This month, we started a new format: Having a 30-minute Tech Talk at the start of the meeting. With this format, those people who want to only hear the Tech Talk and not stay for dinner can arrive early and then leave after the talk; those people who do not want to hear the Tech Talk can arrive at 6:30 for dinner. So far, this format is working well…
Kristoff Marshall presented a Tech Talk on the topic of SMTP (Simple Mail Transport Protocol); basically, Email. SMTP is based on 1977 RFC1733 (reference supplied by Gunnar).
As a preface to this summary of Kristoff’s SMTP Tech Talk, here are some useful acronyms:
- RFC: Request For Comments; specification memorandum.
- IETF: Internet Engineering Task Force; controlling organization for Internet standards.
- MSA: Mail Submission Agent; receptionist for Email from a Mail User Agent.
- MUA: Mail User Agent; Email client.
- MTA: Mail Transfer Agent; transfers Email messages from one computer to another.
- MX: Mail Exchange; verified resource record in the DNS.
- DNS: Domain Name System; hierarchical decentralized naming system for Internet.
- SPF: Sender Policy Framework; Email validation protocol.
- WV: Weight Value: a value used to determine statistical preference of a server.
- TELNET: a command line-level program used to connect to public servers; IETF STD 8.
- SPAM: Something Posing As Mail
Initiating an Email
When you send an Email, your computer talks to what’s called an MSA; that is actually within your Email program. For example, Thunderbird has an MSA; it uses port 587.
Receiving an Email
The MSA looks up the MTA on the recipient side. On Linux machines, you could have an agent at the Operating System (O.S.) level like Postfix; this could technically be your MTA. The MTA receives the Email from your program and figures out what to do with it; IOW, how to route the message within the receiving computer.
Locating the Recipient’s Mail Server
The first thing the MTA does is to look at the To: Address; then it looks up the domain and then looks in the DNS Record for an MX Record for that domain. Your computer has an MX record that points to various utility addresses for a website. The MX Record identifies the name of the recipient’s mail server. The MX Records can have different precedences; an MX Record has a Weight Value (WV) along with the actual value of the record. Example: An MX Record with a WV of 10 indicates that this server should be tried first; an MX Record with a WV of 20 is second, and so on. The Weight Value tells the MTA Server which server to use. This is a statistical thing.
Most installations (or, sites) have only one mail server; some have more. All servers may have different Weight Values, or you might have multiple servers with the same Weight Values; it’s up to the MTA to figure out which server to use. The process proceeds in random order—or it could go in alphabetical order; it’s configurable.
Importance of Weight Values
Weight Values are worth thinking about because a tactic that spammers have used is to target the server with the highest Weight Value. The lower the Weight Value, the more precedence that server has. Historically, if you have a server with a Weight Value of 90, that’s the last server that anyone is going to hit. So a lot of spammers will use an MX with a high Weight Value because those servers are usually behind on patches; in general, they’re not as up-to-date as the servers with lower Weight Values.
- MTA figures out how to route Email.
- DNS looks up MX.
- MX announces, “Hey! This is my mail server.” Then it provides the Weight Value, and that WV in the record tells MTA which server to use; could be random or configurable.
Weight Values are important! Spammers select a server with a high Weight Value because the lower the WV, the more precedence the message has. Spammers sneak in via high WVs because those servers are usually not as up-to-date on their patches.
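As an added illustration (not part of the talk or Kristoff’s material), here is how an MTA’s choice of server from a set of MX records can be modelled; the domain and hosts are constructed, and the second function lists the backup servers the talk says tend to fall behind on patches, so an administrator can check them:

```python
import random
from typing import Iterable, List, Optional, Tuple

# Constructed MX records for a hypothetical domain: (Weight Value, host).
# Lower values are tried first; equal values form a group whose order is up to the MTA.
EXAMPLE_MX = [
    (20, "backup-mx.example.net."),
    (10, "mx1.example.net."),
    (10, "mx2.example.net."),
    (90, "last-resort.example.net."),
]


def order_mx(records: Iterable[Tuple[int, str]], seed: Optional[int] = None) -> List[str]:
    """Return the hosts in the order an MTA would attempt them.

    Records are grouped by Weight Value (ascending). Within a group of equal
    values the order is randomised when a seed is given (reproducible for
    testing); with seed=None the group is kept in alphabetical order, the
    other configurable choice mentioned in the talk.
    """
    groups = {}
    for pref, host in records:
        groups.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(groups):
        hosts = sorted(groups[pref])
        if seed is not None:
            random.Random(seed).shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def backup_hosts(records: Iterable[Tuple[int, str]]) -> List[str]:
    """Hosts that are NOT in the lowest-Weight-Value group.

    These see little legitimate traffic, so they are easy to forget when
    patching, yet any sender may choose to deliver to them. Use this list to
    make sure backup MX hosts get the same hardening and filtering as the primary.
    """
    recs = list(records)
    lowest = min(pref for pref, _ in recs)
    return sorted(host for pref, host in recs if pref != lowest)


if __name__ == "__main__":
    print(order_mx(EXAMPLE_MX, seed=1))
    print(backup_hosts(EXAMPLE_MX))
```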
You can also use TELNET (at the command-line level) to send an Email: TELNET to a server. SMTP runs on port 25. Then you can say, “Hello” followed by the domain name.
- To: the Email Address; the only required value in SMTP.
- Subject: field is optional; it’s actually stored within the Message space, along with the Email Header.
- Message (Data): field is optional; contains the Email Header.
- From: Email Address; can be anything! The receiver has to call your bluff.
Distribution List Processing
When you send one Email to a list of recipients, the MTA breaks out the whole distribution list into separate Emails. The local client (e.g., Thunderbird) is the process that breaks up the one Email into individual Emails, producing one copy for each person on the list before it hits the MTA.
When the receiving server denies you, it’s usually after you put in the data; this is following protocol. IOW, it has to receive the whole message before it denies you.
But, for example, Gmail can simply block an IP Address and not allow a connection to Port 25. This is usually how a blacklist works. So there are two approaches: outright deny, or read then deny. You can train the system with some sort of spam solution tool and specify how you want to handle spam.
Sometimes, you don’t want a spammer to know you are blocking them, as with Shadow Banning. The sender does not know they have been Shadow Banned. Spammers send spam from multiple IP Addresses, or even from different ISPs to get around blocking.
Types of Spam:
- Nigerian Scams (a.k.a. 419 scams because they violate Section 419 of the Nigerian Criminal Code)
SPAM Statistics (from 2010):
- 81% Pharmaceutical Spam
- 5.4% Replica Spam (e.g., knockoff watches)
- 2.3% Enhancers (pharmacy products)
- 2.3% Phishing
- 1.3% College Degrees
- 1.0% Casino
- 0.4% Weight Loss
NOTE: Combatting spam costs an estimated $10 billion per year.
Phishing is a huge issue these days. Kristoff told of an issue one of his customers had after purchasing some equipment from a Chinese supplier with whom they had a close relationship. One day, the C.E.O. received an Email from that supplier indicating that their bank routing number had changed … so … threats can be disguised.
Sender Policy Framework (SPF); Combatting SPAM
Your From: Address on an Email can be anything! Literally any address you want. The receiving server has to call your bluff as to whether this is a legitimate address. This is where SPF (Sender Policy Framework) comes in. If you send an Email from Yahoo.com, the receiving server will look at the IP Address from which you’re sending the Email and then go to Yahoo.com and look up their SPF Record (which is simply another DNS Record; technically a TXT record). This DNS SPF Record tells the receiving server which IP Addresses are legitimate; basically, whether it’s OK to accept the Email. So, if you send an Email from Yahoo.com to Gmail.com, the Google Server will look up the SPF for Yahoo.com and, if the IP Address you’re sending from is not listed as a legitimate IP Address in the SPF for Yahoo.com, Gmail will not accept the Email.

SPF is relatively new. If you had tried this spoof ten years ago, more than likely it would have worked. SPF has been around for a while, but has only been implemented heavily within the past five years.
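An added example, not from the talk: a minimal SPF check of the kind the receiving server performs, run against a constructed TXT record for a hypothetical domain. It handles only the ip4/ip6 mechanisms and the closing all; mechanisms that need DNS lookups (include, a, mx) are reported as an error rather than guessed.

```python
import ipaddress
from typing import Tuple

# Constructed SPF record for a hypothetical domain. Real records are published
# as a DNS TXT record at the domain; it is embedded here so the example runs
# offline. "-all" means any sender not listed must be rejected.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"


def evaluate_spf(record: str, sender_ip: str) -> Tuple[str, str]:
    """Evaluate an SPF record against the connecting IP address.

    Returns (result, matched_term) with result one of
    pass / fail / softfail / neutral / permerror. Only ip4, ip6 and "all"
    are implemented; include/a/mx/exists/redirect need live DNS and are
    returned as permerror so a caller knows not to trust the outcome.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("permerror", "missing v=spf1 version tag")
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"  # the default qualifier is "+" (pass)
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return (qualifiers[qual], qual + "all")
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", "bad network in " + term)
            if ip.version == net.version and ip in net:
                return (qualifiers[qual], qual + term)
            continue
        return ("permerror", "unsupported mechanism " + mech)
    # Nothing matched and no "all" term: RFC 7208 makes the result neutral.
    return ("neutral", "no match")


def should_accept(record: str, sender_ip: str) -> bool:
    """Receiving-server policy: accept only on pass; softfail would be quarantined, fail rejected."""
    return evaluate_spf(record, sender_ip)[0] == "pass"
```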
Question: What are phishing scams phishing for?
Financial information; credit card numbers.
Question: How do spammers get my Email Address?
When you use your Email to sign up for services on some website (instead of User Names), that’s one easy way for scammers to grab an Email Address.
- Use a User Name instead of your Email Address
- Use a different Email Address for some sites
- Use different passwords for every site.
Question: What’s the value of all the information they scoop up?
The people who harvest credit card numbers simply sell the lists on the Dark Web (e.g., for Bitcoin). The fresher the list, the higher the price; the buyer wants to use it right away. As time goes by and others purchase the same list, it becomes less valuable.
Value of Information
Here’s a link to a recent CyberSecurity Tech Talk hosted by CORE Business Services; worth reading!
Testing Employee Security Threats
Companies are now testing their employees’ tendencies to click on spam to discover which employees present a threat—to their company’s proprietary data and financial well-being; think Ransomware.
Question: If you don’t click the link, are you still vulnerable?
If you load an image, the scammer may have already tied a specific image to your Email Address. The image can be served by a script that, when you load the image, verifies the Email Address and confirms receipt of their Email.
NOTE: If you click on an Unsubscribe link, you have just verified your Email Address to the sender. This mostly applies to unknown senders, and probably doesn’t apply to a vendor with whom you have done business (like Amazon, for example.)
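An added example (not from the talk) of how a mail client or gateway could flag the kind of tracking image described above before any remote content is loaded; the HTML body and the tracking host are constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed HTML body of a suspicious message. The 1x1 remote image with a
# per-recipient token in its URL is the pattern described in the talk:
# fetching it tells the sender that the address is live and the mail was read.
EXAMPLE_BODY = """
<html><body>
<img src="cid:logo@local" width="120" height="40" alt="logo">
<p>Great deals inside!</p>
<img src="https://track.example.invalid/open.gif?u=9f1c2a7b" width="1" height="1">
<a href="https://track.example.invalid/unsub?u=9f1c2a7b">Unsubscribe</a>
</body></html>
"""


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose source is fetched over the network."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            return  # inline (cid:) and data: images do not phone home
        reasons = []
        if a.get("width").strip() in ("0", "1") and a.get("height").strip() in ("0", "1"):
            reasons.append("1x1 pixel")
        if parts.query:
            reasons.append("per-recipient token in URL")
        self.findings.append({
            "src": src,
            "host": parts.hostname or "",
            "reasons": ", ".join(reasons) or "remote image",
        })


def find_tracking_images(html_body: str) -> List[Dict[str, str]]:
    """Return the remote images in an HTML mail body, each flagged with why it looks like a tracker."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return finder.findings
```

A client that blocks remote images by default, as most do for unknown senders, defeats this confirmation; the function shows what such a block is protecting against.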
We wish to thank Kristoff for volunteering his time to present such an informative Tech Talk on SMTP, a process most of us use—and rely upon—daily.
Copyright © 2018, FPP, LLC. All rights reserved.