Webmail attack and defense practices

Webmail is a service or technology that uses web browsers to send and receive emails. webmail can be used as long as it can access the Internet without using the client, this greatly facilitates sending and receiving emails. Webmail is an indispensable choice for users who are not familiar with the mail client or who are inconvenient to use the mail client in Internet cafes. Email can be the most widely used network service on the internet today, and webmail is indispensable.

Improper use or poor development of the webmail system may cause more security threats to the use of webmail. Similarly, as an important part of today's email system, webmail security cannot be ignored.

1. Email Address Spoofing
Email Address Spoofing is very simple and easy. Attackers can obtain a similar email name for users' email addresses, in the webmail mailbox configuration, set "sender name" to the same sender name as the user (Some webmail systems do not provide this function), and then impersonate the user to send an email, when others receive an email, they often do not perform a careful check on the email address and top-level email information. The sender's name and email content cannot be used to identify the difference, attackers can cheat the system. For example, if a user's email name is wolfe, attackers can use similar email names such as w0lfe, wo1fe, wolve, and woolfe to cheat. Although free lunch is getting harder and harder to eat, many users still use free email. Through registration application, attackers can easily get similar email addresses.

People usually think that the reply address of an email is its sender address. Otherwise, the sender address and reply address can be clearly defined in RFC 822, users familiar with the email client will also understand this. When configuring account attributes or writing emails, you can specify a different reply address than the sender address. When receiving an email, the user checks whether the sender address is real, but does not check the reply address carefully. Therefore, if you use smtp spoofing, the sender address is the email address of the user to be attacked, and the reply address is the attacker's own email address, which will be more deceptive, trick others into sending emails to the attacker's email address.

The so-called heart of the victim cannot exist, and the heart of the Defender cannot be lost. In view of the ease of implementation and danger of email address spoofing, we have to be careful from time to avoid being cheated. For the webmail system, it provides service technologies such as checking the mail Information header content and smtp authentication (if the mail system supports smtp, it is necessary to minimize the harm caused by email address spoofing. For mail users, it is very important to carefully check the sender's email address, Sender's IP address, reply address, and other mail Information header content.

Ii. Webmail brute-force cracking
The interaction between the client and the server on the Internet is basically implemented by submitting forms to the server programs (such as CGI and ASP) on the client, this is the case for webmail password verification. After the user enters the account name, password, and other information in the form element of the browser and submits the information, the server will verify it. If yes, you are welcome to enter your webmail page. Otherwise, an error page is returned to the client.

Therefore, attackers constantly use different passwords to log on using some hacking tools. By comparing the similarities and differences on the returned page, they can determine whether the email password is successfully cracked. There are many tools to help attackers perform such brute-force cracking attacks, such as wwwhack and Xiao Rong's Xiaoxue. In particular, Xiaoxue has the most powerful functions and is already a fully functional browser, analyze and extract forms on the page, attach a dictionary file to the corresponding form elements, and then judge whether the cracking is successful based on the error mark returned after the form is submitted.

Of course, we can also see that web detectors such as qingxue can detect not only webmail passwords, all accounts and passwords used to verify Logon Through forms, such as forums and chat rooms, can be detected.

Many webmail systems have taken corresponding preventive measures for brute-force webmail cracking. If an account has been mistakenly logged on multiple times in a short period of time, the account is considered to have been cracked by brute force. There are generally three preventive measures:

1. disable accounts: Prohibit accounts under brute-force cracking from logging on for a period of time, which is generally 5 to 10 minutes. However, if attackers attempt brute-force cracking, this account has been disabled and cannot log on. As a result, real users cannot access their mailboxes, resulting in DOS attacks.

2. IP address prohibited: Disable the IP address for brute-force cracking for a period of time and cannot use webmail. This solves the problem caused by "disabling accounts" to some extent, but the bigger problem is that, this will inevitably prevent internet users who share the same IP address in internet cafes, companies, schools, and even some man networks from using this webmail. If attackers use multiple proxy address rounds and even distributed cracking attacks, it is difficult to prevent "prohibit IP addresses.

3. logon check: this measure is generally used in combination with the preceding two preventive measures. When Logon is prohibited, the page returned to the client contains a random check string, the user can log on only when the user correctly enters the string in the corresponding input box, which can effectively avoid the negative impact of the above two preventive measures. However, attackers still have the opportunity to extract the validation string from the returned page by developing corresponding tools, and then submit the validation string as the form Element value, then it can form an effective webmail brute-force cracking. If the check string is contained in the image and the image file name is randomly generated, it is difficult for attackers to develop corresponding tools for brute force cracking, yahoo Mail is an outstanding example.

