more mailserver fun

I’m still working through my quarantine folders. There are about 300 emails in each folder, and there are 62 folders. The folders are named 0-9, a-z, and A-Z. I don’t know why SpamAssassin / Amavisd on Debian does it that way, but it does.

Anyway going through them one at time with zless, and then rm was a bit of a pain. So I wrote a quick little one-liner to help:

The problem is, not all of the files are in gzip format, so it didn’t display those. And going in and out of the page system for Less was an annoying flash between the pager system and the normal terminal output.

So I improved it, using zcat, because I had some issues with zgrep not supporting some grep switches, like recursive.

Now it didn’t launch the pager, so no flashing. The second thing it did was give me just the To, From, Subject, and Date fields, and I could decide to delete or not based on block of info provided. Downside was it still didn’t handle the non-gzip files.

So when I got up today, I thought why not create a shell script to do this. And I can add in the feature to release false positives that SpamAssassin put in the folders.

So I now have a Mail Administration script in my DFIR repository on GitHub, that will check if it is gzip or not. Use the right form of grep, show info, and ask what to do with the file, release or delete (or nothing if you don’t use r or d as the answer).

Still some minor issues with the script:

  1. Must be ran as root, or someone else that has access to the virusmail sub-directories. in my case that means root since the mail accounts have /bin/false set up for shells.
  2. To be more portable it has to be called from spam sub-directory. In my case spam is in /var/lib/amavis/virusmails/. Which means I have to go there, and then in to one of the 0-9, a-z, or A-Z directories first. Like so:

     
  3. I still have 300 or so emails in each folder so I’d rather work 1 folder at a time right now to clear them.

Future plans for the script:
Ask the user where their spam folder is, so the script can be called outside of those folders, and enumerate all the sub-folders.

I also have to find out if the 0-9a-zA-Z is the same for all versions of software or if that is just a Debian thing.

SPF, DKIM, DMARC, and ADSP

For a while now, I’ve been having problems with DKIM. It wasn’t working. My logs always had the same error:

And I’d look for a fix but never find anything useful.

Today I decided to go through my mail quarantine folders. In them I found several emails from a friend who is having problems with spammers using his email address. None of them are going through his mail server, they’re all spoofed. We’ve compared our SPF records and they look right. So I went and looked up why I’m seeing all these mails.

Turns out that not all mail admins have set up their servers right to look at SPF and block. That was my problem.

So I went and found a howto for my operating system to fix SPF with my Mail Transfer Agent (MTA). The document, provided by my VPS hosting provider, had how to set up SPF, how to configure my MTA to quarntine emails that fail SPF, a DKIM walk through, a ADSP howto, and a DMARC howto, all on the same page.

First things first. I fixed the SPF inbound. Now it should do the stuff it needs to. Then I figured since I still had time, I’d go after the DKIM problem.

So I backed up my existing files and followed along. AND NOTHING WORKED!. Still the same problem. Heck even the same error message.

So an

later and I started completely fresh. Nothing old, not even the old backup files.

And it still didn’t work. sysctrl status -l opendkim.service and journalctrl -xe were not much help either. Neither one gave enough information on what was wrong.

I did some searching through the logs, and found that even after changing the port to a local socet for Milter it still couldn’t work. But this time I found that it couldn’t see the files, and searching the directory that local socket should be in, it wasn’t there. After much googling I found an old bug report for Debian (my OS of choice). If the socket and pid files were missing, do this:

And suddenly everything was working. I sent test emails to test services, and they seem to be working. At least they told me that everything works.

Then I went why not and set up the ADSP and DMARC stuff in DNS.

Really just happy to get past the problem where dkim isn’t working. Now to go finish clearing out the quarantine files.

The Road Home book review.

As I said in a previous blog post, I’m kicking myself for not having spent more learning about Emcomm, and have gotten some books to help me learn. Again I’m starting small and simple, at the personal level and moving up to larger.

