Preventing email spoofing with SPF

The very first email was sent about 45 years ago, in 1971, by Ray Tomlinson. Tomlinson is internationally known and credited as the inventor of email. The Internet Hall of Fame, in its account of his work, commented: “His email program brought about a complete revolution, fundamentally changing the way people communicate”.

Fast forward 45 years…

Over the last two decades, email has indeed revolutionised the way we communicate.

There are over 4.3 billion email accounts in the world and of all the emails being sent, about 141 million emails were classified as spam by SpamCop in the last 12 months alone!

Email is abused every day in the form of spam or phishing emails, which may distribute viruses, malware, spyware or ransomware, or attempt to steal information by posing as someone else.

Make the Internet work better.

The Internet is best defined by Wikipedia as a global system of interconnected computer networks to link billions of devices worldwide. Every server on the internet can make the internet work better by following some standards to prevent abuse.

What most people don’t know about is the existence of the Internet Engineering Task Force (IETF). The IETF develops and promotes voluntary internet standards with the mission to make the Internet work better. These internet standards are published as RFCs, which stands for Request for Comments.

35 years after the first email, in 2006, the IETF published RFC 4408, which describes the Sender Policy Framework, commonly known as SPF. The original SPF document was then replaced by a newer version, RFC 7208, published in 2014.

Sender Policy Framework (SPF) is among the widely adopted ways of preventing email abuse.

So, what does SPF do?

SPF is a simple email validation system designed to detect email spoofing. It provides a mechanism for email servers to check incoming email and verify whether it originated from a trusted source.

It allows your domain name administrator to publish your authorised email source servers, and provides a way for receiving email servers to verify the email origin. The receiving server evaluates the check and produces a result such as Pass, Neutral or Fail, amongst others, and lets the server’s email policies decide what to do.

Email Policies

Anyone setting up or managing an email server needs to set some sort of policies. These policies help protect the email system from abuse of resources. Luckily, most of these policies already come bundled in with the mail server software including Exim and Microsoft Exchange Server or hosted services such as cPanel hosting, Office 365 and Google Apps for Work.

However, the SPF fail policy needs to be configured. There are 3 choices:

  1. Reject the email (recommended)
  2. Accept and deliver the email with additional actions (move to Junk Mail, change the subject line, and so on)
  3. Accept, but delete the email (not recommended)

This is well documented in Appendix G2 of RFC 7208.

What is the best way to handle unauthorised email messages?

The most logical way to handle unauthorised email messages (SPF fail) is to reject them before they are received. This protects the system from unnecessary handling of incoming email, including data transfer of the email content as well as other processes such as spam filtering and email delivery.

Doing this also notifies the sender that their email was rejected because it failed the SPF check and, if the sender is legitimate, they will appropriately rectify their systems.

Can someone spoof my emails, even after deploying SPF?

Yes, someone can still spoof your emails. SPF does not define the standard of sending email itself, but rather a standard for checking if the sender server is trusted.

Prevent unauthorised emails from going out in the first place.

It’s unfortunate to see many servers allow emails to be sent without authentication, either through website scripts or SMTP. Any email that goes out from an email system should be authenticated to prevent abuse. Doing so makes it easier for system administrators to block that user in the event of a SPAM outbreak.

At Extreme Web Technologies, we block a simple PHP mail function that is commonly used to send out unauthenticated emails. It is widely used in contact forms. When a website is compromised, a spammer can leverage that function to send out large volumes of spam email.

We also properly reject emails that are not from a trusted source. I have come across some email servers that do not have the appropriate reject policy set for SPF failure. They are putting their users at risk of receiving spoofed emails from untrusted sources.

I hope that future RFC revisions will be in favor of rejecting the email message, instead of allowing the option for it to be handled by email policies. Till then, the best way to prevent email abuse is to use a strong SPF record, and have DKIM set up too, host your emails & website with a professional hosting company and HOPE that the recipients use a mailserver with realistic mail policies!

This blog post was written by Mohsin Sumar (@mohsinsumar), who is the co-founder and CEO of Extreme Web Technologies. Mohsin, with his Customer Happiness team, constantly strives to deliver top notch quality web hosting in Tanzania.

Image credits: Background vector designed by Dooder – Freepik.com; modified by Mohsin Sumar.

Using find to compress new or modified files after a particular date

One of our customers had a unique challenge of moving web servers. Their site was huge, with one directory having over 200GB of images. They opted to do a partial migration, copying over the website as is first before the final switch over.

The final switch over required copying over only the latest files created or modified after a particular date.

The most efficient way would have been the rsync utility. Unfortunately, this was not an option as we did not have SSH access on the new service, so we had to find an alternate way.

The objective was simple:

  • Find the files
  • Archive/compress them

Two commands needed to be run: the first to search for files created or modified after a particular date, and the second to create a tar file.

The dry run command looked like so:

find /path/to/folder -type f -newermt '2017-04-01T00:00:00' -print0

Let’s break this down:

  • find /path/to/folder
    • This defines where to search
  • -type f 
    • We’ll be looking for files only, recursively.
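  • -newermt '2017-04-01T00:00:00'
    • The date and time after which a file must have been modified to be included
  • -print0
    • This outputs the file names separated by NUL characters, so names containing spaces or newlines can be piped safely into the tar command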

For the second objective, we piped in the tar command to accept the output from the first. This would be appended to the original command.

  • | tar --null -czvf /backup/archive-name.tar -T -
    • Begin piping into the tar
    • The tar will compress and output the progress (verbose)
    • --null tells tar that the incoming file names are separated by NUL characters, matching the -print0 output of find; it must come before -T
    • -T - takes in the files to archive from the previous output

Here is the final command:

find /path/to/folder -type f -newermt '2017-04-01T00:00:00' -print0 | tar --null -czvf /backup/archive-name.tar -T -

I hope this will be useful for anyone with a similar requirement.

A shark in your tank

The Japanese have always loved fresh fish, but the water close to Japan has not held many fish for decades.

So to feed the Japanese population, fishing boats got bigger and went farther than ever. The further the fishermen went, the longer it took to bring the fish. If the return trip took more time, the fish were not fresh.

To solve this problem, fish companies installed freezers on their boats. They would catch the fish and freeze them at sea. Freezers allowed the boats to go farther and stay longer.

However, the Japanese could taste the difference between fresh and frozen fish and they did not like the taste of frozen fish. The frozen fish brought a lower price. So, fishing companies installed fish tanks.

They would catch the fish and stuff them in the tanks, fin to fin. After a little thrashing around, they were tired, dull, and lost their fresh-fish taste. The fishing industry faced an impending crisis!

But today, they get fresh-tasting fish to Japan. How did they manage…?

To keep the fish tasting fresh, the Japanese fishing companies still put the fish in the tanks but with a small shark. The fish are challenged and hence are constantly on the move. The challenge they face keeps them alive and fresh!

Have you realized that some of us are also living in a pond but most of the time tired and dull….? Basically in our lives, sharks are new challenges to keep us active.

If you are steadily conquering challenges, you are happy. Your challenges keep you energised. Don’t create Success and revel in it in a state of inertia.

You have the resources, skills and abilities to make a difference. Put a shark in your tank in the year 2016 and see how far you can really go. Best wishes for a challenging, highly energized and active year in 2016.

Sources: Shreya Bhatt; CiteHR; Photo by Zac Wolf (edited by Mohsin Sumar to add the title of the post);

Improve your company’s productivity in 2016

Along with the entire customer happiness team at Extreme Web Technologies; I wish you a Happy New Year 2016!

As 2016 sets in, it’s time to put those new year resolutions in effect. Did your new year resolution include improving your productivity as a business? If not, make sure to list it down because your employees could be wasting 24% of their day on useless email.

Useless emails are the SPAM emails that clutter our email inbox every day. It may be cheap for spammers to send SPAM; however, it is very costly for a business on the other end. The following costs are usually associated with SPAM emails:

  • Productivity loss, or waste of time of your employees in reviewing and deleting spam emails.
  • The cost of anti-spam technology.
  • Wasted storage and server resources.
  • Internet data.

Here’s a report from one of our customers’ accounts using a professional spam filter. They have seen an improvement of 35% emails being blocked by the filter. Think about it for a second, how many is 35% on the report below? That’s 25,000 emails blocked over a 3 month period.

[Figure: Spam Filter Report for 3 Months]

Improve the productivity of your business by using a professional spam filter. For a limited time, DOUBLE your storage when you add professional spam filter to your account! Contact us by sending us an email to support (at) extreme.co.tz for more information.

Improve your company's productivity in 2016 with professional spam filter.

This article was first published on Extreme Web Technologies Blog. This article was written by Mohsin Sumar (@mohsinsumar), who serves as the Technical Director of Extreme Web Technologies. Mohsin, with his Customer Happiness team, constantly strives to deliver top notch quality web hosting in Tanzania.

.tz Marketing Workshop

I attended a marketing workshop representing Extreme Web Technologies, top performing .TZ accredited registrar on 10th & 11th December 2015 which was organised by tzNIC in collaboration with ICANN. It was held at BOT Conference Room and facilitated by Bob Ochieng and Ali Hussein Kassim.

The workshop aimed to share and provide necessary business skill-sets as well as exposure to the domain industry players to the participants which comprised mostly of .TZ registrars, as well as representatives from various academia, government bodies and students.

The workshop came at a time when the African continent of about 1 billion people is striving to grow the ccTLD domain business from about 1.3 Million domains that are in use today.

Key questions that were discussed at the workshop included what should be done to change the situation? What can the ccTLD manager and registrars do to grow the .tz domain business in Tanzania? And finally, what other stakeholders should do to propel the .tz domain name industry?

I was also a panelist of a discussion where we discussed various ways to market the domain business through raising awareness of .tz domain by educating small & medium sized businesses on the importance of their online presence, the need of personalised email addresses and more.

Guide to setup cPanel + CentOS 6.7 with RAID on HP Proliant Server ML310e

HP Proliant ML310e server comes with Intelligent Provisioning built in as well as SMART array controller. A quick overview of what we’ll cover in this post:

  • Configuration of HP Proliant ML310e
  • Configuration of RAID-1
  • Installation of CentOS
  • Installation of HP Dynamic Smart Array Controller B320i
  • Setup of Networking
  • Installation of cPanel

Configuration of HP Proliant ML310e
The server I was working with was 16GB RAM with 2 hard drives, each of 1TB and HP Dynamic Smart Array Controller B320i. The boot up was pretty straight forward, connecting it to a monitor, keyboard and mouse.

Configuration of RAID-1
As the server I was working with had two hard drives, this can allow for RAID-1 configuration which means mirroring. All data is written to both drives at the same time, such that in the event of a hard drive failure, the machine can boot up using the second drive.

During the boot, press F5 when the system recognizes the HP Dynamic Smart Array Controller to open up the configuration screen. Use this interface to create a virtual / logical volume such as RAID-1 and include both hard drives in it. The logical volume would be 1TB of usable space.

Installation of CentOS 6.7
HP Proliant ML310e Server comes with a tool called Intelligent Provisioning. It’s a nifty tool which completes the installation of an operating system in a few easy steps. One caveat is that it does not support CentOS 6.7. The intelligent provisioning tool can be used to install Windows, Red Hat, and a couple of other operating systems.

In order to install CentOS 6.7, we’ll have to go the manual way. Insert Disk 1 into the drive and reboot the server. The server will boot from disk, and take you to the installation screen.

If you’ve done a CentOS installation before, you’d be happy to reach a familiar screen and everything from here should be straight forward, right? When you reach the screen where you have to pick your boot drive, you’d be surprised to see two hard drives instead of the logical volume RAID 1 we created previously.

This means that the operating system is not able to read HP Dynamic Smart Array Controller B320i and a driver for CentOS will be required to proceed forward.

Installation of HP Dynamic Smart Array Controller B320i driver on CentOS 6.7
HP support & drivers website does not provide you with CentOS driver. Luckily, CentOS is built on Red Hat Linux and we can use that driver for our server.

  1. Go to HP Drivers & Software site and search for B320i.
  2. Choose the operating system, I picked Red Hat Enterprise Linux 6 Server (x86-64).
  3. Expand Software – Driver Update
  4. Look for the version 6u7 from the list: hpvsa-1.2.14-103.rhel6u7.x86_64.dd.gz
  5. Download it to your computer

Note: if you are using browser like Safari or Chrome, make sure it does not auto-extract the downloads.

Once you have your file, follow the instructions below to create a flash drive for the driver. The instructions below are for creating the drive in Mac OS X. Open up the terminal using ⌘ + Space, type Terminal, and hit enter and follow the commands below: (all the lines starting with # are comments)

# Assuming the file is in your Downloads folder
cd ~/Downloads

# Extract the file using gunzip command
gunzip hpvsa-1.2.14-103.rhel6u7.x86_64.dd.gz

# Plug in your empty FAT32 flash disk, make sure it is unmounted.
# Use the command below to create the drive
# Make sure your flash disk drive path is correct
# In my case, the disk was available in /dev/disk2
sudo dd if=hpvsa-1.2.14-103.rhel6u7.x86_64.dd of=/dev/disk2

Give it a couple of minutes at most, and your flash drive will be ready. Let’s get back to the CentOS installation, you’ll need to reboot the server.

After you reach the initialisation screen of the CentOS installation (as seen on the right), follow these instructions:

  • Press ESC key to reach the boot prompt.
  • Plug in your USB flash drive which contains the driver
  • Type in “linux dd blacklist=ahci” and press ENTER
  • A few moments later, it will ask you if you have a driver disk. Choose yes.
  • Select your disk and browse the disk image: “dd.img” and choose OK
  • Once the driver is installed, it will prompt you whether or not you have more driver disks to install.
  • Choose No and continue with the installation and you’ll now be able to see HP’s Logical Disk you created earlier.

Setup of Networking
Once the operating system is set up, you’d think you’re all set, right? Not quite. By default, networking is disabled on CentOS installations, so you’ll need to enable it first before you can connect it to the internet.

There are two files responsible for network configuration.

# Amend the first file by opening it using vi editor
vi /etc/sysconfig/network
# Hit “a” key on your keyboard to make edits
# Go to the line NETWORKING and change the setting from no to yes
# Add a line for GATEWAY=192.168.1.1
# Save your changes by pressing “CTRL + c”, typing “:wq” and pressing ENTER key

# Type in the following command to open the second file.
vi /etc/sysconfig/network-scripts/ifcfg-eth0
# You’ll see the contents of this file on your screen. Press “a” key to amend the contents of this file
# Find the line ONBOOT and change it from no to yes
# At the bottom of the file, add the following lines
# IPADDR=192.168.1.240
# NETMASK=255.255.255.0
# To save the changes, press CTRL + c; type “:wq” and press ENTER key

# Setup DNS resolvers
vi /etc/resolv.conf
# This file should be empty
# Populate with the following two lines, press “a” key on your keyboard and type in the below two:
nameserver 8.8.8.8
nameserver 8.8.4.4
# Press CTRL+c; type “:wq” and press ENTER key

# Reboot the server using the command below
shutdown -r now

Your server will reboot with networking configured with the IP: 192.168.1.240 on your network. You can try pinging it from another machine on the network.

Installation of cPanel
cPanel requires that your server must be visible on the internet. You’ll need to make sure you’ve a public IP address from your ISP, and configure it accordingly on the server.

For the purpose of this post, I’ll assume you have a public IP address assigned by your ISP on your internet router/modem. You’ll setup a DMZ zone on your router to point to your internal IP address. Check your router manual for more information.

Once you’ve done this, the installation is pretty straight forward and the best guide for it is available in cPanel documentation.

Before you follow the installation, you’ll need to install the wget and curl utilities. You can quickly do so by typing in the below command:

yum install curl wget

Once installed, type in the command below to download & install cPanel. Depending on your internet connection, this can take anywhere between 30 minutes to a few hours.

cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest

If all goes well, you should be able to access cPanel/WHM via browser and complete the cPanel setup.

All the best! If you get stuck, shout out at me on twitter @mohsinsumar and I’ll try help you out.