Login based on email domain


12

I’m thinking of a system where only users who have an email address with the domain empresa.com may register. After registration an email will be sent to validate the address.

So far so good: I can easily check which domain the email belongs to when the user is registering.

Let’s also assume that the person responsible for handing out empresa.com email addresses has full control over all active addresses.

Now my question is: is there a security flaw that could allow users with other domains to register, or to mask their email?

For example, [email protected] is not a real address, but could the user mask the email so that [email protected] is redirected to [email protected]?

Is there any possibility that DNS poisoning could affect the security of this system?

Note that the question is not about how to implement it, but about the possible security flaws or attacks I may suffer from someone attempting to circumvent the email domain verification.

  • Companies like JetBrains and Microsoft do something like this to validate university students for their student licensing programs. So I think there is a way to make it work, but I’m also going to wait for an answer.

  • Usually you send an email with a confirmation link to the person, right? As long as your system sends it to the right domain, the only way for someone to intercept it is by messing with their DNS, not the user’s. Or by accessing the user’s account, but then the problem is much broader than your system.

  • @Bacco I think you could write an answer, no?

  • @Math the hard part is stopping to work out all the details. Sergio Cabral partly answered it below, although I think it lacks a little depth for the context.

  • Rubico!!! I... I... I... hahaha See if the answer helped.

  • Yes, Sergio’s answer is "correct". I don’t see anything wrong with it and, as Bacco said, it could go deeper. If no one has a better answer I will accept it. But what I really want is something more out of the box, like DNS poisoning. Something that leaves the ideal path, where nobody is actually trying to break in.

  • If there is a way to do this... I use redirects a lot; why don’t you use cPanel? It is useful for this kind of email setup. If you don’t have cPanel and use Registro.br, it’s a lot of work to configure MX + redirect.


5 answers

2

There is actually no safe way to ensure that the email really belongs to the company. The failure will always be on the company’s side, because if a person with access to the DNS hands information to third parties, or the DNS access password falls into the wrong hands, there is nothing you can do to ensure the integrity of whoever is accessing.

Just as if you had a normal login and password and the password fell into the wrong hands, there is not much to be done.

What you can do is make it harder to exploit possible security breaches.

  1. Map the location where most of the user’s accesses come from, and as soon as an access comes from a different location, generate confirmation emails or a warning to those responsible.
  2. For certain companies that have a fixed IP, you can allow access only from the IPs registered for that company/user.

Beyond that there is not much to be done; the failure will always be on the user’s/company’s side. Large sites like Google, Amazon and others also have trouble ensuring the integrity or authenticity of whoever is accessing.

2


What you want to validate first and foremost is not the email user, but the domain itself.

If the primary DNS is compromised, anything is possible, so these validations are done through TXT records, which makes it possible to verify that the owner has validated the domain.

Another point is to work with companies that use third-party SSL, so that most applications will, by default, fail verification if any host tries to impersonate them through DNS attacks or by compromising the primary DNS servers.

See how Google Apps requires the TXT record:

https://support.google.com/a/answer/183895?hl=pt-BR

It is also worth reading more about the latest email security measures (SPF, DKIM, DMARC):

http://www.rsdezoito.com.br/blog/spf-dkim-e-dmarc-e-mail-marketing-seguro/

  • So far, the mention of SPF, DKIM and DMARC is the best answer.
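The TXT-record validation this answer refers to, as an added example (Python, not code from the answer or from Google): the application issues a random token bound to the domain being registered, the domain admin publishes it as a TXT record, and the application later checks that the record at that exact domain carries that exact token. The record name `app-verification=`, the `FAKE_ZONE` stand-in for DNS and the `PENDING` table are assumptions made for the example; in production `lookup_txt` would be a real DNS query.

```python
import hmac
import secrets

PREFIX = "app-verification="   # hypothetical record name used by this application

# Constructed stand-in for DNS (assumption: a resolver returns every TXT string
# published at the queried name). Replace lookup_txt with a real DNS query.
FAKE_ZONE = {
    "empresa.com": ["v=spf1 include:_spf.google.com -all"],
    "attacker.example": [],
}

# Tokens waiting to be published, keyed by the domain they were issued for
# (in a real system this is a database table, not a module-level dict).
PENDING = {}


def normalize_domain(domain):
    return domain.strip().lower().rstrip(".")


def lookup_txt(name):
    return list(FAKE_ZONE.get(normalize_domain(name), []))


def publish_txt(name, record):
    """Simulates the domain admin adding a TXT record at their registrar."""
    FAKE_ZONE.setdefault(normalize_domain(name), []).append(record)


def start_verification(domain):
    """Issue a fresh random token bound to this domain; the admin must publish it."""
    token = secrets.token_urlsafe(24)
    PENDING[normalize_domain(domain)] = token
    return token


def domain_is_verified(domain, resolver=lookup_txt):
    """True only if the TXT record at `domain` carries the token issued for `domain`.

    Looking the token up by domain is what makes a copied record useless: a token
    issued for empresa.com never satisfies a check for attacker.example, even if
    attacker.example publishes it.
    """
    domain = normalize_domain(domain)
    expected = PENDING.get(domain)
    if expected is None:
        return False
    for rec in resolver(domain):
        if rec.startswith(PREFIX):
            found = rec[len(PREFIX):].strip().encode()
            # constant-time comparison, so timing does not leak the token
            if hmac.compare_digest(found, expected.encode()):
                return True
    return False
```

The check is only as strong as the DNS answer it sees, which is exactly the caveat in the answer: if the resolver the application uses is poisoned or the zone itself is compromised, the attacker can publish whatever record the check expects. Re-checking the record periodically limits how long a verification obtained through a temporary DNS compromise stays valid.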

1

If the domain empresa.com belongs to the company that owns the software, it is safe. In fact, security depends on who owns the domain.

For example, I own the domain splitz.com.br. If someone tries to register for a service (Google, Microsoft, etc.) using my domain as [email protected], a confirmation email will be sent to [email protected], but since I am the owner of the domain it is I who receive the email, not the invader. Result: they will not get their email confirmed and their account will not be activated in the service.

It happened to me... Someone tried to register on Facebook using my email [email protected]; the result was that I received the confirmation email, confirmed the account, logged into the (invader’s?) personal Facebook, changed their password, and deleted this newly created account of mine.

In short... whoever owns the domain does whatever they want. The attacker would have to have access to the domain’s DNS to cause problems. I mean having the password to access the Registro.br site (or GoDaddy, CentralNic, etc.) to modify the DNS entries below.

[image: the registrar’s DNS zone editing screen]

Only with access to this screen could the attacker, as you put it, mask the email so that [email protected] is redirected to [email protected]?

0

I will try to answer the two things you asked (or what I understood from the question):

To automatically check whether the email belongs to the company you want to restrict to, use the following code:

```php
<?php
// Split the address at '@' and compare the part after it with the allowed domain
$check = explode('@', $email);
$dominio = isset($check[1]) ? strtolower(trim($check[1])) : '';

if ($dominio === 'empresa.com.br') {
    return true;
}
```

Now let’s talk about email security: it really is safe, and very difficult for a person to circumvent RECEIVING an email by choosing a domain. To circumvent the SENDING of an email, a very easy trick was used; I don’t know whether it has been fixed today. Some software allows you to change the email header when you send it (I have done it myself :). Simply change the field where the property is: [email protected]. This is only for sending; if you send an email to that address, it will get stuck at the IMAP SERVER, which probably will not find anything.

That is, the person can send fake emails but does not receive anything at that fake address.

So this proposal is SAFE ;)

-- Just a reminder that Facebook started out this way, restricted to those who had @edu.com emails (i.e. only university students).

  • If someone breaks the security of the MX DNS zones, they can do much more than log in with a fake email.

  • The issue itself isn’t even about code, but about security analysis; I believe there will always be a flaw. In the case of superior minds in this area, it is possible to use even an ALIAS.

  • Of course not; all these settings (MX entries, DNS, alias) are only under the system operator’s control.
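The snippet in this answer takes whatever follows the first `@` and compares it with the allowed domain. As an added example (Python, not code from the answer), here is that naive extraction next to a stricter one that refuses any address the registration code and the mail library could split differently: a second `@`, quoted local parts, whitespace, and non-ASCII look-alike domains. `ALLOWED_DOMAIN` and the test addresses are assumptions made for the example.

```python
import re

ALLOWED_DOMAIN = "empresa.com"   # the only domain allowed to register (assumed)

# RFC 5322 atext plus '.', i.e. an unquoted local part
LOCAL_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# one hostname label: letters, digits and inner hyphens, at most 63 chars
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def naive_domain(email):
    """The check from the answer above: whatever follows the first '@'."""
    parts = email.split("@")
    return parts[1] if len(parts) > 1 else ""


def strict_domain(email):
    """Return the normalized domain, or None when the address is not a plain
    ASCII local@domain. Anything ambiguous is refused instead of guessed at,
    so the domain the app checks is the domain the MTA will deliver to.
    """
    if not email or email != email.strip() or any(c.isspace() for c in email):
        return None
    if email.count("@") != 1:          # rejects 'a@empresa.com@evil.com' and '"a@x"@empresa.com'
        return None
    local, domain = email.split("@")
    if (not LOCAL_PART.match(local) or ".." in local
            or local[0] == "." or local[-1] == "."):
        return None
    domain = domain.rstrip(".").lower()  # trailing dot and case do not change the domain
    if not domain.isascii():
        return None   # 'empres\u0430.com' (Cyrillic a) is a different domain
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return domain


def may_register(email):
    return strict_domain(email) == ALLOWED_DOMAIN
```

The interesting input is `ana@empresa.com@evil.com`: the naive split reports `empresa.com`, while the strict parser rejects the address outright, which is the safer answer whenever two components might disagree about where the confirmation mail actually goes.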

0

If the "intruder" has access to this company’s email and creates a redirect, he can bypass it without any problem.

Assuming it is a company with its own domain, here are some ideas:

  1. SPF check

You can check the SPF and DNS records for the domain. By checking the domain’s SPF you can get the company’s MX IPs. You can

Algorithm: `dns_get_record("domain.com", DNS_TXT)`; locate the records with `v=spf1`; find all the IPs on that line and put them in an array. For example, if the MX contains 200.10.20.30, restrict registrations to the network 200.10.20.__

  2. WHOIS check

You can get the IPs for the company’s domain and check the IP address of whoever is accessing. Doing a WHOIS on the IP of whoever is accessing will confirm who owns the IP, if the company uses a fixed IP. You can restrict access from broadband providers such as GVT, Oi, etc., or simply not check in those cases.

Algorithm: `gethostbyname("domain.com")`; apply a WHOIS to the result; filter by organization name.

  3. Map the IP history

You can simply build a database of the history of IPs used by each domain (users with @dominio.com emails) when accessing the system. That way you can see whether they are always on the same network. If some access "escapes" the network pattern, you can block that user specifically.

For example:

user [email protected] - IP 200.10.20.30
user [email protected] - IP 200.10.20.32
user [email protected] - IP 200.10.20.37

You can use a frequency pattern for "200.10.20".

[email protected] - IP 177.81.10.20 - Block (totally different IP)
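Items 1 and 3 of this answer, as an added example (Python rather than the PHP functions the answer names; not code from the answer): an SPF parser that returns the literal `ip4:`/`ip6:` networks and, separately, the mechanisms it cannot resolve (`include:`, `a`, `mx`, `redirect=`), a membership check for a client IP against those networks, and the /24 frequency pattern with the outlier flagged. The SPF string and the login history are constructed for the example; in production they would come from the DNS lookup and from the application’s database.

```python
import ipaddress
from collections import Counter

# Constructed inputs (assumptions): an SPF TXT record as a DNS lookup would
# return it, and a login-history table as the application might store it.
SPF_TXT = "v=spf1 ip4:200.10.20.30 ip4:200.10.21.0/24 include:_spf.google.com -all"

LOGIN_HISTORY = [
    ("ana@empresa.com", "200.10.20.30"),
    ("beto@empresa.com", "200.10.20.32"),
    ("carla@empresa.com", "200.10.20.37"),
    ("dani@empresa.com", "200.10.20.40"),
    ("eva@empresa.com", "177.81.10.20"),
]


def spf_networks(txt):
    """Parse an SPF record into literal networks plus the mechanisms it delegates to.

    Only positive ip4:/ip6: terms name addresses directly. include:, a, mx,
    exists: and redirect= point at other records, so they are returned separately:
    a record like 'v=spf1 include:_spf.google.com -all' yields no networks at all,
    which is the common case for hosted mail and must be handled by the caller.
    """
    nets, delegated = [], []
    for term in txt.split()[1:]:            # skip the 'v=spf1' version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        term = term.lstrip("+-~?")
        if term == "all" or qualifier != "+":
            continue                         # 'all' and non-pass terms name no networks
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith(("include:", "a", "mx", "redirect=", "exists:")):
            delegated.append(term)
    return nets, delegated


def ip_in_networks(ip, nets):
    """Item 1: is the registering client's IP inside one of the SPF networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dominant_prefix(history, domain, prefixlen=24):
    """Item 3: the most common /24 among past logins of users at `domain`."""
    counts = Counter()
    for email, ip in history:
        if email.lower().endswith("@" + domain):
            counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts.most_common(1)[0][0] if counts else None


def flag_outliers(history, domain, prefixlen=24):
    """Users whose login IP is outside the dominant network, the 'Block' case above."""
    net = dominant_prefix(history, domain, prefixlen)
    if net is None:
        return []
    return [email for email, ip in history
            if email.lower().endswith("@" + domain)
            and ipaddress.ip_address(ip) not in net]
```

Two things the code makes visible: an SPF record lists the hosts allowed to send mail for the domain, so a record that only delegates via `include:` gives the registration check nothing to compare against, and the /24 heuristic is a statistical signal (a new office or a VPN exit changes it) rather than a proof of who is registering.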
