The ‘from’ address field in an email is supposed to identify the person who sent it, but unfortunately that’s not always the case. In a Black Hat USA 2020 virtual conference session, researchers outlined 18 different attacks against email sender authentication systems.
Jianjun Chen, postdoctoral researcher at the International Computer Science Institute (ICSI), explained that the original Simple Mail Transfer Protocol (SMTP) – which is used by the world’s email systems to send email – once had no built-in authentication mechanisms. As such, in the early days of the internet, it was trivially easy for anyone to spoof any identity for the ‘from’ address in an email.
That situation changed with the debut of a trio of sender authentication protocols that have been advanced over the past decade. Among those protocols is Sender Policy Framework (SPF), which verifies the IP address of the sending domain. DomainKeys Identified Mail (DKIM) is a standard that verifies that the email is signed by the sending domain. Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) brings SPF and DKIM together into a policy framework approach.
Bypassing Email Sender Authentication
However, in a series of slides revealing specific details, Chen, along with his co-presenters Jian Jiang, senior director of engineering at Shape Security, and Vern Paxson, professor at UC Berkeley, outlined how it is possible to get around the enforcement that DMARC is supposed to provide for email sender authentication.
Chen noted that the key idea behind attacks of this nature is to take advantage of inconsistencies between different components of DMARC as well as Mail User Agent (MUA) software, the programs end users use to read email. In one scenario detailed by Chen, an attacker could potentially exploit how SPF and DKIM pass their results to DMARC in order to trigger a ‘pass’ for email authentication.
Another scenario exploits an ambiguity between how a receiving email server interprets sender addresses and how the same addresses are displayed in an email client. For example, the RFC 5322 specification that defines how email messages should be constructed specifies that messages with multiple ‘from’ headers should be rejected. In practice, the researchers found that 19 out of 29 MUAs in fact accepted multiple ‘from’ addresses.
In summing up the different attacks, Jiang noted that when there are multiple identifiers in the email protocol it is easy to have discrepancies and inconsistencies about which identifier to use. He added that email messages are processed by multiple components and all of the components need to have some kind of agreement on the recognized identifiers in order to accurately enforce email sender authorization policies.
How to Defend Against Email Authentication Bypass
Jiang noted that, generally speaking, when the email authentication protocols are parsing emails they should be set up for strict compliance and reject any kind of suspicious formats.
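As an added illustration of the strict-parsing advice above and of the multiple-‘from’ ambiguity described earlier (example code, not from the talk or the researchers), the check below treats the RFC 5322 From header as the single identifier DMARC aligns SPF and DKIM results against and rejects, rather than guesses about, any message carrying more than one. The sample messages and the authenticated_domains input (the domains SPF/DKIM validated) are constructed here; alignment is checked in strict (exact-domain) mode only.

```python
import email
from email.utils import getaddresses

# Constructed sample messages: one well-formed, two with ambiguous sender identity.
SAMPLES = {
    "single": (b"From: Alice <alice@example.com>\r\n"
               b"To: bob@example.net\r\nSubject: hi\r\n\r\nbody\r\n"),
    "two_from_headers": (b"From: ceo@example.com\r\n"
                         b"From: attacker@attacker.example\r\n"
                         b"To: bob@example.net\r\n\r\nbody\r\n"),
    "two_mailboxes": (b"From: ceo@example.com, attacker@attacker.example\r\n"
                      b"To: bob@example.net\r\n\r\nbody\r\n"),
}


def check_sender_identity(raw: bytes, authenticated_domains=None) -> dict:
    """Strict From check. `authenticated_domains` is a hypothetical input:
    the set of domains SPF/DKIM already validated for this message."""
    msg = email.message_from_bytes(raw)
    headers = msg.get_all("From") or []          # every From header, not just the first
    mailboxes = [addr for _, addr in getaddresses(headers) if addr]
    domains = sorted({m.rsplit("@", 1)[1].lower() for m in mailboxes if "@" in m})
    result = {"domains": domains}
    if len(headers) != 1:
        return {**result, "verdict": "reject",
                "reason": f"{len(headers)} From headers; RFC 5322 requires exactly one"}
    if len(mailboxes) != 1 or len(domains) != 1:
        return {**result, "verdict": "reject",
                "reason": f"{len(mailboxes)} mailboxes in From; expected exactly one"}
    if authenticated_domains is not None:
        allowed = {d.lower() for d in authenticated_domains}
        if domains[0] not in allowed:             # strict DMARC-style alignment
            return {**result, "verdict": "reject",
                    "reason": f"From domain {domains[0]} not aligned with SPF/DKIM result"}
    return {**result, "verdict": "pass", "reason": "single, aligned From mailbox"}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_sender_identity(raw, {"example.com"}))
```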
For end users, Jiang suggested never blindly trusting the email address displayed in an email client, even though it’s typically difficult to verify trust. Jiang commented that the researchers overall found that the user interface of email clients is not sufficient to provide any kind of real security assurance about the authenticity of an email.
“So even for a security professional, it’s not easy for them to use any kind of security indicators to show if an email is trustable or not,” Jiang said. “So there is plenty of space to improve in that direction.”