Record number
17874
Guide number (this field is for the cataloguing expert; please leave it blank)
17874
Author
Morteza Ansari
Title
Presenting a solution for rendering email spoofing infeasible using header components
Degree level
Master's (M.Sc.)
Field of study
Information Technology Engineering - Computer Networks
Defense date
Shahrivar 1395
Supervisor
Dr. Reza Berangi
Faculty
Computer Engineering
Abstract
Electronic mail, or email for short, is one of the most important Internet services. It is the most widely used of the various Internet services and is relied on for official communications. Hence the reliability of, and trust in, this service, both with respect to the content and text of emails and with respect to the ability to identify the real sender, makes it doubly sensitive. Sending forged and suspicious emails, email bombing and email storms are among the malicious acts based on email, and they have led to crimes such as identity fraud, theft, kidnapping, threats, intimidation, illegal content, obscene content and so on. A considerable share of these offences occurs because of the existing architecture of the email service, which allows people to abuse it. Mechanisms that lead to discovering the real identity of an email sender are the focus of this research. To this end, while closely examining the electronic mail service, its evolution from its inception to the present, and the corrections and revisions that have been made to it, we take a fresh look at the components of the email header that influence successful tracing, so that we can offer an efficient, secure, reliable and defensible solution. The model proposed in this research consists of the effective and useful use of data from within networks and subnetworks, without the intervention or direct will of end users. To this end, we propose adding a field named Adlofil, containing chained location information of random users, to the email header at the stage where the message passes through the subnetwork gateway. The main problem in the current structure of electronic mail is the existence of a header that can be manipulated at generation time on the sender's machine, so that a hacker can easily abuse it to send a forged email. The main advantage of the proposed scheme is that the content of the new field is updated somewhere outside of, and beyond, the hacker's direct reach. Several challenges can be raised regarding this proposal; while examining the most important of them, its feasibility and implementability are evaluated.
Using the Nash equilibrium, we show that the proposed scheme has the required applicability, and with programming at the level of the network layers we test how a datagram passing through the gateway can be manipulated. Finally, a laboratory prototype of the proposed scheme has been implemented.
Keywords: email tracing, email header, Simple Mail Transfer Protocol, email spoofing, mail user agent, mail transfer agent, mail delivery agent.
Data entry date
1396/07/16
Availability date
9/23/2030 12:00:00 AM
Student who entered the data
Morteza Ansari Dogahe
Abstract in English
Abstract:
What we call email today was first invented by 1978. More than 4 billion users use email services, and 70 percent of the emails sent or received every day involve some type of cybercrime. Various types of crime committed by email have targeted the reliability and integrity of this highly common service. Two of the three sides of the C-I-A triad, which covers confidentiality, integrity and availability, are losing their credibility day by day. Statistics show that email services are already a very important tool in the commission of crime. Receiving suspicious emails containing sabotage content, bombing, identity theft, kidnapping, pornography, intimidation, fakes and spoofing are some of the threats that email users deal with.
Every email consists of two parts, the header and the body. The header carries routing and networking information, and the body contains the actual message/data of the email. The header contains several mandatory and optional fields. In order to uniquely identify each email, all mail transfer agents (MTAs) use some sort of unique identifier. Basically, when an email created by a client (called the MUA, for Mail User Agent) is sent, it is routed from server to server. The recipient's MTA then delivers the email to the incoming mail server (called the MDA, for Mail Delivery Agent), which stores the email while it waits for the user to retrieve it. All mail servers have to use common protocols to communicate with each other. To work properly, every mail component must use SMTP, POP3, IMAP or some other standard protocol. Any change in the mail architecture must be confirmed against one of these protocols. The latest RFC that describes SMTP is RFC 5321, released in October 2008. RFC 1425, accepted in February 1993, described a way to extend the services SMTP offers, so that calling clients can ask what services are available on the server.
The information in the SMTP headers is stored in clear text. Hence that information may be easily manipulated. The possibility that the mail headers could have been edited makes the information in the headers unreliable. Editing the mail headers in order to hide or change genuine information is called spoofing.
RFC 821 was made obsolete in April 2001 by RFC 2821. The RFC 2822 standard states that every email must have a globally unique identifier by the name of Message-ID. It also provides the syntax of the message-id and some suggestions for creating a unique identifier. Just like spoofing other header fields of an email, spoofing the message-id is also possible.
SMTP standards must be backwards compatible, which means that services that are not in regular use might not be described in later RFC documents but are expected to remain available.
The format of the trace header is defined in RFC 5322 as the trace rule. The trace header consists of two sub-headers, namely the Return-Path and Received headers. The Return-Path header is used to store the address where error reports should be sent. The Received header stores the delivery path, with a date stamp for each delivery entry. When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.
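As an added example (not from the thesis), the following Python reconstructs the delivery path from the Received trace headers described above and applies two forensic sanity checks: that each hop's "from" host matches the previous hop's "by" host, and that the date stamps do not run backwards. The message, host names and addresses are constructed for illustration; the `trusted_hops` helper encodes the caveat that only lines written by servers the investigator controls are reliable, since everything below them is clear text the sender could have fabricated.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the thesis). Each MTA prepends its own Received
# line, so the header order is newest first; the bottom line is the hop
# closest to the sending host and is the one a forger can write freely.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Tue, 13 Sep 2016 10:05:30 +0000
Received: from relay.example.com (relay.example.com [203.0.113.5])
\tby mx.example.net with ESMTP; Tue, 13 Sep 2016 10:04:55 +0000
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby relay.example.com with ESMTP; Tue, 13 Sep 2016 10:09:00 +0000
From: someone@example.com
To: analyst@example.org
Subject: constructed sample

body
"""

# "from <src> (<info>) ... by <dst>" as used by most MTAs (RFC 5321 clause order)
HOP_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<dst>\S+)", re.I)


def trace_path(raw):
    """Return the Received hops in delivery (chronological) order, oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = re.sub(r"\s+", " ", value)              # unfold continuation lines
        m = HOP_RE.search(value)
        if m is None or ";" not in value:
            continue                                    # not a parseable hop
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({"src": m["src"], "info": m["info"], "dst": m["dst"], "time": stamp})
    return list(reversed(hops))


def check_path(hops):
    """Flag breaks in the chain: a clock that runs backwards, or a hop whose
    'from' host is not the host that wrote the previous 'by' line."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["time"] < prev["time"]:
            findings.append(f"hop {i}: {cur['dst']} stamped earlier than {prev['dst']}")
        if cur["src"].lower() != prev["dst"].lower():
            findings.append(f"hop {i}: from {cur['src']} does not match previous by {prev['dst']}")
    return findings


def trusted_hops(hops, trusted_mtas):
    """Keep only hops written by MTAs the investigator controls; lines below
    the first trusted hop are sender-supplied clear text, not evidence."""
    return [h for h in hops if h["dst"].lower() in trusted_mtas]
```

On the sample, `check_path` reports the bottom hop's stamp (10:09:00) as later than the relay's (10:04:55), the kind of inconsistency that points at a fabricated first hop rather than a real clock skew.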
Since "any digital forensic process must have an outcome that is acceptable by law", investigators have to obtain a chain of information, as a chain of custody, in which every part of the data can be relied on by a court of law. In this regard, the fields that exist in headers, such as Received from, X-Originating-IP and Message-ID, play an important role and are highly necessary to study, but they are not enough.
In this paper we propose a new way to track an email forensically. With some changes to the email header and to the TCP/IP packet header, we implement our new idea. In every law enforcement case study, finding an accused person comes down to one main question: where is the exact location of the accused?
What matters in a law enforcement investigation is to find the location of the accused person. However, in some cases the intermediate devices are used to make the investigation more solid. Through our forensic proposal, investigators can easily find the accused by using a new field in the header of an email together with some changes to the structure of the intermediate gateway routing procedures. The forensics-related information is gathered into a field by the name of Adlofil, into which some highly unique data is extracted from the CPU, MAC address and motherboard of the mail sender. It is a digest of these data that uniquely identifies the sender device. Every intermediate device from sender to receiver adds its own unique data to this digest. In the case of abuse or a criminal investigation of these data, by finding the relation and correlation between them, investigators can establish the truth. Moreover, if an accused person has been framed, this will be shown. Integrity and non-repudiation are two further advantages of using this technique.
Keywords: email tracking, email header, Simple Mail Transfer Protocol (SMTP), email spoofing, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), mail user agent (MUA), mail transfer agent (MTA), mail delivery agent (MDA).