WEBVTT

00:00.000 --> 00:12.000
I have everyone, I'm going to tell you about my two DMARC Rooney, which analyzes DMARC reports.

00:12.000 --> 00:23.000
I love if you might know about DMARC. Some probably more than me, but just to make sure that we're on the same page.

00:23.000 --> 00:29.000
I would like to say that DMARC is a standard that allows you to monitor the deliverability of your email.

00:29.000 --> 00:37.000
By adding one or two lines in the DNS zone file, you should start getting XML reports from each domain you or someone's moving you as contact with.

00:37.000 --> 00:41.000
At least the mother ones that adhere to the standard.

00:41.000 --> 00:49.000
There are two types of DMARC reports. You can ask for forensic reports. They give you information about the emails that didn't get delivered.

00:49.000 --> 00:54.000
And there are aggregated reports, and they are what I'll be talking about today.

00:54.000 --> 01:01.000
These aggregated reports contain information about the amount of email sent, divided by each IP address.

01:01.000 --> 01:08.000
But they also say how many of them passed the DMARC, the total reporting period, and if they got delivered or not.

01:08.000 --> 01:15.000
They all start by adding a DMARC policy to your DNS.

01:15.000 --> 01:22.000
These policies instruct people about what you want to happen with your mail when it hits their server.

01:23.000 --> 01:29.000
DMARC is just about reporting. The heavy lifting is done by two other standards, namely SPF and DKM.

01:29.000 --> 01:32.000
SPF allows you to whitelist IP addresses.

01:32.000 --> 01:38.000
If any emails are sent from these IP addresses, the receiver may assume that it is use sending them an email.

01:38.000 --> 01:44.000
Obviously this regarding broken implementations that were available to SMTP smuggling.

01:45.000 --> 01:51.000
DKM is a much more recent standard that follows another form of logic.

01:51.000 --> 01:57.000
The receiver can check if the email they received really came from you because it carries cryptographic signature.

01:57.000 --> 02:06.000
These two are complementary, SPF restricts when aware in the network emails can come from, and DKM provides a proof of origin on the envelope.

02:06.000 --> 02:13.000
They break in a different way, and so you want to have both act as each others fall back.

02:13.000 --> 02:22.000
If your email does not carry your signature and it doesn't come from one of your own email server address, you probably don't want anybody thinking you actually sent it.

02:22.000 --> 02:25.000
That is why you need to add a DMARC policy.

02:25.000 --> 02:29.000
The first policy is none, in other words, do nothing.

02:29.000 --> 02:33.000
This is the dry run, you turn on just because you start getting serious.

02:33.000 --> 02:40.000
You start getting all the reports to monitor your email traffic until you are 100% certain that everything is configured right.

02:40.000 --> 02:45.000
All emails should be accepted, whether they are positive and SPF or not.

02:45.000 --> 02:54.000
None means that you are still really found the world of spoofing and run the risk of large spam, and malware being sent from your domain name.

02:54.000 --> 03:00.000
The next policy, guaranteeing, instructs recipients to guarantee the email.

03:00.000 --> 03:07.000
What guaranteeing actually means is not well defined, it can be a custom implementation at a two-folder names spam or something else.

03:08.000 --> 03:14.000
To reject policies, says that any receiver should just outright reject any emails not passing the email or SPF.

03:14.000 --> 03:17.000
This is where you ideally want to be.

03:17.000 --> 03:29.000
To make sure that you can switch to these policies, to a guaranteeing or reject policy, you want to make sure that the emails you sent yourself pass both the email and SPF.

03:29.000 --> 03:36.000
For this, you want to analyze the reports sent to you by your context, but nobody wants to read all raw XML files themselves.

03:36.000 --> 03:39.000
This is where my project fits in.

03:39.000 --> 03:50.000
Before I started working on day macaroni, I couldn't find any false tooling to analyze and visualize this data well.

03:50.000 --> 03:58.000
There was one really basic tool, but it just didn't written in Python, but it just didn't have the features needed.

03:58.000 --> 04:05.000
And there are some proprietary tools, but that would mean that you would need to send access to your data about all the people you sent emails to.

04:05.000 --> 04:10.000
How often do you do, and who might be trying to impersonate you.

04:10.000 --> 04:12.000
So that's why it is needed for the ecosystem.

