Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks
This work explored the vulnerabilities of the chain-based authentication structure in the email ecosystem. Under this structure, a failure in any part can break the whole chain; that is, the authenticity of an email depends on the weakest link in the email authentication chain. Through a systematic analysis of the email delivery process, we presented a series of new attacks that can bypass SPF, DKIM, DMARC and user-interface protections. In addition, we conducted a large-scale analysis of 30 popular email services and 23 email clients. Experiment results show that all of them are vulnerable to the new attacks, including well-known email services such as Gmail and Outlook. We underscore the unfortunate fact that many email services have not implemented adequate protective measures. Whereas past literature focused on the impact of spoofing attacks on a single step of the authentication process, we concentrated on their influence on the chain-based email authentication process as a whole. Based on our findings, we analyzed the root causes of these attacks and reported the issues to the corresponding email service providers. We also proposed key mitigating measures for email protocol designers and email providers to defend against email spoofing attacks. Our work is devoted to helping the email industry protect users against email spoofing attacks more efficiently and improve the email ecosystem’s overall security.
This work has been accepted by USENIX Security 2021.
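The weakest-link point in the abstract can be seen from the receiver's side: SPF authenticates the envelope MAIL FROM domain, DKIM authenticates the signing `d=` domain, and only DMARC alignment ties either one to the From header the user sees. The following is an added example, not code from the paper; the function names, the sample message and the `.example` domains are constructed, the SPF/DKIM results are assumed to come from an upstream verifier, and the organizational domain is approximated as the last two labels.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not taken from the paper).
SAMPLE = ("From: Billing <billing@bank.example>\n"
          "To: user@recipient.example\n"
          "Subject: Invoice\n\nbody\n")

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real receiver
    # uses the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    # DMARC identifier alignment: exact match (strict) or same
    # organizational domain (relaxed).
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def evaluate_chain(raw_message, spf_result, mail_from_domain, dkim_results):
    """dkim_results: list of (result, d= domain) pairs, one per signature."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From") or []
    addrs = getaddresses(from_headers)
    # RFC 5322 permits exactly one From field; DMARC needs one author domain.
    if len(from_headers) != 1 or len(addrs) != 1 or "@" not in addrs[0][1]:
        return {"verdict": "reject", "reason": "ambiguous From header"}
    from_domain = addrs[0][1].rsplit("@", 1)[1]
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain)
    dkim_ok = any(r == "pass" and aligned(from_domain, d)
                  for r, d in dkim_results)
    # What a receiver concludes if it checks each link in isolation.
    naive = spf_result == "pass" or any(r == "pass" for r, _ in dkim_results)
    ok = spf_ok or dkim_ok
    return {"from_domain": from_domain, "naive_accept": naive,
            "verdict": "pass" if ok else "fail",
            "reason": "aligned" if ok else "no aligned identifier"}

if __name__ == "__main__":
    # SPF and DKIM both pass, but for a domain unrelated to the From header.
    print(evaluate_chain(SAMPLE, "pass", "mailer.other.example",
                         [("pass", "other.example")]))
```

A message whose `naive_accept` is true while `verdict` is `fail` is one where every individual check succeeded yet nothing authenticated the displayed sender.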