DOI: 10.1145/2030376.2030380
research-article

How is e-mail sender authentication used and misused?

Published: 01 September 2011

Abstract

E-mail sender authentication is a promising way of verifying the sources of e-mail messages. Since today's primary e-mail sender authentication mechanisms are designed as a fully decentralized architecture, it is crucial for e-mail operators to know how other organizations are using and misusing them. This paper addresses the question "How is the DNS Sender Policy Framework (SPF), which is the most popular e-mail sender authentication mechanism, used and misused in the wild?" To the best of our knowledge, this is the first extensive study addressing this fundamental question. This work targets both legitimate and spamming domain names and correlates them with multiple data sets, including e-mail delivery logs collected from medium-scale enterprise networks and various IP reputation lists. We first present the adoption and usage of DNS SPF from both global and local viewpoints. Next, we show empirically why and how spammers leverage the SPF mechanism in an attempt to pass a simple SPF authentication test. We also show that a non-negligible volume of legitimate messages originating from legitimate senders will be rejected or marked as potential spam under the SPF policies set by the owners of legitimate domains. Our findings will help provide (1) e-mail operators with useful insights for setting adequate sender or receiver policies and (2) researchers with detailed measurement data for understanding the feasibility, fundamental limitations, and potential extensions of e-mail sender authentication mechanisms.

Published In

CEAS '11: Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
September 2011
230 pages
ISBN:9781450307888
DOI:10.1145/2030376

Publisher

Association for Computing Machinery

New York, NY, United States

Cited By

  • (2024) SPF beyond the standard. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 3081-3098. DOI: 10.5555/3698900.3699073. Online publication date: 14-Aug-2024
  • (2024) Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC. Passive and Active Measurement, pp. 232-261. DOI: 10.1007/978-3-031-56249-5_10. Online publication date: 20-Mar-2024
  • (2023) A First Look at Brand Indicators for Message Identification (BIMI). Passive and Active Measurement, pp. 479-495. DOI: 10.1007/978-3-031-28486-1_20. Online publication date: 10-Mar-2023
  • (2022) Email Logging Interface using machine Learning techniques. 2022 2nd International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE), pp. 1324-1328. DOI: 10.1109/ICACITE53722.2022.9823556. Online publication date: 28-Apr-2022
  • (2021) Measuring email sender validation in the wild. Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies, pp. 230-242. DOI: 10.1145/3485983.3494868. Online publication date: 2-Dec-2021
  • (2018) Reading Between the Lines: Content-Agnostic Detection of Spear-Phishing Emails. Research in Attacks, Intrusions, and Defenses, pp. 69-91. DOI: 10.1007/978-3-030-00470-5_4. Online publication date: 7-Sep-2018
  • (2015) Large-scale active measurements of DNS entries related to e-mail system security. 2015 IEEE International Conference on Communications (ICC), pp. 7426-7432. DOI: 10.1109/ICC.2015.7249513. Online publication date: Jun-2015
  • (2015) Detecting spam through their Sender Policy Framework records. Security and Communication Networks, 8:18, pp. 3555-3563. DOI: 10.1002/sec.1280. Online publication date: 1-Dec-2015
  • (2013) Identity based email sender authentication for spam mitigation. Eighth International Conference on Digital Information Management (ICDIM 2013), pp. 14-19. DOI: 10.1109/ICDIM.2013.6694015. Online publication date: Sep-2013
  • (2012) Determination of SPF records for the intention of sending spam. 2012 20th Signal Processing and Communications Applications Conference (SIU), pp. 1-4. DOI: 10.1109/SIU.2012.6204709. Online publication date: Apr-2012