04:12.000 --> 04:19.000
People running their own mail infrastructure should be able to locally run the tool, giving them insight into the deliverability of their own emails.

04:19.000 --> 04:27.000
But I would also like to tell you why I started working on this because I noted it doesn't sound like a sexy subject that the students would randomly get into.

04:27.000 --> 04:35.000
Our family is pretty technology technology, technology savvy, and we use our own vanity domain name to keep our email independent from ISPs.

04:35.000 --> 04:43.000
You don't want people to not be able to contact you when you want to switch internet service providers, and using Gmail or Outlook is not something that is an option for us.

04:44.000 --> 04:48.000
Our DNS, also has a nice feature where emails forwarded in its traditional manner.

04:48.000 --> 04:53.000
That setup has been in place since before my birth and predates SPF.

04:53.000 --> 04:59.000
Almost two years ago, I applied for the Bachelor of Computer Science and Engineering in ANT over.

04:59.000 --> 05:06.000
In the Netherlands, this is a numbers fixed study, meaning that there are only a limited amount of spots that you need to take in entry exam.

05:06.000 --> 05:10.000
But to my initial application, I didn't hear anything back from them for a few weeks.

05:10.000 --> 05:16.000
I knew they needed some information for me, but I had already provided that the year before.

05:16.000 --> 05:22.000
I did get regular messages from the university about all kinds of other matters, so I had no reason to doubt my setup.

05:22.000 --> 05:26.000
As you know, only a five minutes left, and so some about the tool.

05:26.000 --> 05:31.000
So it turned out they sent me emails, they got in my currency folder.

05:31.000 --> 05:37.000
I didn't reply, and I got rejected, so I wanted to show them.

05:37.000 --> 05:41.000
I didn't get allowed to make the exam.

05:41.000 --> 05:52.000
So I thought if I would make a tool that shows them that they're email, they're sending.

05:52.000 --> 05:57.000
There's not a peeking on it and didn't arrive at my place.

05:57.000 --> 06:02.000
They might still want me in the program, but they didn't in the end.

06:02.000 --> 06:07.000
I'm studying Electropet Engineering now.

06:07.000 --> 06:17.000
Luckily, yeah, I got a grant from as the end funds to work for furthering this.

06:17.000 --> 06:20.000
So I got to work.

06:21.000 --> 06:23.000
I started with the server side.

06:23.000 --> 06:31.000
It written in the Haskell, which is a functional language and type save.

06:31.000 --> 06:36.000
And it looks a lot like Matt, so it seems perfect to easily manipulate large sets of data.

06:36.000 --> 06:40.000
And it is the first language that I learned so it was easy for me.

06:40.000 --> 06:44.000
The server currently is a command line tool with a dog config file.

06:44.000 --> 06:48.000
There are different types of input you can give it to, although I would like to add also.

06:48.000 --> 06:51.000
I'm at the top three support.

06:51.000 --> 06:57.000
You will end it your raw XML reports or mail files and then it validates the supplied XML with the

06:57.000 --> 07:02.000
Relex and G schema as some big players like Google didn't perfectly comply with the standard.

07:02.000 --> 07:05.000
So I also wrote a more relaxed schema.

07:05.000 --> 07:07.000
Then I aggregate all the data on different levels.

07:07.000 --> 07:09.000
There's an overview level.

07:09.000 --> 07:11.000
There's info per domain and info per report.

07:11.000 --> 07:17.000
I'm at the given IP address to ASN numbers, which basically are their service providers.

07:17.000 --> 07:22.000
And the application, so you can also get information about the place people are moving from.

07:22.000 --> 07:27.000
The tool internally starts the data as XML, but like I said, it can also output in different formats.

07:27.000 --> 07:35.000
Currently, it does XML JSON and CSV, but it's fairly easy to extend that.

07:35.000 --> 07:40.000
Then I wrote a client in L, which is another type save functional programming language inspired by Haskell,

07:40.000 --> 07:43.000
but focused on designing user interfaces.

07:44.000 --> 07:51.000
What's nice is that you write clean functional code and it compiles down to the JavaScript ready for the browser.

07:51.000 --> 07:55.000
It's a weapon that allows you to drill down the data via tables, graphs, and pie charts.

07:55.000 --> 08:00.000
The functionality is currently still focused on analysis of the deliverability.

