Here are my notes from the seminar. They may or may not be completely understandable, but hopefully they will provide some help for those who couldn't make it.

Cory
Layers of mail:
---------------
MTA - mail transfer agent, moves mail from one machine to another (sendmail, exim, qmail, Exchange Server...)
MDA - mail delivery agent, delivers mail into an account on a system (procmail, mail)
MUA - mail user agent, the mail client program (mutt, Outlook Express, kmail, Eudora, pine...)
Mail store - where delivered mail is kept. Two designs: mbox (the Berkeley design, one large text file per mailbox with messages separated by "From " lines, which needs locking) and maildir (the qmail design, a directory with one file per message, so no locking is needed).

Standards:
----------
RFC 822 - defines the format of a mail message, including all the headers and the format of each piece of a proper email. Spammers often send non-compliant messages, which is itself a useful filtering signal.
MIME - a standard for attaching files (and non-ASCII text) to a text email.

POP vs. IMAP
------------
These are methods of accessing a mailbox remotely. POP is the older standard: download the mail and (usually) delete it from the server. Good for low bandwidth, but rather limited compared to IMAP. IMAP keeps the mail on the server and allows folders, staying connected, and manipulating messages in place.
Types of IMAP server:
UW IMAP (University of Washington) - includes POP as an option. A little simpler; uses the mbox format on the back end.
Cyrus - more complicated, but more stable; keeps its own mail store rather than mbox.

Webmail
-------
A www-to-IMAP/POP3 gateway. Products such as SquirrelMail.

Secure mail:
------------
Authentication models:
Clear text - not encrypted at all. The password crosses the wire as typed (POP USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN or LOGIN without TLS), and anyone listening on the wire has it.
Kerberos - sign on once and you are given a ticket and session key that let you authenticate to any Kerberized service; each sign-on gets a new key. Keys never cross the wire in the clear. What a listener can capture is the ticket and authenticator, which can be replayed only within their short lifetime (and not at all against a server that keeps a replay cache), and the session after authentication is still readable unless the application uses the session key to encrypt it.
SSL/TLS - Secure Sockets Layer / Transport Layer Security, a good method: the whole connection is encrypted, so even a clear-text password is protected on the wire. Costs a little processing for the public-key handshake. POP3S and IMAPS run on their own ports (995 and 993), or STARTTLS upgrades the plain-text port.
CRAM - CRAM-MD5, a challenge/response system keyed by a single shared secret. The server sends a fresh challenge; you respond with a keyed hash of it that only someone holding the password could produce, so the password itself never crosses the wire and a captured response is useless against the next challenge. The catch: the server must store the password (or an equivalent secret) in recoverable form rather than as a one-way hash, and nothing after authentication is encrypted.
SSH - secure shell. A secure 'layer' that also manages ports: like a telnet client but encrypted over the wire, and it can forward ports for other applications, so a POP or IMAP session can be tunnelled through the encrypted channel to a mail host that speaks only plain text.
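An added example, not from the seminar or these notes, of the CRAM challenge/response exchange described above, written in Python with only the standard library. The user name, password and challenge format follow the example in RFC 2195; the secret store, the wire transcript and the SASL PLAIN comparison are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Server-side secret store (constructed). CRAM needs the password itself, or an HMAC
# context derived from it, not a one-way hash: that is the price of never sending it.
# "tim" / "tanstaaftanstaaf" is the user and secret RFC 2195 uses in its own example.
SECRETS = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname):
    """Server step 1: a fresh, unpredictable challenge in the <random.time@host> shape RFC 2195 shows."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client step: HMAC-MD5 of the challenge keyed with the password, hex encoded, after the user name."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_response(response, challenge, secret_store):
    """Server step 2: recompute the HMAC for the challenge *we* issued and compare in constant time."""
    username, _, digest = response.partition(" ")
    password = secret_store.get(username)
    if password is None:
        # Do the same work for unknown users so response timing does not reveal valid names.
        hmac.new(b"no-such-user", challenge.encode(), hashlib.md5)
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_response(username, password):
    """For contrast, SASL PLAIN: base64 is an encoding, not encryption."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def decode_plain(line):
    """What a wire sniffer recovers from a PLAIN login in one step."""
    _, username, password = base64.b64decode(line).decode().split("\0")
    return username, password


def exchange(username, password, hostname="postoffice.example.org"):
    """One AUTHENTICATE CRAM-MD5 round trip as it appears on the wire, plus what a replay achieves."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(username, password, challenge)
    wire = [
        "S: + " + base64.b64encode(challenge.encode()).decode(),
        "C: " + base64.b64encode(response.encode()).decode(),
    ]
    ok = verify_response(response, challenge, SECRETS)
    wire.append("S: OK CRAM authentication successful" if ok else "S: NO authentication failed")
    # An eavesdropper who captured `response` tries it against the server's next challenge.
    replayed = verify_response(response, make_challenge(hostname), SECRETS)
    return {"wire": wire, "authenticated": ok, "replay_succeeds": replayed}


if __name__ == "__main__":
    for line in exchange("tim", "tanstaaftanstaaf")["wire"]:
        print(line)
```

Run against the challenge printed in RFC 2195, cram_md5_response reproduces the response the RFC shows, which is a quick way to check any CRAM implementation. The replay check is the point of the scheme; the plain_response/decode_plain pair is there to show why "encoded" is not the same as "protected".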
See www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH-2.html for tunnelling POP through SSH.

Where passwords are stored:
passwd file
shadow file
SQL database
LDAP

Mail filters:
-------------
Client-side mail filter: Outlook rules, pine rules, etc. Filters on subject, to, from and so on, and moves messages to folders. But we don't want the 'bad' mail to even hit the client.
Server-side mail filter (incoming only; outgoing is possible, but more difficult):
Procmail - you need to know regular expressions (e.g. ^Seth.*Here$).
Sieve - the Cyrus IMAP server has an implementation of this. Has a fairly simple rule set.

Why filter?
Viruses
Spam
Abuse

Viruses:
joke.exe
iloveyou.vbs
happy99.exe
annakor.jpg.vbs
worddoc.doc

How to scan?
#1 Signature - match known virus signatures. Usually not worth the time for someone to keep this updated for free.
#2 Score - have a program read through the macro code in a Word document. Every delete, file modification, certain keyword or other suspicious pattern earns some 'points'; if the total reaches a score of X the file may be a problem. Write, write, write, delete, for instance, is probably a dangerous file to let through.
#3 Poison types - extensions. No pif, exe, scr, vbs; no joke.exe or happy99.exe; and no files with multiple 'dots' in the name (such as march.2001.doc or annakor.jpg.vbs). Seth says that if there is more than one period, viruses (which are really small) may hide behind them. (Windows hides the final, registered extension by default, so annakor.jpg.vbs is shown to the user as annakor.jpg and runs as a script when opened.)
#4 Mangle - rename attachments, etc. Seth may strip or mangle <html> email, primarily because there are too many ways that HTML can break your system. He lets attached pictures through, but no JavaScript and no <img src=...> references to remote images.
jokecory.exe mangled to: jokecory.defanged73217exe
See www.impsec.org/email-tools/procmail-security.html for a bunch of procmail filters. Takes about 5 minutes to install. This has saved Seth 200-300 hours of time!
impsec.org/email-tools will mangle extensions such as:
html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vg[se]?|hta|p[lm]sh[bs]...
(this is half the list.)
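An added example of the poison-extension, multiple-dot and mangling rules above, written in Python. It is not Seth's setup and not the impsec.org sanitizer (which is a procmail recipe): it walks a MIME message, renames offending attachments in the defanged form shown above, and strips script and remote-image tags from HTML parts while keeping pictures that are attached to the message itself. The extension list is transcribed from the fragment above, with "p[lm]sh[bs]" read as pl/pm/shb/shs (an assumption) and vbs added because the notes name it; the sample message, its serial numbers and the X-Sanitizer header name are constructed.

```python
import re
from email import message_from_string

# Extension list from the impsec.org fragment quoted above; "p[lm]sh[bs]" on the page is
# read here as "p[lm]|sh[bs]" (an assumption), and vbs is added because the notes name it.
POISON_EXT = re.compile(
    r"\.(html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vg[se]?"
    r"|hta|p[lm]|sh[bs]|vbs)$",
    re.IGNORECASE,
)
# Names the notes list as known viruses: rejected whatever the extension check says.
KNOWN_BAD = {"joke.exe", "happy99.exe", "iloveyou.vbs"}
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify(filename):
    """Reason an attachment name is 'poison', or None if it may pass unchanged."""
    name = filename.strip().lower()
    if name in KNOWN_BAD:
        return "known virus name"
    if POISON_EXT.search(name):
        return "poison extension"
    if name.count(".") > 1:
        # march.2001.doc, annakor.jpg.vbs: the reader sees the first extension, not the last.
        return "multiple dots"
    return None


def defang(filename, serial):
    """jokecory.exe -> jokecory.defanged73217exe. Removing the last dot leaves the client
    no extension to map to a handler, while the original name stays recoverable."""
    stem, dot, ext = filename.rpartition(".")
    return f"{stem}.defanged{serial}{ext}" if dot else f"{filename}.defanged{serial}"


def _img_policy(match):
    tag = match.group(0)
    src = SRC_RE.search(tag)
    # Pictures attached to the message (cid: references) stay; anything the client
    # would fetch from the network is dropped.
    return tag if src and src.group(1).lower().startswith("cid:") else ""


def clean_html(html):
    """Strip script blocks and remote image tags. Regex tag matching is enough for a demo;
    a production filter should use a real HTML parser or convert the part to text."""
    return IMG_RE.sub(_img_policy, SCRIPT_RE.sub("", html))


def sanitize(raw, first_serial=1):
    """Walk a MIME message, mangle poison attachments and clean HTML parts.
    Returns the modified message and a list of (original, reason, result) findings."""
    msg = message_from_string(raw)
    findings, serial = [], first_serial
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            reason = classify(filename)
            if reason:
                new_name = defang(filename, serial)
                serial += 1
                part.set_param("filename", new_name, header="Content-Disposition")
                if part.get_param("name"):  # Content-Type name= carries the same string
                    part.set_param("name", new_name)
                findings.append((filename, reason, new_name))
            continue
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "us-ascii"
            html = part.get_payload(decode=True).decode(charset, "replace")
            cleaned = clean_html(html)
            if cleaned != html:
                del part["Content-Transfer-Encoding"]  # set_payload re-encodes the text
                part.set_payload(cleaned, charset)
                findings.append(("(html body)", "active content", "stripped"))
    if findings:
        msg["X-Sanitizer"] = "; ".join(f"{orig}: {reason}" for orig, reason, _ in findings)
    return msg, findings


# Constructed sample: an HTML body with a script and a tracking image, two poison
# attachments and one harmless inline picture. Attachment bodies are dummy base64.
SAMPLE = """\
Subject: seminar files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<p>Hi Seth</p><script>alert(1)</script><img src="http://tracker.example/x.gif"><img src="cid:pic1">
--XYZ
Content-Type: application/msword; name="agenda.doc"
Content-Disposition: attachment; filename="agenda.doc"

ZmFrZQ==
--XYZ
Content-Type: application/octet-stream; name="annakor.jpg.vbs"
Content-Disposition: attachment; filename="annakor.jpg.vbs"

ZmFrZQ==
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: inline; filename="photo.jpg"
Content-ID: <pic1>

ZmFrZQ==
--XYZ--
"""
```

sanitize(SAMPLE) renames agenda.doc and annakor.jpg.vbs, leaves photo.jpg alone, and returns the HTML part with the script and the tracker image gone but the cid: picture intact; print the returned message with as_string() to see the rewritten headers. In a real deployment this sits behind the MDA the way the impsec recipe sits in procmail, before the message reaches any client.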
RBL - MAPS, ORBS
Realtime Blackhole List. Incoming email is checked against the sending host's IP address (some lists also key on the domain name). If the address is on a black hole list, the mail is flagged with a warning or rejected. These lists contain many open relays and can help block spam; however, they can also block a lot of legitimate email, so decide per list whether a hit rejects outright or only tags the message for the client's filter.

Email accounts that exist on many servers (and should be on yours!):
root@ (unix systems)
abuse@ often found at big companies (ie [EMAIL PROTECTED]); not required, though RFC 2142 recommends it
postmaster@ by RFC every mail server is required to have this
hostmaster@ for domain name managers
webmaster@ for webmasters
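An added example, not part of the notes, of how an RBL check is actually performed: the connecting client's IP address is reversed, one label per octet (one per hex nibble for IPv6), and looked up as an A record under the list's zone; an answer in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". The zone names, the reject/flag policy and the canned DNS answers are constructed placeholders so the block runs offline; live_resolve shows the real lookup call.

```python
import ipaddress
import socket

# Constructed policy: which zones to consult and what a hit means. Zone names are
# hypothetical placeholders, not real lists.
ZONES = [
    ("bl.example.net", "reject"),     # conservative list: a hit rejects at SMTP time
    ("relays.example.net", "flag"),   # aggressive open-relay list: a hit only tags the mail
]

# Constructed answers standing in for DNS so the example runs offline.
FAKE_DNS = {
    "4.3.2.1.bl.example.net": "127.0.0.2",
    "8.7.6.5.relays.example.net": "127.0.0.3",
    "1.1.1.1.dead.example.net": "10.20.30.40",  # wildcard answer from an expired zone
}


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL is queried for: the address reversed, one label per octet
    (one per hex nibble for IPv6, like ip6.arpa), followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def fake_resolve(name):
    return FAKE_DNS.get(name)


def live_resolve(name):
    """Real lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed(ip, zone, resolve=fake_resolve):
    """The list's answer code for ip, or None. Only 127.0.0.0/8 answers count: an expired
    or wildcarded zone can answer for every name, which would otherwise block all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


def check_sender(ip, zones=ZONES, resolve=fake_resolve):
    """Decide reject / flag / accept for a connecting client address.
    Returns the verdict and the (zone, answer, action) hits behind it."""
    hits = [(zone, listed(ip, zone, resolve), action) for zone, action in zones]
    hits = [h for h in hits if h[1] is not None]
    if any(action == "reject" for _, _, action in hits):
        return "reject", hits
    if hits:
        return "flag", hits
    return "accept", hits


def flag_header(hits):
    """Header value a 'flag' verdict adds so the client-side filter can act on it."""
    return "; ".join(f"{zone}={code}" for zone, code, _ in hits)


if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(client, check_sender(client))
```

Swap fake_resolve for live_resolve to query real lists. The 127.0.0.0/8 check is the caveat a practitioner wants here: several lists encode the reason for listing in the last octet, and a zone that has been abandoned can start answering for everything, which is exactly the "blocks a lot of legitimate email" failure mode above.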
