“Hacked” – or why you should use SPF.
I have been running an amount of mailservers for the past years – mainly for my firm (as an entrepreneur). A small part is personal, eg, h3artbl33d.nl runs it's own mailserver.
Over the time, I outgrew the scenario where a single (or two, with a fallback) server is feasible. Rather than throwing more resources on it, or moving to a more powerful server, I deliberately chose to add additional servers. Not only does this help in setting up a more resilient mail infrastructure, segmentation also benefits security.
In a very early stage, I implemented technologies like SPF, DKIM and DMARC. Most likely, those abbreviations do ring a bell. If not, here is a small explanation:
- SPF is a technique used on DNS records, it's basically a list of the mailservers that are allowed to send mails from a certain domain.
- DKIM adds encryption on top of that. It allows to verify whether the sender is allowed to send from a particular domain, by using public key cryptography.
- DMARC is the newest addition, it not only adds another layer of sender verification, but also handles what action should be taken once a sender fails verification and to whom it should be reported.
These three techniques are a tremendous help in mitigating spoofing. Let's take my domain as an example: h3artbl33d.nl.
If SPF, DKIM and/or DMARC aren't setup at all, anyone could spoof that domain and portray to be me – eg, use email@example.com as the sender.
This goes for virtually any domain. Eg, without these techniques and some provider-level filtering, anyone could spoof messages as if they were sent from Microsoft.com, NSA.gov, Whitehouse.gov, etc.
Occasionally, I like to experiment with technology. The same goes for email spoofing. In order to have some fun, I stripped an old, deprecated e-mail domain of SPF, DKIM and DMARC. Additionally, the domain I am referring to produces quite some hits on HIBP (Have I Been Pwned).
Next thing, I configured a catch-all on the domain – meaning every single address would be valid and routed to a single inbox – a “Pandora's Box” if you will.. This setup catches around 500 messages a day – all SPAM. The messages vary from offers of drugs on prescription, to SEO offers; from viagra to so called 'lost contacts'.
Sometimes, I start an effort to scam the scammers – mainly inspired by James Veich, by replying and actually spoofing like I was an actual victim.
Over time, I received quite a number of e-mails like this one:
Though the phrasing varies, but it always boils down to that the victim is supposedly hacked. The webcam was supposedly turned on, all digital activities were tracked and logged – including passwords, porn viewing, etc.
While it might be peanuts for a tech-savvy person to prevent or even see it's a scam in the blink of an eye, the same cannot be said for regular users. Heck, it might be really scary to receive such an e-mail.
To put it in perspective, I received a phone call last week, from an alerted customer, that received one of these e-mails. The respective customer does use an e-mail address supplied by the ISP that have a pretty shitty mailserver setup.
The thing that set off the alarm bells was the mention that the webcam was hacked – the customer in question doesn't have a webcam, so it was all sorted out pretty quickly. But nevertheless – receiving such emails can almost cause an heart-attack if you are not able to tell whether it's a scam.
The reason I am writing this blogpiece, is to raise awareness. If you are managing a mailserver – or if you know folks that do, please implement (or ask the person responsible to do so) SPF, DKIM and DMARC. It isn't something you likely do within five minutes for the first time – but having these techniques can save you from quite the headache!
Let's make the web great again!