Webmail Security Tutorial

A, mail address deception

e-mail address spoofing is very simple and easy, with an attacker targeting the user's e-mail address, taking a similar e-mail name, and configuring the sender name in the webmail mailbox configuration to be the same as the user's sender name (some webmail systems do not provide this feature), Then posing as the user to send e-mail, when others receive the message, often do not from the e-mail address, the message of the first class to do a careful check, from the sender's name, the content of the message and so on above see no strange, mistaken truth, the attackers to achieve the purpose of deception. For example, a user's e-mail name is Wolfe, and an attacker will cheat by taking similar e-mail names like W0lfe, Wo1fe, Wolfee, and Woolfe. While the free lunch is getting worse, many users are using a free email address, and by registering, an attacker can easily get similar e-mail addresses.

People usually assume that the e-mail address is the sender's address, but in fact, the sender address and the reply address are clearly defined in RFC 822, and users who are familiar with the e-mail client will understand this, when configuring account properties or composing messages, You can specify a reply address that is different from the sender's address. Because when a user receives a message, although the sender's address is checked for authenticity, the reply is not carefully checked when replying, so, if used with SMTP spoofing, the sender's address is the e-mail address of the user to attack, and the reply address is the attacker's own e-mail address. This makes it more deceptive to trick someone into sending a message to an attacker's e-mail address.

The so-called harmful heart can not be, the heart of the people can not be, in view of the easy realization of e-mail address spoofing and the danger, we have to always beware, lest deceived. For webmail systems, service technologies such as message header content checking, SMTP authentication (if the messaging system supports SMTP) are necessary to minimize the harm caused by e-mail address spoofing. For the mail users, it is very important to check the email address, the sender's IP address, the reply address and so on.

Second, webmail violent crack

The interaction between client and server on the Internet, basically by the client in the form of submission to the server program (such as CGI, ASP, etc.) processing to implement, webmail password authentication is so, the user in the browser form elements entered account name, password and other information and submitted, The service side verifies it, if correct, welcome the user to enter own webmail page, otherwise, return an error page to the client.

In this, the attackers with some hacker tools, and constantly try to login with different passwords, by comparing the return of the page similarities and differences, so as to determine whether the mailbox password cracked successfully. There are a number of tools to help attackers complete such brute force cracking, such as Wwwhack, Banyan Snow, and so on, especially the function of the most powerful, it is already a full-featured browser, through the analysis and extraction of the page form, to the corresponding form elements hanging dictionary file, Then determine if the crack was successful based on the error flag returned after the form was submitted.

Of course, we also see that the web detectors such as webmail, you can detect not only the password, such as forums, chat rooms and so on all the authentication through the form of the account password can be detected.

For the webmail of violence, many webmail systems have taken corresponding precautionary measures. If an account is incorrectly logged in for a short period of time, the account is considered to be violently cracked, and the precautionary measures are generally as follows: three.

1, disable the account: The brute force to break the account is prohibited for a period of time to log in, usually 5-10 minutes, but if the attacker is always trying to brute force, then the account has been in a disabled state can not log on, resulting in real users can not access their own mailboxes, thus creating a Dos attack

2, prohibit the IP address: The brute force to crack the IP address ban for a period of time can not use webmail. This solves the problem of "disabling an account" to some extent, but the bigger problem is that it is bound to cause users who share the same IP address in Internet cafes, companies, schools and even some metropolitan areas to access the Internet without using the webmail. If an attacker uses multiple proxy addresses, or even a distributed crack attack, the "Prohibit IP address" is difficult to prevent.

3, Login inspection: This kind of preventive measures generally with the above two preventive measures combined with the use, in the prohibition can not log in at the same time, returned to the client page contains a random test string, only the user in the corresponding input box correctly entered the string in order to login, This will effectively avoid the negative impact of the above two kinds of preventive measures. However, attackers still have the opportunity to develop the appropriate tool to extract the return page of the test string, and then the test string as a FORM element value submission, then can form an effective webmail brute force. If the validation string is contained in a picture, and the file name of the picture is randomly generated, then it is difficult for an attacker to develop the tools to brute force, and at this point, Yahoo email is an excellent example.

Although Webmail's brute force has many precautions, it is hard to avoid altogether, and if the webmail system makes five false logins in one minute a brute force, the attacker would have only four logon attempts in a minute. Therefore, the prevention of webmail violence is also mainly rely on the user to adopt a good password policy, such as the password is complex enough, not with the same password, password changes, such as regular, so that attackers can not be violent to crack success.