The second book I read, was also by Andrew Baze (Amazon affiliate link) . This one is called The Road Home (Amazon affiliate link). This is a teen / young adult novel on the basics of prepping, with a heavy focus on Ham Radio. While I agreed with some of the stuff covered, I didn’t agree with all of the ways the characters were portrayed.

Continue reading

Personal Emergency Communications book review.

After Hurricane Maria hit Puerto Rico, and the U.S. Virgin Islands, the ARRL asked for volunteers. They were relaying the request from the American Red Cross. I wanted to volunteer, but I lacked all the requirements. I never used WinLink and I haven’t done much HF work. In fact the only HF work I’ve done was at Field Day 2 years ago. Though I am familiar with the National Traffic System and have even successfully sent traffic to the West coast, and got a response back through NTS. But my experience wasn’t good enough, so I thought I’d fix that.

TL;DR: Read Personal Emergency Communications (links below the fold), by Andrew Baze. It was good book.

Pros: It was well thought out, and taught me a few things I didn’t previously know. It also gave me some ideas of where to fix my own emergency planning, outside of communications and introduced me to things I didn’t have in the last power outage I went through.

Cons: It is a little dated, and I would really like to see an update to some sections. Such as eXRS and scanners.

The information is still great. It gets someone thinking about comms and how they matter. A lot of what is discussed here, could easily be carried over in to non-emergency situations and improve company communications during cyber incidents. Especially focusing the items in the first section of the book, such as knowing who to call, and having a calling clock as to when to call them.

Read below for a more in-depth review

Continue reading

Book Review: Extreme Ownership: How U.S. Navy SEALs Lead and Win

After reading about Pirates, I decided to read a little something on leadership. The book I grabbed was Extreme Ownership: How U.S. Navy SEALS Lead and Win by Jocko Willink and Leif Babin (Amazon affiliate link). The book is by two SEALs that worked together in Iraq came back back to the U.S. and started their own Leadership consulting firm.

The key concept is willing to take ownership of not just the successes but also the failures. The key example is the commanding officer, Jacko Willink, “publicly” accepting a horrible failure of a mission, as the ultimate owner of the failure even though several others who made mistakes offered to take the blame. At the the end of the mission it was him not making sure everything was done right that caused the problem, and he owned knowing it could cost him his career.

There are were other things covered. Topics through the book included planning. Keeping the plans simple. Empowering the teams to be able to decentralize their command structure. Lead from the top down and the bottom up. Having disciplined Standard Operating Procedures, that allowed the team in the combat zone the freedom to adjust to the current situation.

The biggest take away though was one scene when Lief Babin was involved in Hell Week, part of SEALs training. The section was on “there are no bad teams, just bad leaders”. The SEALs leading HELL week as trainers showed this by swapping the leaders of the winning and losing race teams. The leading one brought the losing team up to challenge his old team every race after.

The trick was setting way points in the course, and pushing them to each one. Don’t worry about the course as a whole, just the next goal, and let that build to the end.

The other thing I liked about the book, it would show the concept of the chapter in the battle area, broken down in principle, and then finished in a business environment.

The authors at the end said there is nothing really new in the book, just a new way of looking at the concepts. I know I followed some of the concepts in the past, and I picked up a few new ones to go forward with.

One I’ve put in to practice already is the concept of way points. While that wasn’t the goal of no bad teams just bad leaders, it did stick out. I’ve put it in to practice with my classes. While there is still a lot to go, I just have to go from way point to way point, and not worry about the next way point until I get to the one I’m heading for now. I don’t have to worry about the Degree at the end of my current program. Just the last 2 classes before I get to the degree. Of those, I only have to worry about the current class I’m in. Id on’t have to worry about all 12 weeks. Just the week I’m in. And break that week down in to manageable segments.

It really has lifted some of the stress I was feeling.

* Update 2024-10-01: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.

