00:14.47,Default,,0000,0000,0000,,contact CERT. Even if it's not a\Ngovernment organization, for example, in Dialogue: 0,1:00:14.47,1:00:18.70,Default,,0000,0000,0000,,Latvia, if that will be a Latvian company.\NWe would do the triage. We would try to Dialogue: 0,1:00:18.70,1:00:21.89,Default,,0000,0000,0000,,try to talk to them, explain to them why\Nthey need to change and so on. So that's Dialogue: 0,1:00:21.89,1:00:26.29,Default,,0000,0000,0000,,maybe one option for you. But the\Npractices that if something looks to you Dialogue: 0,1:00:26.29,1:00:30.06,Default,,0000,0000,0000,,as a third party, as a wrong\Nconfiguration, that is one I couldn't Dialogue: 0,1:00:30.06,1:00:34.40,Default,,0000,0000,0000,,mention in this talk. If something isn't\Nperfectly secure, it doesn't mean that Dialogue: 0,1:00:34.40,1:00:39.46,Default,,0000,0000,0000,,it's wrong. There might be actually\Nbusiness case why it should be this way. Dialogue: 0,1:00:39.46,1:00:42.23,Default,,0000,0000,0000,,Right. Because, for example, if it's a\Nlarge I don't know, Amazon and some for Dialogue: 0,1:00:42.23,1:00:46.70,Default,,0000,0000,0000,,something like that. And if they have\Ntested and they know that when they enable Dialogue: 0,1:00:46.70,1:00:51.70,Default,,0000,0000,0000,,very strict configuration, some percentage\Nof their emails just doesn't come. Not Dialogue: 0,1:00:51.70,1:00:55.76,Default,,0000,0000,0000,,because of their problem, because of\Nsomeone else's problem. Right. But then Dialogue: 0,1:00:55.76,1:00:59.76,Default,,0000,0000,0000,,there is actually a real business case\Nthat they they are not. 
It would be stupid Dialogue: 0,1:00:59.76,1:01:04.49,Default,,0000,0000,0000,,for them to enable this, you know, to\Nstrict configuration, knowing that it will Dialogue: 0,1:01:04.49,1:01:08.97,Default,,0000,0000,0000,,damage their business. That makes sense,\Nright? Dialogue: 0,1:01:08.97,1:01:13.48,Default,,0000,0000,0000,,Herald: Okay. We are unfortunately running\Nout of time for those who are on the Dialogue: 0,1:01:13.48,1:01:17.76,Default,,0000,0000,0000,,microphones. please just line up with the\Nspeaker next to the desk. He's gonna talk Dialogue: 0,1:01:17.76,1:01:21.20,Default,,0000,0000,0000,,to you. Perfectly sure. And. Dialogue: 0,1:01:21.20,1:01:25.16,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,1:01:25.16,1:01:40.96,Default,,0000,0000,0000,,{\i1}36C3 postroll{\i0} Dialogue: 0,1:01:40.96,1:01:53.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!