08:00.000 --> 08:05.000
I definitely don't think that one tool will cater for all needs and use cases.

08:05.000 --> 08:10.000
Certainly there are people with much more experience writing slick front and stemmy.

08:10.000 --> 08:13.000
That's why I split the server part and the client part.

08:13.000 --> 08:17.000
It would be really nice to see other people creating their own clients.

08:17.000 --> 08:20.000
And of course, doing it in a language of choice.

08:20.000 --> 08:25.000
If anything is needed for that on the server part, a different output format, please let me know.

08:25.000 --> 08:28.000
And of course, veggies are welcome.

08:28.000 --> 08:33.000
Then there is more stuff I would like to see happening.

08:33.000 --> 08:38.000
Next to me learning how to make a better UI and smarter ways to visualize the data.

08:38.000 --> 08:45.000
I also want to make a separate panel focus on spoofing because it should be possible to map our hosters to abuse addresses

08:45.000 --> 08:49.000
that the people can easily contact relevant parties if they need to act on some attack.

08:49.000 --> 08:55.000
I also think it could be insightful to see which domain certain attackers interested in.

08:55.000 --> 08:59.000
Are these random other people or important clients, players or personal friends?

08:59.000 --> 09:06.000
Another roadmap item is to incorporate forensic reports in my analysis because they can provide useful find-grained information

09:07.000 --> 09:10.000
about emails that didn't get delivered.

09:10.000 --> 09:17.000
And I want to write more extensive documentation, of course, and make a desktop mobile at so people can access the relevant information more easily.

09:17.000 --> 09:22.000
Lastly, being able to send notification when something is going wrong, for example, emails not arrived,

09:22.000 --> 09:27.000
which should be or an attack taking place, I think would be useful.

09:27.000 --> 09:31.000
And there could be more logic on this side as well.

09:31.000 --> 09:40.000
I currently analyze things, but automatically flagging trusted sources when your SPF record change or suggesting things like white listing certain IP address

09:40.000 --> 09:49.000
when it consistently passes decam, but it's included in the SPF record might be useful.

09:49.000 --> 09:52.000
Yeah, thank you all very much for listening.

09:52.000 --> 09:55.000
This is all I have to say about you, Mark Rowley for today.

09:55.000 --> 09:59.000
Please check it out at get.isroot.org-alloners.

09:59.000 --> 10:03.000
Once you've returned home safely, you're also my contact details.

10:03.000 --> 10:08.000
If you want to reach me, I hope the name D.Mart Rowley is annoying enough to be memorable.

10:08.000 --> 10:11.000
And it's false software.

10:11.000 --> 10:15.000
So if you think someone you know could benefit to refer them to me.

10:16.000 --> 10:20.000
Once more, thank you as the end funds for the grant.

10:20.000 --> 10:23.000
The people at the end loves for their valuable advice.

10:23.000 --> 10:30.000
The people at Plotterman Internet stand there, I know which I see a 4-4 already giving some more support and talk to me.

10:30.000 --> 10:37.000
And Google the omet Procalix for providing me with VMs for testing the infrastructure.

10:37.000 --> 10:43.000
And the authors of D.Mart with their standard almost earning 10 years old next month.

10:43.000 --> 10:46.000
So thank you very much.

10:46.000 --> 10:51.000
Thank you very much.

10:51.000 --> 10:54.000
Thank you very much.

10:54.000 --> 10:56.000
Thank you very much.

10:56.000 --> 10:58.000
Thank you very much.

10:58.000 --> 10:59.000
Thank you very much.

10:59.000 --> 11:01.000
Thank you very much.

11:01.000 --> 11:03.000
Thank you very much.

11:03.000 --> 11:05.000
Thank you very much.

11:05.000 --> 11:06.000
Thank you very much.

11:06.000 --> 11:07.000
Thank you very much.

11:07.000 --> 11:09.000
Thank you very much.

11:09.000 --> 11:11.000
Thank you very much.

11:12.000 --> 11:21.000
So the question is, if the question is what an acceptable failure rate would be if it's 1% or 5% or something else.

11:21.000 --> 11:32.000
I think I should have decided it depends on who is who uses the tool.

11:32.000 --> 11:37.000
Like for me personally, if 1% is derived, I wouldn't bother.