Book Review: Under the Black Flag

I recently read Under the Black Flag by David Cordingly (Amazon affiliate link) it was an interesting book.

It’s a book written in the 90s looking at the history of pirates during the golden age. It talked about some of the romantic myths that raised up around the golden age, and how those myths came to be.

The book shows how pirates lived and died, the difference between Privateers and Pirates. How the line between the two types could be blurred. And, what eventually lead to the down fall of the golden age of piracy.

The most interesting case, though one of the smallest in the book was Captain Kidd. Who was commissioned as a Privateer (complete with letter of Marque), crossed in to Piracy to appease his crew, and paid the price for it at the end. The political intrigue was a nice twist in the rope too.

What really lead to the end of the golden age of piracy was Hunt Teams (multiple ships hunting the pirates down), clemency (though some pirates went back to their former ways),  and visible reminders in ports of what happened to captured pirates. Countries not being at war led to some of the downfall too.

But the thing is, things had to change before piracy ended. The defenses put up around ports and along the gold trails didn’t do much to stop or deter the Privateers or Pirates going for the gold. For example, Henry Morgan’s attacks on Porto Bello, even though there were 3 castles protecting the place, it still fell to Morgan.

Ships carrying arms didn’t do much either, other than anger the pirates. It wasn’t until Naval vessels put on acts as either other Pirate Ships, or as merchant ships, that having armed sea going ships mattered.

The book did give some interesting history lessons, and gave some ideas that could be re-applied to cybersecurity to secure the Net Today. Think of the Internet as the Sea, and hackers as villainous pirates.

I also know I’m not the first person in InfoSec to read the book and draw some parallels between our industry and the Golden age of piracy. Adam Hogan talked about this a few times. I saw his talk at Bsides Columbus in 2017.

While a history book on pirates, it does give some ideas as to how to change how we’re doing InfoSec today. It was worth the time it took read, and gave some interesting thoughts on how to deal with the problems InfoSec faces today.

* Update 2024-10-01: changed to Amazon Affiliate Link, which I earn a commission from qualifying purchases.

Validate data, before sharing.

I’m going to have to add a couple more slides to my Threat Intelligence: From Zero to Basics deck. But I told GrrCON that I would have an updated deck from Circle City Con anyway.

Over the last two weeks I’ve seen some stuff shared publicly in Threat Intelligence Platforms, that really shouldn’t have been. The data wasn’t valid, at the time of sharing.

Continue reading

One of the differences between college and real life (bias in speaking)

Last talk I have, I expected audience participation, because I asked for it. I failed the audience. I know how to improve the talk for last time.

What was my bias that lead to me failing the audience? I’m used to participation being part of my grade, and having to participate. Others in classes were the same way. Yes we had some that barely participated. But usually half the class did.

Because that’s what I was used to in college class setting, that’s what I expected at a conference talk. The result was I failed my audience with expectations that I shouldn’t have put on them.

Script(s) to extract HTTP Host data from file

A while ago, created a new repository on GitHub for the scripts I wrote for DFIR. Since then, it only had the Computer Ping script in it. Today I added the first of the Extractor scripts.

The first extractor script, xHttpExtractor.py came about from a web based tool I used. It would run on a file uploaded to it, and then list a bunch of indicators, system artifacts, url calls outs, network communication, etc. However the tool didn’t have a good export mechanism at the time. So I would copy and paste everything to a text file, and then extract the url host details from the text files. Mainly so I could add the URL indicators to the web proxy.

Continue reading

Different ways to use TOR

While catching up on SANS’ Internet Storm Center Storm Cast during my drive, I heard this episode. In it Johannes Ullrich was mentioned this article about using DRM Decloaking TOR users. Short version, users running the Tor Browser Bundle click a link, and Microsoft Windows launches the media player not using the TOR network, exposing the user’s real IP address.

This attack could be mitigated by using TAILS or something else that forces all traffic through TOR. Which made me think I should share all the ways I use TOR.

Continue reading