Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks
This work explored the vulnerabilities of the chain-based authentication structure in the email ecosystem. Under this structure, a failure in any part can break the whole chain; that is, the authenticity of an email depends on the weakest link in the email authentication chain. Through a systematic analysis of the email delivery process, we presented a series of new attacks that can bypass SPF, DKIM, DMARC and user-interface protections. In addition, we conducted a large-scale analysis of 30 popular email services and 23 email clients. Experiment results show that all of them are vulnerable to the new attacks, including famous email services such as Gmail and Outlook. We underscore the unfortunate fact that many email services have not implemented adequate protective measures. Recognizing the limitation of past literature, which focused on the impact of spoofing attacks on a single step of the authentication process, we concentrated on their influence on the chain-based email authentication process as a whole. Based on our findings, we analyzed the root causes of these attacks and reported the issues to the corresponding email service providers. We also proposed key mitigating measures for email protocol designers and email providers to defend against email spoofing attacks. Our work is devoted to helping the email industry protect users against email spoofing attacks more efficiently and improve the email ecosystem's overall security.
This work has been accepted by USENIX Security 2021.