E-mail authentication has become a major concern, and mail servers across the world are adopting a number of methods to address it. Several techniques are in use today for managing the challenges of e-mail authentication and spam. We will discuss three main techniques here:
1. DomainKeys identified mail (DKIM). This is an e-mail authentication method that lets the recipient verify that a message which claims to come from a particular domain really did originate there. The need for this type of authentication arises because spam often has forged headers.
For example, a message claims in its ‘From:’ header to be from firstname.lastname@example.org, but the e-mail is not actually from the example.org domain. In this scenario, the recipient can complain to the system administrator of the example.org domain, but that still provides no remedy. It also becomes difficult for recipients to establish whether such domains are good or bad, and system administrators may have to deal with complaints about spam that appears to have originated from their systems but did not.
DKIM is one such solution: it uses public-key cryptography to allow the sender to digitally sign legitimate e-mails in a way that recipients can verify. Prominent e-mail service providers implementing DKIM include Yahoo and Gmail. Any mail originating from these domains carries a DKIM signature, and if the recipient knows this, he can discard mail that has not been signed, or that has an invalid signature.
DKIM also guards against tampering with mail, offering almost end-to-end integrity from a signing to a verifying mail transfer agent (MTA). In most cases, the signing MTA acts on behalf of the sender by inserting a DKIM-Signature header, and the verifying MTA acts on behalf of the receiver, validating the signature by retrieving the sender’s public key through the DNS. The ‘DKIM-Signature’ header that DKIM adds contains a digital signature over the contents (selected headers and the body) of the message. The default parameters use SHA-256 as the cryptographic hash and RSA as the public-key scheme, and the RSA-encrypted hash (the signature) is encoded in Base64.
The receiving simple mail transfer protocol (SMTP) server then uses the name of the domain from which the mail originated, the string _domainkey and a selector taken from the header to perform a DNS lookup (of the name selector._domainkey.domain). The returned data includes the domain’s public key. The receiver can then decrypt the hash value in the header field and, at the same time, recalculate the hash over the message (headers and body) as received. If the two values match, this cryptographically proves that the mail originated at the purported domain and has not been tampered with in transit. DKIM is depicted in Fig. 7.
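As an added illustration (not code from the article), the following Python computes the DKIM body hash (the bh= tag) using the ‘relaxed’ body canonicalisation of RFC 6376 and checks it against a constructed DKIM-Signature header; it also builds the DNS name that the verifying MTA queries for the public key. Checking the b= signature itself needs the RSA public key from DNS and is not performed here. The sample body, the header, the selector sel1 and the domain example.org are all constructed for the example; the appended ‘scanned by’ footer shows why a footer added in transit (as described later in the article) breaks the signature, while whitespace-only changes do not.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_body_canonicalize(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalisation: collapse runs of
    spaces/tabs to one space, strip trailing whitespace on each line, drop
    trailing empty lines and terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""  # an empty body canonicalises to the empty string
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algo="sha256"):
    """Base64 digest of the canonicalised body: the value carried in bh=."""
    digest = hashlib.new(algo, relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_dns_name(selector, domain):
    """Name the verifying MTA queries (TXT) for the signer's public key."""
    return f"{selector}._domainkey.{domain}"


def check_body_hash(dkim_header, body):
    """First verification step: does the body as received still hash to bh=?
    Only the default rsa-sha256 algorithm and relaxed body canonicalisation
    are handled here; the b= tag is not verified."""
    tags = parse_dkim_signature(dkim_header)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]
    return body_hash(body, algo) == tags["bh"]


# Constructed sample message (not a real signature; b= is a placeholder).
SAMPLE_BODY = "Hello   world  \nThis is a   test.\n\n"
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; "
    "b=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    print(dkim_dns_name("sel1", "example.org"))
    print(check_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY))  # True
    # A scanner footer appended in transit changes the body and breaks the hash.
    print(check_body_hash(SAMPLE_DKIM_HEADER, SAMPLE_BODY + "Scanned by AV\n"))  # False
    # Whitespace-only changes survive relaxed canonicalisation.
    print(check_body_hash(SAMPLE_DKIM_HEADER, "Hello world\r\nThis is a test.\r\n"))  # True
```

A real verifier would go on to hash the headers listed in h=, fetch the TXT record at the name returned by dkim_dns_name() and verify b= with that RSA key; a body-hash mismatch already tells it the message body was altered after signing.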
2. SPF. Sender policy framework (SPF) is an e-mail authentication system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the domain name system (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.
SPF can be implemented in three steps:
1. Publish a policy. Domains and hosts identify the machines authorised to send e-mail on their behalf by adding records to their existing DNS information. Every domain name or host that has an ‘A’ record or ‘MX’ record should have an SPF record specifying the policy if it is used either in an e-mail address or as a HELO/EHLO argument. Hosts which do not send mail should publish an SPF record that says so (“v=spf1 -all”). To validate an SPF record, one can use the testing tools provided on the SPF project Web page.
2. Check and use SPF information. Receivers use ordinary DNS queries, which are typically cached to enhance performance. Receivers then interpret the SPF information as specified and act upon the result.
3. Revise mail forwarding. Plain mail forwarding is not allowed by SPF. The alternatives are:
(i) Re-mailing. The original sender address is replaced with one belonging to the local domain.
(ii) Refusing. Reply 551 is given, which says ‘user not local; please try email@example.com’.
(iii) Whitelisting. Done on the target server, so that it will not refuse a forwarded message.
(iv) Sender rewriting scheme (SRS). Yet another option.
Thus, the key issue in SPF is the specification for the new DNS information that domains set and receivers use. The records laid out below are in typical DNS syntax. Note that RFC 4408 recommended that both SPF and TXT records be used (during the transitional period), although either by itself was acceptable.
The sample SPF records are displayed below:
rakesh.com. IN TXT "v=spf1 a mx -all"
rakesh.com. IN SPF "v=spf1 a mx -all"
‘v=’ defines the version of SPF used. The words that follow are the mechanisms used to determine whether a host is eligible to send mail for the domain. The ‘a’ and ‘mx’ mechanisms specify the systems permitted to send messages for the given domain (the hosts named by its A and MX records). The ‘-all’ at the end specifies that, if none of the previous mechanisms matched, the message should be rejected.
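To show how a receiver interprets such a record (step 2 above), here is an added Python evaluator, not code from the article or from the SPF project, that resolves the a, mx, ip4, ip6, include and all mechanisms with their +, -, ~ and ? qualifiers. Instead of real DNS queries it consults a constructed in-memory table: the rakesh.com record from the text is included, and the other domains and IP addresses (taken from the documentation ranges) are made up for the example.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: a real receiver queries its
# resolver; the addresses are documentation-range values, not real hosts).
FAKE_DNS = {
    "rakesh.com":      {"TXT": ["v=spf1 a mx -all"],
                        "A": ["203.0.113.10"],
                        "MX": ["mail.rakesh.com"]},
    "mail.rakesh.com": {"A": ["203.0.113.25"]},
    "nomail.example":  {"TXT": ["v=spf1 -all"]},   # host that never sends mail
    "bulk.example":    {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "corp.example":    {"TXT": ["v=spf1 include:bulk.example -all"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms per check


def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's 'v=spf1' TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def host_addresses(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting IP address.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the v=spf1 version tag
        qualifier = "+"                    # a bare mechanism means '+' (pass)
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # membership test is False when the address families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_addresses(arg or domain)
        elif name == "mx":
            matched = any(ip in host_addresses(mx)
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:                              # exists:, ptr, redirect= etc. not handled
            return "permerror"
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "rakesh.com"), ("203.0.113.25", "rakesh.com"),
                    ("192.0.2.1", "rakesh.com"), ("192.0.2.1", "bulk.example"),
                    ("198.51.100.7", "corp.example"), ("192.0.2.1", "corp.example")]:
        print(f"{ip:>14} for {dom:<14} -> {check_spf(ip, dom)}")
```

The receiver would then act on the result as its local policy dictates, for example rejecting on fail and marking on softfail, which is exactly where the forwarding problem described in step 3 shows up: a forwarder's IP is not in the original domain's record.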
Comparing SPF and DKIM, we can say that SPF validates the message envelope (the SMTP bounce address), not the message contents (header and body). It is orthogonal and complementary to DKIM, which signs the contents (including headers). In brief, SPF validates MAIL FROM versus its source server; DKIM validates the ‘From:’ message header and a mail body by cryptographic means.
One of the problems with DKIM is that if the message is significantly modified en route by a forwarding mechanism, such as a list server, the signature may no longer be valid and, if the domain specifies that all its e-mail is signed, the message may be rejected. Many central antivirus solutions also add a footer stating that the e-mail has been scanned, along with the date of the signature files, and some free e-mail services add advertisements at the bottom of e-mails. Many domains, however, state that only some of their e-mail is signed, so a missing or broken signature cannot always be used to reject e-mail.
The solution is to sign all your e-mail. If the only modifications en route involve the addition or modification of headers before the DKIM-Signature: header, the signature should remain valid. The mechanism also includes features that allow certain limited modifications to be made to headers and the message body without invalidating the signature. We can suggest that this limitation could be addressed by combining DKIM with SPF, because SPF (which breaks when messages are forwarded) is immune to modifications of the e-mail data, and mailing lists typically use their own SMTP error address or Return-Path.
In short, SPF works without problems where DKIM might run into difficulties, and vice versa. Fig. 8 shows an e-mail sent using DKIM, how the DKIM signature looks and how the decision is taken to deliver it to the inbox or the spam folder. To see the DKIM signature and SPF record, you can go to your e-mail client (Gmail or Yahoo) and invoke the ‘view full header’ option. In Fig. 9, we can see that the DKIM/SPF e-mail authentication failed. SPF shows that there is a permanent error in processing the domain of ICICI Bank. The sample e-mail in Fig. 9 is a phishing attack mail which came to the spam folder of my e-mail. It arrived in my spam folder as the SPF/DKIM processing failed. In Fig. 10, we can see an e-mail sent from firstname.lastname@example.org to email@example.com, which is a self-mail sent by me. The e-mail passed both DKIM and SPF.
Now we will discuss some tips on managing, accessing, browsing and using e-mail and e-mail accounts.
Properly managing your e-mail accounts
1. Using just one e-mail account. E-mail users often think that, like their home address, they should have only one e-mail address. A good rule of thumb for the average e-mail user is to have separate e-mail accounts for work and for personal requirements, plus an account for general use such as signing up for newsletters and for online activities such as blogs and online forums.
2. Closing the browser after logging out. When checking e-mail at a library or cybercafé, one not only needs to log out of the e-mail but also needs to close the browser window completely. Some e-mail services display the username (but not your password) even after logging out. Whilst the service does this for convenience, it compromises your e-mail security.
3. Forgetting to delete browser cache, history and passwords. After using a public terminal, it is important to delete the browser cache, history and passwords. Most browsers automatically keep track of all the Web pages that have been visited, and some keep track of any passwords and personal information that were entered in order to help fill in similar forms in the future. If this information falls into the wrong hands, it can lead to identity theft and stolen bank and e-mail information.
Because the stakes are so high, it is important that Internet users be aware of how to clear a public computer’s browser cache so that they can delete private information before lurking hackers get hold of it. In Mozilla’s Firefox, simply press Ctrl+Shift+Del. Opera users need to go to Tools>>Delete Private Data. Users of Microsoft’s Internet Explorer need to go to Tools>>Internet Options then click the ‘Clear History,’ ‘Delete Cookies’ and ‘Delete Files’ buttons.
4. Using unsecured e-mail accounts to send and receive sensitive corporate information. Large corporations invest huge amounts of money to ensure that their computer networks and e-mails remain secure. Despite their efforts, careless employees using personal e-mail accounts to conduct company business can pass along sensitive data and undermine the security measures in place. So ensure that the company’s security is not put at risk by transmitting sensitive company data via a personal computer or personal e-mail address.
E-mailing the right people
1. Use the blind carbon copy (BCC) option. When the BCC: option is used rather than CC:, none of the recipients can see the addresses of the other recipients. E-mail users often rely too much on the TO: field because it is the default way of sending e-mails. This is fine when writing to just one person or a few family members, but if you are sending a mail to a diverse group of people, it raises serious privacy and security concerns.
It takes just one spammer to get hold of the e-mail and immediately everyone on your e-mail list gets spammed. I am not saying that the honesty of the group is in question. Many e-mail programs are set up to automatically add any incoming e-mail addresses to the address book. That means that some people in the group will inadvertently have added the entire list to their address book and, as a result, if one of their computers is infected with a ‘zombie’ (used for distributed denial of service attacks) and silently sends out spam e-mails, it will cause the entire list to get spammed.
2. Using the ‘Reply All’ button. Sometimes the mistake is not in deciding between CC: and BCC: but in hitting ‘Reply All’ instead of ‘Reply.’ When using Reply All, keep in mind that the message is sent to everyone included on the original e-mail and, if the information is strategic in nature, this step can be disastrous from both a security and a personal humiliation perspective.
3. Spamming as a result of forwarding e-mail. Forwarding e-mails can be a great way to quickly bring someone up to speed on a subject without having to write up a summary e-mail but, if proper care is not exercised, forwarding e-mails can create a significant security threat. As an e-mail is forwarded, the recipients of the mail (up to that point in time) are automatically listed in the body of the e-mail.
As the chain keeps moving forward, more and more recipient IDs are placed on the list. Unfortunately, if a spammer or someone just looking to make a quick buck gets hold of the e-mail, he can sell the entire list of e-mail IDs and then everyone could start receiving spam. It only takes a few seconds to delete all the previous recipient IDs before forwarding a piece of mail. You can thus avoid the terrible situation of being the cause of all your friends or coworkers getting spammed.
Making backups and keeping records
1. Failing to back up e-mails. Many times e-mails are used to make legally binding contracts, take major financial decisions and conduct professional meetings. Just as we keep a hard copy of other important business and personal documents, it is important to regularly back up these important e-mails to preserve a record. This will be helpful in the scenario when an e-mail client crashes and all its data is lost. The frequency of backups depends on e-mail usage, but under no circumstances should it be done less frequently than every three months.
2. Mobile access. Presuming a backup exists. Mobile e-mail access, such as through Android/smart phones/BlackBerry, has revolutionised the way we think about e-mail; it is no longer tied to a PC, but can be checked on the go anywhere. Many times, BlackBerry users simply assume that a copy of the e-mails they check and delete on the BlackBerry will still be available on their home or office computer.
But it is important to keep in mind that some e-mail servers and client software download e-mails to the BlackBerry device and then delete them from the server. Thus, for some mobile e-mail access devices, if an e-mail is deleted from the device, it is deleted from the Inbox. Just be aware of the default settings of the e-mail client and ensure that a copy of the retained e-mail is kept. The same happens in the case of MS Outlook when the e-mail is downloaded onto the PC. Here I would like to mention that it is the protocol which does it. By protocol I mean POP3, which downloads all the e-mails onto the hard disk and clears them from the e-mail server unless the setting explicitly tells it otherwise. This setting is shown in Fig. 11. By default, this setting is unchecked in MS Outlook, so all the e-mails, when downloaded onto the local hard disk, get deleted from the e-mail server.
3. Thinking that an erased e-mail is gone forever. It is to be noted that even after deleting an e-mail message from the Inbox and the Sent folder, it often exists in backup folders on remote servers for years, and can be retrieved by skilled professionals. So e-mail can be like a permanent document.
Avoiding fraudulent e-mail
1. Prize/lottery/scam mails. Spammers use a wide variety of clever titles, which often include social engineering to get one to open e-mails which they fill with all sorts of bad things, such as:
(i) Winning of the Irish lotto, the Yahoo lottery, or any other big cash prize
(ii) Nigerian king or prince trying to send $10 million
(iii) Bank account details reconfirmation immediately. This is a common phishing attack
(iv) Unclaimed inheritance
(v) A ‘Returned Mail’ notice asking you to resend a mail you never sent
(vi) The news headline e-mail
(vii) Winning an iPod Nano e-mail
2. Not recognising phishing attacks in e-mail content. While never opening a phishing e-mail is the best way to secure your computer, even the most experienced e-mail user will occasionally accidentally open up a phishing e-mail. At this point, the key to limiting your damage is recognising the phishing e-mail for what it is. Phishing is a type of online fraud wherein the sender of the e-mail tries to trick you into giving out personal passwords or banking information. The sender will typically steal the logo from a well-known bank or PayPal and try to format the e-mail to look like it came from the bank.
Usually, the phishing e-mail asks you to click on a link in order to confirm banking information or a password, but it may just ask you to reply to the e-mail with personal information. Whatever form the phishing attempt takes, the goal is to fool you into entering your information into something which appears to be safe and secure, but is in fact just a dummy site set up by the scammer. If you provide the phisher with personal information, it will help the scammer to steal your identity and money from your accounts.
3. Signs of phishing. You can identify a phishing e-mail from:
(i) A logo that looks distorted or stretched
(ii) E-mail that addresses you as ‘Dear Customer’ or ‘Dear User’ rather than using your actual name
(iii) E-mail that warns that an account of yours will be shut down unless you reconfirm your billing information immediately
(iv) An e-mail threatening legal action
(v) E-mail which comes from an account similar but different from the one the company usually uses
(vi) An e-mail that claims ‘security compromises’ or ‘security threats’ and requires immediate action
If you suspect that an e-mail is a phishing attempt, the best defence is to never open the e-mail in the first place. But assuming that the e-mail has already been opened, do not reply or click on the link in the e-mail. To verify the message, manually type the URL of the company into your browser instead of clicking on the embedded link.
4. Sending personal and financial information via e-mail. One should avoid writing to a bank via e-mail with personal and financial information, and should regard as suspicious any online store that asks for private information to be sent via e-mail. The rule of avoiding financial information in e-mails to online businesses also holds true for personal e-mails. If, for example, credit card information has to be shared with a family member, it is far more secure to do so over the phone than via e-mail.
5. Unsubscribing from newsletters you never subscribed to. A common technique used by spammers is to send out thousands of fake newsletters from organisations with an ‘unsubscribe’ link at the bottom of the newsletter. E-mail users who then enter their e-mail address into the supposed ‘unsubscribe’ list are then sent loads of spam. So if you do not specifically remember subscribing to the newsletter, you are better off just blacklisting the e-mail address, rather than following the link and possibly picking up a Trojan horse or unknowingly signing up for yet more spam.
1. Trusting your friend’s e-mail. Most Internet users are very careful when it comes to e-mails from senders they do not recognise. But when a friend sends an e-mail, all caution goes out of the window as they just assume it is safe because they know that the sender would not intend to hurt them. The truth is, an e-mail from a friend’s ID is just as likely to contain a virus or malware as a stranger’s.
The reason is that most malware is circulated by people who have no idea they are sending it, because hackers are using their computer as a zombie. It is important to maintain and keep updated e-mail scanning and anti-virus software, and to use it to scan all incoming e-mails.
2. Deleting spam instead of blacklisting it. An e-mail blacklist is a user-created list of e-mail accounts that are labelled as spammers. When an e-mail sender is blacklisted, the e-mail client stops trusting e-mails from that particular sender and starts treating them as spam. Unfortunately, most Internet users are reluctant to use the blacklist feature of their e-mail client, and instead just delete spam e-mails. Whilst not every piece of spam is from repeat senders, a surprising amount of it is. So by training yourself to hit the blacklist/spam button instead of the delete button when confronted with spam, you can, in the course of a few months, drastically limit the amount of spam that reaches the Inbox.
3. Disabling the e-mail spam filter. Most e-mail users typically do not start out with a lot of spam in their e-mail account and thus do not value the help that an e-mail spam filter can provide at the beginning of their e-mail usage. Because no spam filter is perfect, initially the hassle of having to look through one’s spam box for wrongly blocked e-mails leads many new e-mail users to instead just disable their e-mail spam filter altogether. However, as an e-mail account gets older, it tends to pick up more spam, and without the spam filter, an e-mail account can quickly become unwieldy.
So instead of disabling the filter early on, Internet users should take the time to whitelist e-mails from friends that get caught up in the spam filter. Then, when the levels of spam start to pick up, the e-mail account will remain useful and fewer and fewer friends will get caught up in the filter.
4. Failing to scan all e-mail attachments. Ninety per cent of viruses that infect a computer reach it through an e-mail attachment. Yet, despite this ratio, many people do not scan all incoming e-mail attachments. Maybe it is our experience with snail mail, but often when we see an e-mail with an attachment from someone we know, we just assume that the mail and its attachment are safe. Of course that assumption is wrong, as most e-mail viruses are sent by zombies that have infected a computer and caused it to send out viruses without the owner even knowing.
What makes this oversight even more scandalous is the fact that a number of free e-mail clients provide a built-in e-mail attachment scanner. For example, if we use Gmail or Yahoo! for our e-mails, every e-mail and attachment sent or received is automatically scanned. So if an e-mail user does not want to invest in a third-party scanner (although advisable) and the e-mail provider does not provide a built-in attachment scanning system, one should access the attachments through an e-mail provider that offers free virus scanning by first forwarding attachments to that account before opening them.
Keeping hackers at bay
1. Sharing your account information with others. Never ask friends or colleagues to check your e-mail on your behalf. Of course, friends can be trusted, but once the password is known to anybody other than you, your account is no longer as secure as it was. One more real problem which creeps in is that a friend might not use the same security measures that you do. A friend might be accessing e-mails through an unsecured wireless connection, might not have kept his anti-virus software up to date, or might be infected with a keylogger virus that automatically steals the password once it is entered.
So ensure that you are the only person that knows your personal access information. Never write down this kind of confidential information such as passwords, ATM pin, etc where it can be seen by someone else.
2. Using simple and easy-to-guess passwords. Hackers or crackers use computer programs that scroll through common names to compile possible user names, and then send spam e-mails to those usernames. When that spam e-mail is opened, a little hidden piece of code in the e-mail sends a message back to the hacker letting him know that the account is valid, at which point they turn to the task of trying to guess your password. Hackers often create programs which cycle through common English words and number combinations in order to try to guess a password. As a consequence, passwords that comprise a single word, a name, or a date are frequently ‘guessed’ by hackers.
So when creating a password, use uncommon number and letter combinations which do not form a word found in a dictionary. A strong password should have a minimum of eight characters, be as meaningless as possible, as well as use both upper and lowercase letters. Creating a tough password means that the hacker’s computer program will have to scroll through billions of options before guessing the password.
3. Failing to encrypt your important e-mails. No matter how many steps you take to minimise the chance that your e-mail is being monitored by hackers, one should always assume that someone else is watching whatever comes in and out of your computer. Given this assumption, it is important to encrypt the e-mails to ensure that if someone is monitoring the account, at least they cannot understand what one is saying. We can go for PGP encryption for personal usage as there is an easy-to-follow step-by-step 20-minute instruction system to install it and it is the most common e-mail encryption standard.
We also have S/MIME but that is more of an industry standard and can be used at official or organisational level. Encrypting all e-mails may be unrealistic, but sensitive e-mails should go in a secure way. Free versions of PGP are widely available on the Internet. Type PGP in www.google.com and you get the link to the PGP site. Download the PGP software and install on your system. PGP is also compatible with e-mail clients like MS Outlook.
4. Not encrypting your wireless connection. Whilst encrypting important e-mails makes it hard for hackers who have access to your e-mails to understand what they say, it is even better to keep hackers from getting access to your e-mails in the first place. One of the most vulnerable points in an e-mail’s journey is the hop from the laptop to the wireless router used to connect to the Internet. Consequently, it is important to encrypt the Wi-Fi network with the WPA2 encryption standard. The upgrade process is relatively simple and straightforward and takes just a few steps, and it further enhances your e-mail security.
5. Failing to use digital signatures. The cyber law now recognises e-mail as an important form of communication for major undertakings such as signing a contract or entering into a financial agreement. While the ability to enter into these contracts online has made our life easier, it has also created the added concern of someone forging your e-mails and entering into agreements on your behalf without your consent.
One way to combat e-mail forgery is to use a digital signature whenever you sign an important e-mail. A digital signature helps prove who sent an e-mail and from which computer, and that the e-mail has not been altered in transit.
By establishing the habit of using an e-mail signature whenever you sign important e-mails, you will not only make it harder for the other party to those agreements to try to modify the e-mail when they want to get out of it, but it will also give you extra credibility when someone tries to claim that you have agreed to a contract via an e-mail that you never did. The simple signed and encrypted e-mail flow is shown in Fig. 12.
The author is working in ADRIN, Department of Space as Scientist ‘SF’ and involved in developing applications on network and data security