Although webmail brute-force cracking has many preventive measures, it is still difficult to avoid completely. If the webmail system regards five wrong logins within one minute as brute-force cracking, then the attacker will only perform four logon attempts within one minute. Therefore, the prevention of webmail brute-force cracking mainly relies on users to adopt good password policies, such as complex passwords, not the same as other passwords, and regular password changes, it is difficult for attackers to crack the attack.

Iii. Mailbox password recovery
It is inevitable that a user will lose his or her email password. In order to allow the user to retrieve the password and continue using his or her own mailbox, most webmail systems will provide the user with a mailbox password restoration mechanism, allowing the user to answer a series of questions, if the answer is correct, the user will be asked to restore the password of his/her mailbox. However, if the password recovery mechanism is not reasonable and secure, attackers can exploit it to easily obtain others' Email passwords.

The following are the password recovery steps adopted by the password recovery mechanism of many webmail systems. Only when the user answers the correct answers to the questions in each step will the next step be taken. Otherwise, the error page will be returned for each step, attackers have the following opportunities:

Step 1: Enter the account: after entering the password recovery page, the user is first prompted to enter the email account for password recovery. This step is not a problem for the attacker. The email account is the target of the attack.

Step 2: enter your birthday: prompt you to enter your birthday by year, month, or day. This step is also very easy for attackers, and the combination of year, month, and day is very small. With tools such as qingxue, the system can quickly crack the problem. Therefore, it is necessary for the webmail system to take preventive measures against brute-force cracking. In addition, each user must note that the attacker may not come from the other end of the earth, but may be the people around you. Maybe these people want to know the secrets in your mailbox, but they need to find out that your birthday is often a breeze. Didn't you have a birthday party yesterday? Didn't you just hand over a copy of your ID card to the personnel department? Therefore, for mailbox security, do users need to use real birthdays as email registration information, and do users need to enter real birthdays as registration information in the webmail system? This remains to be considered.

Step 3: Answer the question: Ask the user to answer the question you have set. The answer is also the one you have set. In this step, attackers often only rely on guesses. Unfortunately, many users' questions and answers are so simple that they can easily guess, for example, the question is only a knowledgeable question, and the question is the same as the answer. Attackers are more familiar with users and more likely to succeed. For example, if a user asks "Where is your boyfriend?", the attacker is her boyfriend. Therefore, it is critical for a user to set a question as the answer he or she knows, so that the attacker is difficult to succeed. However, do not forget the answer; otherwise, the loss will be worth the candle.

After the preceding steps are completed correctly, the webmail system will allow the user to restore the password of his/her email account. Password recovery methods are different. Generally, there are several methods with different security levels:

1. Return to the page: the user's email password is displayed on the returned page. This makes it easy and easy to handle. However, if attackers get a password, they can use the user's mailbox without disturbing the user, so that attackers can monitor users' mailbox usage for a long time, it brings more security risks to users.

2. Email sending: Send the password to another email address registered during user registration. For attackers who have been busy for a long time, they still get nothing, unless they continue to attack another mailbox. for users, receiving a password from another mailbox is a warning, it indicates that an attacker guessed that his email password was prompted, and forced the user to change his password as soon as possible.

However, if the user is not registered with a correct email address or the email address has expired, it is not only an attacker, but the user will never get the password. Some webmail systems require users to register the correct email address during registration, and send the verification information activated by the mailbox to this email address, however, this still does not prevent users from restoring their mailbox passwords after the mailbox becomes invalid.

3. Password resetting: Ask the user to reset a password. Compared with the "Page return" method, after the attacker resets the password, the user is unable to log on to his or her mailbox and can detect the attack, which is more secure; however, compared with the "email sending" method, the attacker can modify the email password immediately, with a lower level of security.

The password returned by "Page return" or "email" clearly shows that the email system keeps the password of the email account in the database or LDAP server without encryption. This poses a great security risk. webmail system administrators or database intrusion attackers can easily obtain users' email passwords without knowing them. Therefore, in order to increase confidentiality, it is necessary to encrypt the mailbox password and then store it in the database as the ciphertext. It is best to use an irreversible one-way encryption algorithm, such as md5.

Whether the mailbox password recovery mechanism is secure depends on the question raised by the webmail System and the question-and-answer method. For example, you can put forward the questions raised in multiple password recovery steps in one step, this will increase the difficulty of attackers to improve security. Sohu mail, Sina mail, yahoo Mail, and so on are some disappointing examples.

4. malicious HTML mail
There are two formats for Email: plain text (txt) and plain text (html ). Html emails are written in the html language. When you log on to webmail via an html-supported email client or log on to webmail via a browser, fonts, colors, links, images, and sounds are displayed, many spam advertisements are sent in html mail format.

Attackers can access html emails.