Author Archives: stephenmxtoolbox

DNSSEC Root Zone Key Signing Key (KSK) Rollover

What is it?

The KSK is a public-private key pair that allows the DNSSEC protocol to secure your DNS information. The public part of the key is the starting point for DNSSEC queries, similar to how the root servers are the starting point for DNS queries. The private part of the key is used by Verisign to sign the Zone Signing Keys in the DNSSEC signing of the root zone.

What does that mean?

If you’re not using DNSSEC then you don’t have anything to worry about. DNSSEC is an additional security measure that can be taken to secure your DNS information and verify that your domain is actually yours. If you’re not sure that you’re using DNSSEC then you likely are not using it. You could ask whoever is responsible for your DNS to find out for sure.

If you are using DNSSEC then you will need to create a new key pair and retire your current key pair so that DNSSEC will keep functioning. This will be done automatically for you if you are supporting RFC5011 (https://tools.ietf.org/html/rfc5011). Otherwise, you will need to manually update the trust anchor at http://data.iana.org/root-anchors/ and you can find information about testing your configuration at https://www.icann.org/en/system/files/files/ksk-rollover-external-test-plan-22jul16-en.pdf
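For operators who update the trust anchor by hand, the following added example (not MxToolbox or IANA code) parses a file in the RFC 7958 layout used by `root-anchors.xml` and keeps only the key digests valid at a given time, which is the decision that changes during a rollover. The embedded XML is constructed: its key tags, dates and digests are placeholders, not the real root values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the RFC 7958 layout used by root-anchors.xml.
# Key tags, dates and digests are placeholders, not the real root values.
SAMPLE_ANCHORS = """
<TrustAnchor id="CONSTRUCTED" source="constructed-sample">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2010-01-01T00:00:00+00:00"
             validUntil="2019-01-01T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm>
    <DigestType>2</DigestType><Digest>PLACEHOLDER-OLD-DIGEST</Digest>
  </KeyDigest>
  <KeyDigest id="new" validFrom="2017-01-01T00:00:00+00:00">
    <KeyTag>22222</KeyTag><Algorithm>8</Algorithm>
    <DigestType>2</DigestType><Digest>PLACEHOLDER-NEW-DIGEST</Digest>
  </KeyDigest>
</TrustAnchor>
"""

def valid_anchors(xml_text, at):
    """Return DS-format lines for every key digest valid at time `at`."""
    root = ET.fromstring(xml_text.strip())
    zone = root.findtext("Zone").strip()
    lines = []
    for kd in root.findall("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")  # absent: no retirement scheduled yet
        if at < start or (until and at >= datetime.fromisoformat(until)):
            continue
        fields = [kd.findtext(tag).strip()
                  for tag in ("KeyTag", "Algorithm", "DigestType", "Digest")]
        lines.append("{} IN DS {}".format(zone, " ".join(fields)))
    return lines

if __name__ == "__main__":
    # Before, during and after the overlap window of the two sample keys.
    for year in (2016, 2018, 2020):
        when = datetime(year, 6, 1, tzinfo=timezone.utc)
        print(year, valid_anchors(SAMPLE_ANCHORS, when))
```

During the overlap window both anchors are returned, so a validator configured from this output accepts signatures from either key until the old one reaches its `validUntil` date.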

MxToolbox Resources

MxToolbox has all the DNS and DNSSEC tools you need to help you through this transition. We have everything from basic DNS lookups, to DNSKEY, NSEC and IPSECKEY lookups, to comprehensive domain research tools like Investigator. You can even validate your DNS Cert or HTTPS Certificate. All of these tools are easily accessible from our Network Tools page.

Additional Resources:

https://www.icann.org/news/blog/dnssec-rolling-the-root-zone-key-signing-key

https://www.icann.org/resources/pages/ksk-rollover

The Status of SpamCannibal

We have temporarily removed SpamCannibal from the list of the over 100 blacklists we check when you use our service.  This means that it will temporarily not appear during searches.

Why?

For approximately the last week, SpamCannibal has failed to resolve in DNS and failed to respond to other queries.  For the moment we are treating it like a temporary outage and simply suspending use of it while we wait for more information.

Typically, when a blacklist goes down permanently, they let everyone know by blacklisting the entire world.  This has not happened.  Instead, we simply stopped receiving status from queries and DNS now times out for the site.  No public announcement has been made, so we are assuming that the outage is temporary until we get more information.
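The failure modes described above can be told apart with the two test entries RFC 5782 requires of every IPv4 DNSBL: 127.0.0.2 must be listed and 127.0.0.1 must not be. The following is an added example, not MxToolbox's implementation; the zone name `dnsbl.example` and the stub resolvers are constructed, and the DNS lookup is injected as a function so the logic runs offline.

```python
import ipaddress

ZONE = "dnsbl.example"  # constructed zone name, not a real blacklist

def dnsbl_name(ip, zone=ZONE):
    """Query name for an IPv4 address: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def probe(resolve, ip, zone=ZONE):
    """'listed', 'clean' or 'timeout'. `resolve(name)` is an injected
    lookup: A records as a list, [] for NXDOMAIN, TimeoutError if silent."""
    try:
        return "listed" if resolve(dnsbl_name(ip, zone)) else "clean"
    except TimeoutError:
        return "timeout"

def zone_health(resolve, zone=ZONE):
    """Self-test of the zone using the RFC 5782 test entries."""
    must_list = probe(resolve, "127.0.0.2", zone)
    must_not_list = probe(resolve, "127.0.0.1", zone)
    if "timeout" in (must_list, must_not_list):
        return "unreachable"        # outage: keep the last known status
    if must_not_list == "listed":
        return "lists-everything"   # shutdown signal: stop using the zone
    if must_list == "clean":
        return "empty"              # answers, but the test entry is gone
    return "healthy"

def check(resolve, ip, zone=ZONE):
    """Trust a per-address answer only from a zone that passes its self-test."""
    health = zone_health(resolve, zone)
    return probe(resolve, ip, zone) if health == "healthy" else "unknown:" + health

# Constructed stub resolvers standing in for real DNS.
def healthy_stub(name):
    listed = {dnsbl_name("127.0.0.2"), dnsbl_name("192.0.2.7")}
    return ["127.0.0.2"] if name in listed else []

def wildcard_stub(name):
    return ["127.0.0.2"]            # every name resolves

def dead_stub(name):
    raise TimeoutError(name)

if __name__ == "__main__":
    for stub in (healthy_stub, wildcard_stub, dead_stub):
        print(stub.__name__, check(stub, "192.0.2.7"), check(stub, "192.0.2.8"))
```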

What’s the Status of my Monitors?

We maintain the last status of your IP address or domain associated with the monitor for each blacklist.  If you were on SpamCannibal’s list before the outage, you are still considered to be blacklisted until we find out what has happened to their list.  If you were not on the blacklist at the time of the outage, your status will not change.

What does this mean for email delivery?

Being on a blacklist means that if any company uses that blacklist for email delivery or rejection purposes, your email could be rejected.  Anyone who was using a copy of the SpamCannibal blacklist at the time of the outage may still be using that copy for decision making purposes.

Can an IP or domain be delisted?

Not at this time.  Since the site is inaccessible, there is no method for delisting available. If there is more information or the site remains down for an extended period of time, we may decide to flush all monitors that are currently listed as blacklisted by SpamCannibal.

We will continue to monitor SpamCannibal and return them to our pool of blacklists if the site should recover.

Why Blacklisting isn’t really the problem…

If you are on a blacklist, then you’re feeling the urgency and pain of getting off the blacklist and restoring your ability to send email to customers, prospects and vendors – you’re ready to get back to business.  But, wait a second, what caused you to be blacklisted in the first place?

Causes of Blacklisting

  • Malware or Virus infection
  • Errant bulk email campaign
  • Random mail to spam traps or honeypots

You can control these issues with software that filters inbound and outbound email, but really, these are just symptoms of a greater problem – poor Email Delivery Management. Email Delivery Management means methodically developing best practices to ensure email gets to the inbox.

What is going on with email delivery?

Long gone are the days when you could fire off an email and assume it went directly into your customers’ inboxes.  Between spam filters, anti-virus programs, and blacklist-based email filters, your email delivery is controlled by several layers of security.  But, do you know anything about how that security works?  Do you know if your email is getting through?  Do you get any feedback from users?  Blacklists are just part of the equation.  By the time you know you are on a blacklist, it’s already too late: your email is already being denied.

In addition, you are probably using several 3rd party companies to email for you.  These could include a bulk email service, marketing automation, forwarders or even rogue email systems sitting in your network.  Do you know if you or partners emailing on your behalf have good reputations with your customers, their inbox providers and those security tools I mentioned?  Do you get any feedback until you’re blacklisted?

In recent years, Google and Outlook.com have been rapidly gaining market share as inbox providers.  They and many other companies are prioritizing email that has passed SPF verification and is signed by a valid DKIM signature.  Are you ready for SPF and DKIM?  Do you know if all your 3rd party emailers are covered in your SPF record?

Finally, email spoofing is becoming one of the biggest methods for exploiting a company’s brand to obtain private information and user credentials.  Do you know who is leveraging your brand to spoof your customers?

How do you manage email delivery?

The short answer is to adopt three important technologies:

  • SPF – Enables you to tell the world who is legitimately allowed to send email on your behalf
  • DKIM – Enables you to sign email and take ownership of the quality of the email you send
  • DMARC – Enables you to publish an email address where you can receive feedback from inbox providers about the quality of the email coming from your domain and control how a provider processes email that fails SPF or DKIM.

With all three technologies, you take ownership for the email you send, designate additional senders for your domain and get feedback on email sent by you, your senders and potentially malicious senders.  This is the start of email delivery management.

Our Experts

MxToolbox is the expert in email delivery.  Our team of highly skilled specialists can help you set up SPF, DKIM and DMARC and begin to manage your email delivery.

After talking with dozens of clients, we realized that our customers needed help decoding DMARC reports and understanding:

  • Who is sending email purporting to be from your domain
  • What is the reputation of your domains and delegated IPs
  • Where other senders are and what their reputations are
  • How your SPF, DKIM and DMARC setup is performing
  • What senders are failing DKIM
  • What senders are failing SPF verification
  • When to set up more restrictive policies for DMARC
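To show what decoding a DMARC report involves, the following added example (not MxToolbox code) reads an aggregate report in the RFC 7489 XML layout and totals, per source IP, how many messages failed the SPF and DKIM checks. The report is constructed and trimmed to the fields used; the `classify` labels are hypothetical names chosen for this sketch.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf):
    """Build one <record> element for the constructed sample report."""
    return ("<record><row><source_ip>%s</source_ip><count>%d</count>"
            "<policy_evaluated><dkim>%s</dkim><spf>%s</spf></policy_evaluated>"
            "</row></record>" % (ip, count, dkim, spf))

# Constructed aggregate report using documentation addresses.
SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + _record("192.0.2.10", 120, "pass", "pass")     # own server
                 + _record("192.0.2.10", 5, "fail", "pass")       # same IP again
                 + _record("198.51.100.25", 40, "pass", "fail")   # third-party mailer
                 + _record("203.0.113.77", 9, "fail", "fail")     # unknown source
                 + "</feedback>")

def summarize(xml_text):
    """Per source IP: message total and failure counts for each check."""
    stats = defaultdict(lambda: {"total": 0, "spf_fail": 0,
                                 "dkim_fail": 0, "dmarc_fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        n = int(row.findtext("count"))
        verdict = row.find("policy_evaluated")
        spf_ok = verdict.findtext("spf") == "pass"
        dkim_ok = verdict.findtext("dkim") == "pass"
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["spf_fail"] += 0 if spf_ok else n
        s["dkim_fail"] += 0 if dkim_ok else n
        # DMARC fails only when neither aligned check passed.
        s["dmarc_fail"] += 0 if (spf_ok or dkim_ok) else n
    return dict(stats)

def classify(s):
    """Hypothetical triage label for one source's counters."""
    if s["dmarc_fail"]:
        return "unauthenticated"   # spoofing or a sender nobody configured
    if s["spf_fail"]:
        return "add-to-spf"        # signs correctly but is missing from SPF
    if s["dkim_fail"]:
        return "fix-dkim"
    return "ok"

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_REPORT).items()):
        print(ip, s, classify(s))
```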

Check out MxDelivery Center and how our experts can help you better reach your customers.

Investigate by URL

With recent upgrades to the Investigator tool, we’re bringing you even more value and information!  In addition to Related IPs and Related Domains, we recently added the capability to look up based on a URL.

Now, you can submit a URL to Investigator and we will pull up all the information on the Domain and take a screenshot of the URL you submit.

Use the Investigator to see if a suspect URL looks like it might contain harmful content while you check out the rest of the domain!


MxToolbox Investigator is a premium tool included with our MxWatch Monitoring plans.  You can also try a free version of Investigator.

Announcing MxDelivery Center

The only constant in the email world is change…

In the Dot.Boom era, most people discovered email for the first time.  Quickly thereafter, malicious individuals discovered how to exploit the new technology for profit with unwanted email: SPAM.  So, businesses created blacklists, lists of IP addresses implicated in the distribution of SPAM, to stop them.  At the same time, a need arose for legitimate businesses to know if they were flagged as SPAM and blacklisted, and MxToolbox has been informing businesses of their online blacklist reputation ever since.

Over the last decade and a half, legitimate businesses started to employ email filtering and 3rd party mass email companies to keep their email servers off of blacklists and improve inbox delivery.  In addition, new techniques and standards were created to help businesses manage these relationships: SPF, DKIM, DMARC, etc.

What do these standards do?

SPF tells the world what IP addresses and Domains can send email on your behalf.

DKIM electronically signs emails you send to prove that they were actually sent by you.

DMARC provides a framework for how a receiver of your email should process any discrepancies they see with SPF and DKIM and how they should tell you about them so that you can improve your email deliverability.

These technologies fit together nicely, but understanding them and reporting on them is complex.  So, we thought we’d help…

Announcing MxDelivery Center

MxDelivery Center provides everything you need to manage a complex email setup that includes everything from your own servers, to mail hosting services (like Gmail or Outlook.com) and 3rd party emailers while reducing the risk to your brand from phishing and spoofing attacks.


MxDelivery Center combines:

  • RFC compliance checking and recommendations for SPF and DKIM configurations
  • In-depth processing of DMARC reports from your email recipients
  • Graphical representation of your DMARC compliance, SPF Verification and DKIM Verification
  • Insight into spoofing and phishing attacks carried out with your brand
  • Reputation of providers and emailers sending on your behalf


Learn more about MxDelivery Center on the product page.


Or, try our Free DMARC Report before you buy MxDelivery Center!

Our Suite of DNSSEC Tools

Recently, you might have noticed an uptick in Denial of Service attacks or problems with root domain servers.  DNS, while the backbone of the internet, was always easy to spoof with man-in-the-middle attacks and other exploits.  To reduce the effects of these exploits, smart people in the industry created a standard to help secure DNS through a bolt-on security framework called DNSSEC.

Basically, DNSSEC enables an organization with DNS servers to vouch for a DNS entry that it serves to a requestor by signing it.  This is similar to new standards for other early, unencrypted Internet protocols, like DKIM for email.  Using DNSSEC is like DKIM in that a provider publishes their signature in a separate DNS entry that can be queried by a DNSSEC-aware client.  In this way, clients guard themselves against false DNS entries seeking to exploit them.

MxToolbox wants to make it easier for you to keep up on the latest security and networking standards, so we’ve created a suite of tools to help you with DNSSEC.  Check them out:

  • DS –  identifies the Delegation Signers (DS) for the specified domain
  • DNSKEY – returns the DNSSEC records for a domain
  • IPSECKEY –  returns the public key that resolvers can use to secure data at the IP layer using IPSEC
  • NSEC3PARAM – used by authoritative DNS servers to calculate and determine which NSEC3-records
  • NSEC – identifies the next secure (NSEC) record for the specified domain
  • RRSIG – identifies the Resource Record Signatures for the specified domain

Let us know how you like these tools!  Email us at feedback.

Security Tools

Over the last few years, security has become a huge concern for many companies. MxToolbox has always made the accessibility of email security information a primary concern – after all, blacklisting is a sign of a greater security problem.  However, we feel that reputation is only one (important) part of the security equation.  That’s why we’re happy to highlight some of the new Security Tools we’ve created to make it easier to do your daily security-related work and investigate any issues that might arise.

IP and Domain Reputation

Whether you’re researching a potential partner or an incident, understanding the online reputation of an IP address or Domain is incredibly important.

Blacklist

Presence on a blacklist is a clear indicator of an issue with an IP or Domain.  Use MxToolbox’s Blacklist tool to research an individual IP or Domain’s reputation.  The more blacklists an IP or Domain is on, the more egregious the problem and more likely there is a virus or malware infection or other problem.

Investigating a Domain

Our new Investigator tool gives you every piece of information you might want on a Domain or URL:

  • Related IP address with reverse DNS, ASN, Geolocation and more
  • Related Domains
  • DNS Nameserver
  • MX record analysis
  • SPF Record analysis
  • Blacklists
  • Whois data

With Investigator, you get all this information in a single-pane view, allowing you to do quick analysis of potential trouble.


Checking Large IP ranges

Imagine knowing immediately when one of your hundreds, thousands or millions of IP addresses is compromised by a bad reputation.  While Blacklisting is traditionally caused by sending spam or malware, it could be a result of maintaining servers with a security posture that is open to attack.  Knowing your network reputation is therefore an important part of your security knowledge.

MxToolbox Service Provider allows you to keep tabs on the blacklist reputation of an entire continuous block of IP addresses.  Designed to give you constant updates on your large IP networks, MxToolbox Service Provider alerts you when any changes to your reputation occur giving you instant warning of potential security issues.


Incident Analysis

When you have an incident, the important thing to do is quickly analyze potential sources and refine the precise issue.  For that you need a quick way to analyze your log files and then dig into potential abusers.

Looking at Logs with Bulk Lookup

What do you do with a big log file full of IP addresses and domains that could contain your abuser?  Do you go through it by hand looking for odd IPs or strange domains?

How about a tool where you could dump the entire log file, have it parsed and then look up all the IPs or domains in a single bulk lookup?  That’s why we created our Bulk Lookup Tool.  Bulk Lookup gives you:

  • Reverse IP Address (for domains)
  • AS Number
  • AS Name
  • Geo Location
  • Blacklist Status
  • Start of Authority (SOA)
  • MX Records
  • Nameservers
  • Email Provider
  • DNS Provider

 


You can correlate sites by ASN and DNS/Email service provider, highlight sites with bad blacklist reputations and identify those in geographies known to be troublesome or outside your client area.  With all this information available you can select those that need further investigation with Investigator or our Networking Tools.

Networking tools

MxToolbox has always provided free tools that simplify your server setup, DNS configuration checks and network evaluation, but many customers use them to pursue security investigations.

Think about the power of being able to Ping, Traceroute or investigate the DNS setup of a suspect server.  Or get realtime reputation information on an IP address hitting your servers.  Or get information on the email configuration of a troubling message.

Our tools give you tremendous flexibility to find the information you need on domains and IP addresses to simplify your security research.