Email Security

The Email & Email Security module of the Ethical Hacking class covers the fundamentals of email communication, including its components, protocols, and security measures. It includes practical exercises and live demonstrations to enhance understanding of email headers, security protocols like SPF, DKIM, and DMARC, and threats such as phishing and spoofing. The course aims to equip students with the knowledge to secure email communications against various threats.


Email & Email Security

Welcome to the Email & Email Security module of your Ethical Hacking class! In this session, we'll
delve deep into the intricacies of email communication, understand its components, explore the
protocols that govern it, and examine the security measures that protect it. Through detailed
explanations and live examples, you'll gain a robust understanding of how emails function and how to
secure them against various threats.
Table of Contents

1. Email Basics

o Email Header

o Email Body

o Subject, To, CC, BCC

o SPAM

2. Email Components

o MUA (Mail User Agent)

o MTA (Mail Transport Agent)

o MDA (Mail Delivery Agent)

3. Email Protocols & Their Ports

o SMTP

o POP3

o IMAP

o MIME

o HTTP & HTTPS

4. Email Security & Assurance

o SPF

o DKIM

o DMARC

5. Advanced Topics

o Phishing & Spoofing

o Email Encryption

6. Practical Exercises

o Exercise 1: Analyzing an Email Header

o Exercise 2: Simulating a Phishing Attack

o Exercise 3: Setting Up SPF, DKIM, and DMARC

7. Live Demonstrations

o Demo 1: Viewing and Interpreting Email Headers

o Demo 2: Creating a DKIM Signature

8. Conclusion & Assignment


1. Email Basics
Understanding the foundational elements of email is crucial before diving into security aspects. Let's break down
the primary components of an email.

Email Header
Definition: The email header contains metadata about the email, providing essential information about the
sender, recipient, and the path the email has taken.

Key Components of an Email Header:


• From: Sender's email address.

• To: Primary recipient's email address.

• CC (Carbon Copy): Additional recipients who receive a copy of the email.

• BCC (Blind Carbon Copy): Recipients who receive the email without their addresses being visible to
others.

• Subject: Brief summary of the email's content.

• Date: Timestamp when the email was sent.

• Message-ID: Unique identifier for the email.

• Return-Path: Address to which undeliverable messages are sent.

• Received: Trace of the email's journey through various servers.

Live Example:
Let's examine a sample email header:

Explanation:
• Return-Path: Indicates the sender's address for bounce messages.

• Received: Shows that the email was sent from mail.example.com to smtp.receiver.com.

• From, To, CC, BCC: Lists the sender and all recipients.

• Subject: Summarizes the email topic.

• Date: Timestamp of when the email was sent.

• Message-ID: Unique identifier for tracking the email.


Email Body
Definition: The main content area of an email where the actual message is written. It can contain:

• Plain Text: Simple text without formatting.

• HTML Content: Richly formatted text with images, links, and styles.

• Attachments: Files like documents, images, or videos sent alongside the email.

Live Example:
Plain Text Email Body:

Hi Bob,

I wanted to update you on the project's progress. We've completed the initial phase and are moving into testing.

Best,

Alice

HTML Email Body:

<html>

<body>

<p>Hi Bob,</p>

<p>I wanted to update you on the <strong>project's progress</strong>. We've completed the initial phase and are moving into
<em>testing</em>.</p>

<p>Best,<br>Alice</p>

</body>

</html>

Subject, To, CC, BCC

• Subject: Acts as the email's title, helping recipients understand the purpose at a glance. It should be
concise and relevant.

Example: "Meeting Agenda for September 25"

• To: Primary recipients who are directly addressed by the email.

Example: Sending an email to your manager with project updates.

• CC (Carbon Copy): Used to send copies to secondary recipients who should be informed but are not
directly involved.

Example: Sending an update to your manager (To) and copying your team members (CC).

• BCC (Blind Carbon Copy): Sends copies to recipients without revealing their addresses to others,
maintaining privacy.

Example: Sending a newsletter to multiple subscribers without exposing their email addresses to each other.
SPAM
Definition: Unsolicited and often irrelevant or malicious emails sent in bulk. SPAM can clutter inboxes and pose
security risks through phishing links or malware attachments.

Characteristics of SPAM:
• Generic greetings (e.g., "Dear User")

• Unsolicited offers or promotions

• Suspicious links or attachments

• Requests for personal or financial information

Live Example:
A SPAM email might look like this:

From: "Lucky Winner" <[email protected]>

To: <[email protected]>

Subject: Congratulations! You've Won $10,000!

Dear User,

We are excited to inform you that you have won $10,000 in our annual lottery. To claim your prize, please click the link below and
provide your banking details.

[Claim Your Prize](http://malicious-link.com)

Best regards,

Lottery Team

Why It's SPAM:


• Unsolicited claim of winning money.

• Urgent call to action.

• Suspicious link aiming to steal personal information.


2. Email Components
Understanding how emails are processed involves knowing the roles of various agents that handle email creation,
transport, and delivery.

MUA (Mail User Agent)


Definition: Software or application used by users to compose, send, receive, and read emails.

Examples:

• Desktop Clients: Microsoft Outlook, Mozilla Thunderbird

• Webmail Interfaces: Gmail, Yahoo Mail, Outlook Web Access

• Mobile Apps: Apple Mail, Gmail App

Live Example:

Using Gmail (Webmail MUA):

1. Compose an Email: Click on "Compose" to write a new email.

2. Send the Email: After writing, click "Send" to dispatch the email through Gmail's servers.

MTA (Mail Transport Agent)


Definition: Server software responsible for transferring emails from the sender's MUA to the recipient's MTA.
MTAs use protocols like SMTP to route emails across the internet.

Examples:

• Sendmail

• Postfix

• Exim

• Microsoft Exchange

Live Example:

When you send an email from Gmail:

1. MUA Action: You compose and send the email via Gmail's interface.

2. MTA Role: Gmail's MTA (e.g., Google SMTP servers) processes the email and determines the recipient's
mail server.

3. Email Transfer: The email is sent over the internet to the recipient's MTA using SMTP.

MDA (Mail Delivery Agent)


Definition: Software responsible for delivering emails from the MTA to the recipient's mailbox. MDAs handle
the final placement of emails into the user's inbox.

Examples:

• Dovecot

• Procmail

• Courier

• Microsoft Exchange Server


Live Example:

Continuing from the previous example:

1. MTA Action: The recipient's MTA receives the email.

2. MDA Role: The MDA on the recipient's server (e.g., Dovecot) delivers the email to the recipient's
mailbox.

3. MUA Access: The recipient accesses the email via their MUA (e.g., Outlook).

3. Email Protocols & Their Ports
Email communication relies on specific protocols that define how data is transmitted between servers and clients.
Each protocol has standard ports, with secure (encrypted) and insecure (unencrypted) variants.

SMTP (Simple Mail Transfer Protocol)


Purpose: Used for sending emails from a client (MUA) to a server (MTA) or between MTAs.

Ports:

• Insecure: 25

• Secure:

o 465: SMTPS (SMTP Secure) - Deprecated but still used by some servers.

o 587: Submission port with STARTTLS - Recommended for secure email submission.

Live Example:
Sending an Email via SMTP:

1. Client Action: Your email client (e.g., Thunderbird) connects to the SMTP server (smtp.example.com)
on port 587.

2. Authentication: The client authenticates using your username and password.

3. Email Transfer: The email is sent securely using STARTTLS to encrypt the connection.
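The three steps above as code, added here as an example and not part of the original module: a submission on port 587 that refuses to continue without STARTTLS and verifies the server certificate, plus the implicit-TLS variant on port 465. Host, username and password are assumed placeholders supplied by the caller; the same context is what imaplib.IMAP4_SSL and poplib.POP3_SSL accept for ports 993 and 995.

```python
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_PORT = 587   # STARTTLS: plaintext connection upgraded to TLS
SMTPS_PORT = 465        # implicit TLS from the first byte


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that actually verifies the server: certificate chain,
    hostname match, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()        # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Minimal RFC 5322 message the client (MUA) hands to the server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_submission(host: str, username: str, password: str,
                        msg: EmailMessage, port: int = SUBMISSION_PORT):
    """Steps 1-3: connect on 587, upgrade with STARTTLS, then authenticate.
    Credentials are never sent if the upgrade is unavailable or fails."""
    ctx = strict_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; not sending")
        smtp.starttls(context=ctx)   # explicit context => certificate is verified
        smtp.ehlo()                  # SMTP requires a fresh EHLO after the upgrade
        smtp.login(username, password)
        return smtp.send_message(msg)


def send_via_smtps(host: str, username: str, password: str,
                   msg: EmailMessage, port: int = SMTPS_PORT):
    """Same on port 465, where TLS is negotiated before any SMTP command."""
    with smtplib.SMTP_SSL(host, port, context=strict_tls_context(), timeout=30) as smtp:
        smtp.login(username, password)
        return smtp.send_message(msg)
```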

POP3 (Post Office Protocol version 3)


Purpose: Allows email clients to retrieve emails from the server. Typically downloads emails to the client and
deletes them from the server.

Ports:

• Insecure: 110

• Secure:

o 995: POP3S (POP3 Secure) - Encrypted retrieval.

Live Example:
Retrieving Emails via POP3:

1. Client Action: Your email client connects to pop3.example.com on port 995.

2. Authentication: The client authenticates securely.

3. Email Retrieval: Emails are downloaded to your device and removed from the server.

IMAP (Internet Message Access Protocol)


Purpose: Allows email clients to access and manage emails directly on the server, enabling synchronization across
multiple devices.

Ports:

• Insecure: 143

• Secure:

o 993: IMAPS (IMAP Secure) - Encrypted access.


Live Example:
Accessing Emails via IMAP:

1. Client Action: Your email app connects to imap.example.com on port 993.

2. Authentication: Secure login using SSL/TLS.

3. Email Management: Emails remain on the server, accessible from multiple devices, with actions like
read/unread status synchronized.

MIME (Multipurpose Internet Mail Extensions)


Purpose: Extends the format of emails to support text in character sets other than ASCII, attachments, multimedia
content, and more.

Key Features:

• Encoding: Converts binary data to text for safe transmission.

• Content Types: Defines types like text/plain, text/html, image/jpeg, etc.

• Multipart Messages: Allows emails to contain multiple parts (e.g., text and attachments).

Live Example:
Sending an Email with an Attachment:

1. Compose Email: Attach a PDF file to your email in Outlook.

2. MIME Encoding: The email client encodes the PDF using Base64 and includes it as a separate MIME
part.

3. Transmission: The email is sent with a multipart/mixed content type, allowing the attachment to be
included alongside the text.
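The attachment walkthrough above, as an added example that is not part of the original module: Python's email library composes the text part and a binary attachment, chooses multipart/mixed for the container and base64 for the attachment, and the parser on the receiving side reports each part. The PDF bytes are a constructed stand-in.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List


def build_mixed_message(text: str, attachment: bytes, filename: str) -> EmailMessage:
    """Text part plus one binary attachment. EmailMessage picks the
    multipart/mixed container and base64-encodes the binary part, which is
    what step 2 and step 3 above describe."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Project report"
    msg.set_content(text)
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename=filename)
    return msg


def describe_parts(raw: bytes) -> List[Dict[str, object]]:
    """The receiving side's view: parse wire-format bytes and list every leaf
    MIME part with its type, transfer encoding, filename and decoded size."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    for part in parsed.walk():
        if part.is_multipart():          # skip the multipart/mixed container
            continue
        parts.append({
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding")),
            "filename": part.get_filename(),
            "size": len(part.get_payload(decode=True)),   # base64 undone here
        })
    return parts


# Constructed sample: a tiny stand-in for a real PDF file.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    msg = build_mixed_message("Report attached.", SAMPLE_PDF, "report.pdf")
    print(msg.get_content_type())          # multipart/mixed
    for p in describe_parts(bytes(msg)):
        print(p)
```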

HTTP & HTTPS


Purpose: Primarily used by webmail services to provide email access via web browsers.

Ports:

• HTTP: 80 (Insecure)

• HTTPS: 443 (Secure) - Encrypts data between the browser and server.

Live Example:
Accessing Gmail via HTTPS:

1. Open Browser: Navigate to https://mail.google.com.

2. Secure Connection: The browser establishes an encrypted connection over port 443.

3. Email Access: You log in securely and access your emails through the web interface.

4. Email Security & Assurance
With the prevalence of email-based attacks like phishing and spoofing, securing email communication is
paramount. Various protocols and standards help verify the authenticity and integrity of emails.

SPF (Sender Policy Framework)


Purpose: Prevents email spoofing by specifying which mail servers are authorized to send emails on behalf of a
domain.

How It Works:

1. DNS Record: Domain owners publish SPF records in DNS, listing authorized sending IP addresses.

2. Email Sending: When an email is sent, the recipient's server checks the SPF record to verify if the
sender's IP is authorized.

3. Verification: If the IP matches, the email passes SPF; otherwise, it may be marked as suspicious or
rejected.
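The check in steps 2 and 3 as code, added here as an example and not part of the original module: a small SPF evaluator that walks a record's mechanisms (ip4, ip6, include, all) with their qualifiers and returns the result the receiving server would produce. DNS is replaced by a constructed in-memory table; the _spf.google.com entry is a stand-in, not Google's real record.

```python
import ipaddress
from typing import Dict

# Constructed in-memory DNS standing in for the TXT lookups a receiver performs.
FAKE_DNS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",   # stand-in
    "softfail.example": "v=spf1 ip4:203.0.113.20 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns: Dict[str, str], depth: int = 0) -> str:
    """Evaluate the connecting IP against the domain's SPF record.
    Returns pass, fail, softfail, neutral, none or permerror. Only ip4, ip6,
    include and all are implemented; mechanisms that need live DNS (a, mx,
    exists, redirect) are reported as permerror here."""
    if depth > 10:                                   # RFC 7208 DNS-lookup limit
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                              # "+" is implied when absent
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 term (and vice versa)
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, value, dns, depth + 1)
            if inner == "pass":                      # include matches only on pass
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):       # broken include: permanent error
                return "permerror"
            # fail / softfail / neutral: no match, keep evaluating
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                                 # nothing matched and no "all"
```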

Live Example:
Setting Up an SPF Record:

1. DNS Entry: Add the following TXT record to your domain's DNS settings:

1. Email Signing: Configure your MTA to sign outgoing emails with the private key.

2. Verification: When a recipient's server receives the email, it uses the public key to verify the signature.

DMARC (Domain-based Message Authentication, Reporting & Conformance)


Purpose: Builds on SPF and DKIM to provide domain owners with the ability to publish policies on how to
handle unauthenticated emails and receive reports about email authentication.

How It Works:

1. DNS Record: Domain owners publish a DMARC policy in DNS specifying actions (none, quarantine,
reject) for emails failing SPF/DKIM checks.

2. Alignment: Ensures that the domain in the "From" header aligns with SPF and DKIM authenticated
domains.

3. Reporting: Receivers send aggregate and forensic reports back to the domain owner.

Live Example:
Setting Up a DMARC Policy:

1. DNS Entry: Add the following TXT record:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:dmarc-[email protected]; adkim=s; aspf=s"

o v=DMARC1: Indicates DMARC version 1.

o p=reject: Policy to reject emails failing DMARC.


o rua: Aggregate reports email address.

o ruf: Forensic reports email address.

o adkim, aspf: Strict alignment for DKIM and SPF.

2. Policy Enforcement: If an email from [email protected] fails SPF and DKIM checks, recipient servers
will reject it based on the DMARC policy.
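The policy enforcement step as code, added here as an example and not part of the original module: parse the DMARC record, apply strict (s) or relaxed (r) alignment to the SPF and DKIM authenticated domains, and derive the disposition. The report addresses are constructed placeholders, and the organizational-domain check is a last-two-labels approximation rather than a Public Suffix List lookup.

```python
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary, filling in
    the relaxed-alignment defaults the standard applies when adkim/aspf are absent."""
    tags = {"adkim": "r", "aspf": "r"}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels). Fine for
    example.com, wrong for registries such as co.uk; real receivers use the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict needs an exact match with the From domain; relaxed accepts any
    subdomain that shares the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(record: str, header_from: str, spf_result: str, spf_domain: Optional[str],
                 dkim_result: str, dkim_domain: Optional[str]) -> Dict[str, object]:
    """DMARC passes when at least one of SPF or DKIM both passed and aligns with
    the From domain; otherwise the disposition is whatever p= requests."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"],
    }


# The record from the live example, with constructed report addresses.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; "
                  "ruf=mailto:dmarc-ruf@example.com; adkim=s; aspf=s")
```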

5. Advanced Topics
Phishing & Spoofing
Phishing:

• Definition: Fraudulent attempts to obtain sensitive information by disguising as a trustworthy entity in
electronic communication.

• Techniques:

o Email Phishing: Fake emails mimicking legitimate organizations to steal credentials.

o Spear Phishing: Targeted phishing attacks aimed at specific individuals or organizations.

Spoofing:

• Definition: Forging email headers to make an email appear as if it originated from a different source.

• Techniques:

o Sender Address Spoofing: Changing the "From" address to deceive recipients.

o Display Name Spoofing: Altering the display name to appear as a known contact.

Live Example:
Phishing Email Example:

From: "IT Support" <[email protected]>

To: <[email protected]>

Subject: Urgent: Password Reset Required

Dear User,

Our records indicate unusual activity in your account. Please reset your password immediately by clicking the link below:

[Reset Password](http://malicious-link.com/reset)

Thank you,

IT Support Team

Spoofing Detection:

1. Check SPF: Verify if the sending IP is authorized via SPF.

2. Inspect DKIM Signature: Ensure the email's integrity.

3. Analyze DMARC Policy: See if the email aligns with DMARC requirements.

Email Encryption
Purpose: Protects the content of emails from being read by unauthorized parties during transit.

Types:

• Transport Layer Security (TLS): Encrypts the connection between email servers.

• End-to-End Encryption: Ensures only the sender and recipient can read the email content.

Technologies:

• S/MIME (Secure/Multipurpose Internet Mail Extensions): Uses certificates to encrypt and sign
emails.
• PGP (Pretty Good Privacy): Uses a web of trust and key pairs for encryption and signing.

Live Example:

Sending an Encrypted Email with PGP:

1. Key Generation: Both sender and recipient generate PGP key pairs.

2. Public Key Exchange: Share public keys with each other.

3. Encrypt Email: Sender encrypts the email content using the recipient's public key.

4. Send Email: The encrypted email is sent and can only be decrypted by the recipient's private key.

6. Practical Exercises
Hands-on exercises reinforce theoretical knowledge. Below are practical tasks to apply what you've learned.

Exercise 1: Analyzing an Email Header


Objective: Understand how to dissect an email header to identify authentication results and potential spoofing.

Steps:

1. Select an Email: Choose any email from your inbox.

2. View Source:

o Gmail: Open the email, click on the three dots (⋮) next to the reply button, and select "Show
original."

o Outlook: Open the email, go to "File" > "Properties," and view the "Internet headers."

3. Identify Key Sections:

o SPF Results: Look for lines like Received-SPF: pass.

o DKIM Signature: Find DKIM-Signature: headers.

o DMARC Alignment: Check Authentication-Results: for DMARC status.

4. Determine Authenticity:

o Verify if SPF and DKIM passed.

o Check if the "From" domain aligns with authenticated domains.

o Assess if DMARC policy was enforced.

Example Analysis:

Interpretation:

• DKIM: Signature is valid for example.com.

• SPF: Sending IP is authorized for example.com.

• DMARC: Email aligns with policies and passes authentication.

Exercise 2: Simulating a Phishing Attack


Objective: Understand how phishing emails are crafted and recognize their indicators.

Important: Do not perform actual phishing attacks. This exercise is purely for educational purposes in a
controlled environment.

Steps:

1. Create a Fake Email:

o Use an email client or an email simulation tool.


o Set the "From" address to mimic a trusted entity (e.g., [email protected]).

o Craft a message that prompts urgent action (e.g., "Update your password immediately").

2. Include Phishing Indicators:

o Suspicious links that don't match the legitimate domain.

o Urgent language pressuring immediate action.

o Requests for sensitive information (passwords, credit card numbers).

3. Analyze the Phishing Email:

o Identify signs of spoofing (e.g., mismatched domains).

o Check for lack of SPF/DKIM/DMARC alignment.

o Recognize the absence of proper encryption.

4. Discuss Prevention Techniques:

o Educate users to recognize phishing signs.

o Implement technical safeguards like DMARC policies.

o Use email filtering solutions to detect and block SPAM/phishing attempts.

Example Phishing Indicators:


• From Address Mismatch: The "From" domain doesn't align with the actual sending server.

• Suspicious URLs: Links redirect to unknown or misspelled domains.

• Generic Greetings: Lack of personalized salutations.
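The three indicators above, plus the generic-greeting and urgency characteristics from the SPAM section, as a triage script a receiver or SOC analyst could run over a message. This is an added example and not part of the original module; the sample message is constructed and every domain in it is made up.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

URGENT = ("immediately", "urgent", "within 24 hours", "will be suspended")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear valued")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lowercased hostname of a URL or bare domain ('' if there is none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw: bytes, trusted_domain: str) -> List[str]:
    """Return the red flags found in one raw message relative to the domain
    the message claims to come from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    display, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rsplit("@", 1)[-1].lower()
    if from_domain != trusted_domain:
        flags.append(f"from-domain-mismatch:{from_domain}")
        if trusted_domain in display.lower():        # brand in the name, not the address
            flags.append("display-name-spoofing")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            if _host(href) != trusted_domain:
                flags.append(f"suspicious-url:{_host(href)}")
            if "." in visible and _host(visible) and _host(visible) != _host(href):
                flags.append(f"link-text-mismatch:{_host(visible)}->{_host(href)}")
    lowered = text.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")
    if any(u in lowered for u in URGENT):
        flags.append("urgent-language")
    return flags


# Constructed sample modelled on the "IT Support" example above.
SAMPLE = b"""From: "IT Support example.com" <helpdesk@example-support.net>
To: <bob@example.com>
Subject: Urgent: Password Reset Required
Content-Type: text/html; charset=utf-8

<p>Dear User,</p>
<p>Please reset your password immediately:
<a href="http://example.com.reset-portal.net/reset">https://example.com/reset</a></p>
"""
```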

Exercise 3: Setting Up SPF, DKIM, and DMARC

Objective: Implement email authentication protocols to secure your domain's email communication.

Steps:

1. Access DNS Management:

o Log in to your domain registrar or DNS hosting provider.

2. Set Up SPF:

o Add a TXT record specifying authorized mail servers.

o Example SPF Record:

o include: Authorizes Google’s mail servers.

o ~all: Soft fail for unauthorized servers.

3. Set Up DKIM:
• Generate a DKIM key pair (public and private keys).

• Add a TXT record with the public key.


• Example DKIM Record:

• Configure your MTA to sign outgoing emails with the private key.

4. Set Up DMARC:
• Add a TXT record defining DMARC policies.

• Example DMARC Record:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:dmarc-[email protected]; adkim=s; aspf=s"

▪ p=reject: Instructs receivers to reject unauthenticated emails.

▪ rua/ruf: Email addresses for aggregate and forensic reports.

5. Verify Configuration:

• Use online tools like MXToolbox or DMARC Analyzer to check DNS records.

• Send test emails and verify authentication results.

Outcome: By completing this exercise, you ensure that your domain's emails are authenticated, reducing the risk
of spoofing and phishing attacks using your domain.

7. Live Demonstrations
Demo 1: Viewing and Interpreting Email Headers

Objective: Learn how to view email headers and interpret authentication results.

Steps:

1. Open an Email: Choose an email from your inbox.

2. View Headers:

o Gmail: Click on the three dots (⋮) > "Show original."

o Outlook: Open the email, go to "File" > "Properties" > "Internet headers."

3. Identify Key Sections:

o Received Headers: Trace the email's path.

o Authentication-Results: Check SPF, DKIM, DMARC statuses.

o DKIM-Signature: Examine the signature details.

4. Interpret Results:

o Determine if the email passed authentication checks.

o Identify any discrepancies or signs of spoofing.

Live Analysis:
Suppose you receive an email with the following Authentication-Results:

Interpretation:
• SPF: Passed – the sending IP is authorized.

• DKIM: Failed – the signature doesn't match.

• DMARC: Failed – policy dictates rejecting the email.

• Action: The email should be rejected based on DMARC policy.
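The interpretation above, and the header dissection from Exercise 1 and the Email Header section, as code: an added example that is not part of the original module. It parses a constructed header block of the kind "Show original" displays, reads the Received chain in delivery order, extracts the SPF, DKIM and DMARC results and the published p= policy, and derives the action. All hostnames, IPs and ids in the sample are constructed.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import Dict, List

# Constructed message whose Authentication-Results mirror the live analysis:
# SPF pass, DKIM fail, DMARC fail under p=REJECT.
RAW = b"""Return-Path: <bounce@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby smtp.receiver.com with ESMTPS id abc123;
\tWed, 25 Sep 2024 10:15:02 +0000
Received: from [192.0.2.44] (client.example.com [192.0.2.44])
\tby mail.example.com with ESMTPSA id xyz789;
\tWed, 25 Sep 2024 10:15:00 +0000
Authentication-Results: smtp.receiver.com;
\tspf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com;
\tdkim=fail (signature did not verify) header.d=example.com;
\tdmarc=fail (p=REJECT sp=REJECT dis=reject) header.from=example.com
From: Alice <alice@example.com>
To: Bob <bob@receiver.com>
Subject: Project update
Message-ID: <20240925101500.1234@example.com>

Body text.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_chain(msg) -> List[Dict[str, str]]:
    """Each hop prepends its own Received header, so the top one is the last
    server. Reverse them to read the path in delivery order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if m:
            hops.append({"from": m.group(1), "by": m.group(2)})
    return hops


def auth_results(msg) -> Dict[str, str]:
    """Pull method=result pairs and the DMARC policy out of Authentication-Results."""
    results: Dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        text = str(value)
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
            results[method] = result.lower()
        policy_match = re.search(r"\bp=(\w+)", text)
        if policy_match:
            results["dmarc_policy"] = policy_match.group(1).lower()
    return results


def disposition(results: Dict[str, str]) -> str:
    """A DMARC failure is handled as the published policy asks (reject,
    quarantine or none); otherwise both SPF and DKIM must pass to accept."""
    if results.get("dmarc") == "fail":
        return results.get("dmarc_policy", "none")
    if results.get("spf") == "pass" and results.get("dkim") == "pass":
        return "accept"
    return "review"


def analyse(raw: bytes) -> Dict[str, object]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = auth_results(msg)
    return {"path": received_chain(msg), "auth": results, "action": disposition(results)}
```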

Demo 2: Creating a DKIM Signature

Objective: Understand how DKIM signatures are generated and added to emails.

Prerequisites:

• Access to your domain's DNS settings.

• An MTA that supports DKIM (e.g., Postfix with OpenDKIM).

Steps:
1. Generate DKIM Keys:
o Use a tool like opendkim-genkey.

o This generates default.private (private key) and default.txt (public key).

2. Publish Public Key:


• Add the contents of default.txt to your DNS as a TXT record.

3. Configure MTA for DKIM:


• Install and configure OpenDKIM with Postfix.

• Specify the private key and selector in the configuration files.

4. Restart Services:
• Restart OpenDKIM and Postfix to apply changes.

5. Send a Test Email:

o Compose and send an email from your domain.

o View the email headers to verify the DKIM-Signature.

Outcome: The sent email should include a DKIM-Signature header that recipients can verify using your published
public key, ensuring email integrity and authenticity.
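What OpenDKIM does between steps 3 and 5 above, and what the DKIM "Email Signing" step earlier refers to, shown as an added example that is not OpenDKIM's code and not part of the original module: simple body canonicalization and the bh= body hash, relaxed header canonicalization, and the exact byte string the selector's private key signs to produce b=. The RSA signing itself needs the key and is left to the MTA; the message and the "default" selector are constructed.

```python
import base64
import hashlib
import re
from typing import List, Tuple


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: drop every empty line at the end of the
    body and terminate it with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def canonicalize_header_relaxed(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase the name, unfold, collapse
    runs of whitespace to one space, strip the ends, no space after the colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "").replace("\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def build_signature_header(domain: str, selector: str, headers: List[Tuple[str, str]],
                           signed: List[str], body: str) -> Tuple[str, bytes]:
    """Return the DKIM-Signature value with an empty b= tag, and the bytes the
    private key signs: the canonicalized signed headers followed by the
    DKIM-Signature header itself with b= empty and its trailing CRLF removed.
    Duplicate header names are not handled (the RFC takes them bottom-up)."""
    tags = [("v", "1"), ("a", "rsa-sha256"), ("c", "relaxed/simple"), ("d", domain),
            ("s", selector), ("h", ":".join(signed)), ("bh", body_hash(body)), ("b", "")]
    value = "; ".join(f"{k}={v}" for k, v in tags)
    lookup = {n.lower(): v for n, v in headers}
    data = "".join(canonicalize_header_relaxed(n, lookup[n.lower()]) for n in signed)
    data += canonicalize_header_relaxed("DKIM-Signature", value).rstrip("\r\n")
    return value, data.encode()


if __name__ == "__main__":
    # Constructed message; "default" is the selector opendkim-genkey uses.
    hdrs = [("From", "Alice <alice@example.com>"), ("To", "bob@receiver.com"),
            ("Subject", "Project\r\n\tupdate")]
    value, to_sign = build_signature_header("example.com", "default", hdrs,
                                            ["from", "to", "subject"], "Hi Bob,\r\n\r\n")
    print("DKIM-Signature:", value)
    print(to_sign.decode())
```

A verifier repeats the same canonicalization, compares bh= against its own body hash, and checks b= with the public key fetched from default._domainkey.example.com.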

8. Conclusion & Assignment
Conclusion
Emails are a fundamental mode of communication but also a significant vector for cyberattacks. Understanding
the components and protocols governing emails is essential for both effective communication and robust security.
By implementing and verifying SPF, DKIM, and DMARC, you can significantly enhance your domain's email
security, protecting both your organization and its users from phishing, spoofing, and other malicious activities.

Assignment
1. Analyze an Email Header:

o Task: Select an email from your inbox and perform a detailed analysis of its header.

o Objectives:

▪ Identify SPF, DKIM, and DMARC results.

▪ Determine if the email is authentic or potentially malicious.

▪ Document your findings and explain your reasoning.

2. Simulate a Phishing Attack:

o Task: In a controlled environment, create a mock phishing email targeting a specific scenario
(e.g., password reset).

o Objectives:

▪ Identify elements that make the email appear legitimate.

▪ Highlight red flags that indicate phishing.

▪ Discuss strategies to prevent such attacks in real-world scenarios.

3. Set Up SPF, DKIM, and DMARC for a Test Domain:

o Task: Using a test domain, configure SPF, DKIM, and DMARC records.

o Objectives:

▪ Ensure proper DNS configurations.

▪ Send test emails to verify authentication.

▪ Document the setup process and any challenges faced.

4. Bonus Task: Implement Email Encryption:

o Task: Configure S/MIME or PGP for your email account.

o Objectives:

▪ Encrypt outgoing emails.

▪ Decrypt received encrypted emails.

▪ Explain the benefits and limitations of the chosen encryption method.


Submission:
• Prepare a report detailing each assignment task, your approach, findings, and conclusions.

• Include screenshots or logs where applicable to support your analysis.

Note: Ensure that all practical exercises, especially those involving security configurations and simulated attacks,
are performed in a safe and ethical manner, respecting all relevant policies and guidelines.

Feel free to reach out with any questions or clarifications as you work through this module.
Understanding email security is a critical skill in ethical hacking, and your proactive engagement will
contribute significantly to your expertise in the field.
Happy Learning!
Best Regards
Jafar Hasan
Appin Technology Lab, Indore