11:37.000 --> 11:42.000
If 3% is derived, I also might find it okay.

11:42.000 --> 11:48.000
But if I need to send out really important emails, I would want to make sure they arrive.

11:48.000 --> 11:51.000
So that's why the analysis per domain is useful.

11:51.000 --> 12:00.000
So you can actually flag clients or context that are important to you and make sure that all the emails to them arrive.

12:00.000 --> 12:03.000
Yes?

12:03.000 --> 12:06.000
Well, that's a question.

12:06.000 --> 12:07.000
Okay.

12:07.000 --> 12:09.000
Well, yeah, that is.

12:09.000 --> 12:11.000
I have a question.

12:11.000 --> 12:17.000
Like, he won't use the only report when he was about lying on duty, but that is serve or where

12:17.000 --> 12:19.000
you're sending you to.

12:19.000 --> 12:25.000
But if for some reason, but he won't get lost in transit or you're dispelting the main or whatever.

12:25.000 --> 12:28.000
Is there anything that you would like to see happen?

12:28.000 --> 12:37.000
I would like to see if I would like to see if I would like to make an email for whatever reason doesn't

12:37.000 --> 12:39.000
be released and then serve.

12:39.000 --> 12:50.000
So the question is that if the email doesn't arrive at the other person's end, if there would be a possible solution to defend that.

12:50.000 --> 12:52.000
Or to gain insight.

12:52.000 --> 13:02.000
I think working together with an email server, like Staubert or Mox maybe, could be useful to see the outgoing email on the report you get back.

13:02.000 --> 13:10.000
So you can actually see if they also reported on the emails you sent, especially for important clients this would be.

13:10.000 --> 13:12.000
I think we have a direct report.

13:13.000 --> 13:15.000
I don't know what you have to say.

13:32.000 --> 13:35.000
I thought about that.

13:35.000 --> 13:40.000
Okay, do I verify the email reports coming in?

13:40.000 --> 13:42.000
I don't fully yet.

13:42.000 --> 13:45.000
There are some small mechanisms I check.

13:45.000 --> 13:58.000
If the sender matches the sender in reports and if the, like seeing if the report is valid at least, make sure you don't get any information breaking your system.

13:58.000 --> 14:03.000
But I would like to add more verification at the front end.

14:04.000 --> 14:12.000
So just, yeah, I'd like to know if this is simply related to an unsolicited perception of the mark reports, which are an external document.

14:12.000 --> 14:13.000
Yeah, I'm sorry.

14:21.000 --> 14:27.000
Yeah, that, it is needed, but it's currently not any tool yet.

14:27.000 --> 14:29.000
But I will look into it after first.

14:30.000 --> 14:31.000
Thank you.

14:33.000 --> 14:36.000
We are in tracing email that doesn't arrive.

14:36.000 --> 14:40.000
This was the topic at the idea about 20 years ago.

14:40.000 --> 14:48.000
We started in RFC 388, which then, very much didn't get implemented.

14:48.000 --> 14:58.000
It's a very nice standard, not all that it goes to the internet, but people who cared about it didn't care enough to actually go to the internet.

14:59.000 --> 15:00.000
She happens.

15:00.000 --> 15:01.000
Okay.

15:01.000 --> 15:03.000
So maybe just for the microphone.

15:03.000 --> 15:04.000
Yeah.

15:04.000 --> 15:05.000
What was the option?

15:05.000 --> 15:06.000
388.

15:06.000 --> 15:07.000
388.

15:07.000 --> 15:08.000
388.

15:08.000 --> 15:09.000
388.

15:09.000 --> 15:11.000
It's an RFC.

15:11.000 --> 15:14.000
I don't think it's green, but 388.

15:14.000 --> 15:16.000
I don't think it's green, but 388.

15:16.000 --> 15:17.000
Thank you.

15:17.000 --> 15:18.000
Thank you.

15:18.000 --> 15:19.000
All right.

15:19.000 --> 15:20.000
Thank you.

15:20.000 --> 15:21.000
Thank you.

15:21.000 --> 15:22.000
Thank you.

15:22.000 --> 15:23.000
Thank you.

15:23.000 --> 15:24.000
Thank you.

15:24.000 --> 15:25.000
Thank you very much.

15:29.000 --> 15:30.000
Thank you.