Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

Enze Liu; Gautam Akiwate; Mattijs Jonker; Ariana Mirian; Grant Ho; Geoffrey M. Voelker; Stefan Savage

doi:10.48550/arXiv.2302.07287

Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

Enze Liu
, Gautam Akiwate
, Mattijs Jonker
, Ariana Mirian
, Grant Ho
, Geoffrey M. Voelker
, Stefan Savage

Research output: Contribution to conference › Paper › peer-review

279 Downloads (Pure)

Abstract

The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding — used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com)
and news (e.g., washingtonpost.com) among others.

Original language	English
Number of pages	19
DOIs	https://doi.org/10.48550/arXiv.2302.07287
Publication status	Published - 2023
Event	8th IEEE European Symposium on Security and Privacy - TU Delft Echo, Delft, Netherlands Duration: 3 Jul 2023 → 7 Jul 2023 Conference number: 8 https://eurosp2023.ieee-security.org/index.html

Conference

Conference	8th IEEE European Symposium on Security and Privacy
Abbreviated title	Euro S&P
Country/Territory	Netherlands
City	Delft
Period	3/07/23 → 7/07/23
Internet address	https://eurosp2023.ieee-security.org/index.html

Keywords

mail
security
spf
dkim
dmarc
spoofing

Access to Document

10.48550/arXiv.2302.07287Licence: CC BY

eurosp23-paper17Accepted author version, 986 KB

Best Paper Award -- Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy
Liu, E. (Recipient), Akiwate, G. (Recipient), Jonker, M. (Recipient), Mirian, A. (Recipient), Ho, G. (Recipient), Voelker, G. M. (Recipient) & Savage, S. (Recipient), 4 Jul 2023
Prize

Cite this

@conference{46bfc7b6ef4c40ed8272e684029b6187,

title = "Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy",

abstract = "The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding — used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.",

keywords = "mail, security, spf, dkim, dmarc, spoofing",

author = "Enze Liu and Gautam Akiwate and Mattijs Jonker and Ariana Mirian and Grant Ho and Voelker, \{Geoffrey M.\} and Stefan Savage",

year = "2023",

doi = "10.48550/arXiv.2302.07287",

language = "English",

note = "8th IEEE European Symposium on Security and Privacy, Euro S\&P ; Conference date: 03-07-2023 Through 07-07-2023",

url = "https://eurosp2023.ieee-security.org/index.html",

}

TY - CONF

T1 - Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

AU - Liu, Enze

AU - Akiwate, Gautam

AU - Jonker, Mattijs

AU - Mirian, Ariana

AU - Ho, Grant

AU - Voelker, Geoffrey M.

AU - Savage, Stefan

N1 - Conference code: 8

PY - 2023

Y1 - 2023

N2 - The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding — used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.

AB - The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding — used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.

KW - mail

KW - security

KW - spf

KW - dkim

KW - dmarc

KW - spoofing

U2 - 10.48550/arXiv.2302.07287

DO - 10.48550/arXiv.2302.07287

M3 - Paper

T2 - 8th IEEE European Symposium on Security and Privacy

Y2 - 3 July 2023 through 7 July 2023

ER -

Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

Abstract

Conference

Keywords

Access to Document

Fingerprint

Prizes

Best Paper Award -- Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

Cite this