ABSTRACT
Email is an important medium for Internet communication, so a secure email infrastructure is of utmost importance. In this paper we discuss two software vulnerabilities discovered in libSPF2, a library used by mail servers across the Internet for email sender validation with the Sender Policy Framework (SPF). We describe a technique to remotely detect the vulnerabilities in a production mail server, and we use that technique to quantify how many Internet mail servers are vulnerable. We also monitor the patch rate of affected servers by performing continuous measurement over a period of roughly four months. We identify thousands of vulnerable mail servers, some associated with high-profile mail providers. Even after private notifications and public disclosure of the vulnerabilities, roughly 80% of the vulnerable servers remain vulnerable.
Index Terms
- SPFail: discovering, measuring, and remediating vulnerabilities in email sender validation