A team of researchers has detailed security weaknesses in the way email forwarding interacts with sender-authentication protocols, weaknesses that allow email spoofing. Using them, the researchers could spoof the domains of government, media, and other organizations.
Security Flaws In Email Forwarding
Researchers from UC San Diego, USA, Stanford University, USA, and the University of Twente, Netherlands, have detailed the security risks inherent in email forwarding.
Specifically, they showed that the existing sender-authentication protocols fail to prevent spoofing attacks once a message passes through a forwarder.
Three sender-authentication mechanisms are in common use today to prevent email spoofing:
- Sender Policy Framework (SPF): publishes, in the sending domain's DNS, the IP addresses authorized to send mail on its behalf, together with a qualifier (fail, softfail, neutral) telling receivers how to treat mail from any other address. The check is run against the envelope sender (MAIL FROM) domain and the IP address of the server that delivers the message.
- DomainKeys Identified Mail (DKIM): attaches a cryptographic signature that binds the message headers and body to a signing domain. It authenticates the signing domain, not the visible From address, so on its own it does not establish who the sender is.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): builds on SPF and DKIM by requiring that the domain one of them authenticates aligns with the header From domain, publishes the policy (none, quarantine, reject) receivers should apply when neither check passes with alignment, and adds reporting. It closes the gaps each protocol leaves on its own.
Applied together, these three protocols stop most direct spoofing by authenticating the sender. However, the researchers observed that none of them was designed with forwarding in mind, and no equivalent measure protects forwarded mail.
A forwarded message involves at least three parties rather than a simple sender and recipient, and that makes sender verification tricky: the forwarding server re-sends the message from its own IP address, so SPF evaluated against the original sender's domain fails, and any modification along the way (a mailing-list footer, for instance) invalidates the DKIM signature. To avoid rejecting legitimate forwarded mail, receivers compensate with relaxed rules. That compensation, applied without a unified standard despite how common forwarding is, is what lets attackers spoof even trusted domains, such as government addresses.
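To make the problem concrete, here is a toy SPF and DMARC evaluator (added as an illustration; it is not code from the researchers or from any mail provider). It uses a constructed DNS zone for a hypothetical domain example.org, IP addresses from the documentation ranges, and a simplified notion of organizational domain (last two labels, no Public Suffix List); DKIM verification itself is stubbed as a pass/fail result per signing domain. It then runs four constructed scenarios: a direct send, a forwarded message that arrives intact, a forwarded message modified in transit, and a plain spoof.

```python
import ipaddress

# Constructed DNS zone for a hypothetical sender domain (not from the paper).
# 203.0.113.0/24 is example.org's own outbound mail range.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; aspf=r; adkim=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip):
    """Toy SPF (RFC 7208) check: ip4/ip6/all mechanisms with qualifiers.
    include:, a, mx and exists: need live DNS and are not modelled."""
    record = DNS_TXT.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def parse_dmarc(header_from_domain):
    record = DNS_TXT.get("_dmarc." + header_from_domain)
    if record is None:
        return None
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment. Strict needs an exact match; relaxed compares
    organizational domains, approximated here by the last two labels."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(auth_domain) == org(from_domain)


def check_dmarc(header_from_domain, spf_result, mail_from_domain, dkim_results):
    """dkim_results: list of (signing_domain, 'pass'|'fail') pairs.
    Returns 'pass', or the disposition the domain owner requested."""
    tags = parse_dmarc(header_from_domain)
    if tags is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(
        mail_from_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, header_from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def authenticate(client_ip, mail_from_domain, header_from_domain, dkim_results):
    """Receiver-side evaluation of one delivery attempt: (spf, dmarc)."""
    spf = check_spf(mail_from_domain, client_ip)
    return spf, check_dmarc(header_from_domain, spf, mail_from_domain, dkim_results)


# Constructed hops: 203.0.113.10 is example.org's MTA, 198.51.100.7 belongs to a
# forwarding service (or an attacker) and is not in example.org's SPF record.
SCENARIOS = {
    "direct":             ("203.0.113.10", "example.org", "example.org", [("example.org", "pass")]),
    "forwarded_intact":   ("198.51.100.7", "example.org", "example.org", [("example.org", "pass")]),
    "forwarded_modified": ("198.51.100.7", "example.org", "example.org", [("example.org", "fail")]),
    "spoofed_direct":     ("198.51.100.7", "example.org", "example.org", []),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        spf, dmarc = authenticate(*args)
        print(f"{name:20s} spf={spf:8s} dmarc={dmarc}")
```

The interesting rows are the two forwarded ones. Forwarding always fails SPF, because the forwarder's IP is not in the origin domain's record; the message survives DMARC only while the DKIM signature is intact. A mailing list that rewrites the body produces the same result as a spoof, which is exactly why receivers add relaxed validation and ARC for forwarded mail, and that accommodation is the surface the researchers examined.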
The attacks exploited three issues: relaxed validation of forwarded mail, implementation flaws in Authenticated Received Chain (ARC, the mechanism forwarders use to attest to the authentication results they observed so that the final receiver can trust them), and abuse of mailing lists. In their study, the researchers analyzed 20 email forwarding services and could spoof prominent domains such as state.gov and washingtonpost.com. They also got spoofed emails delivered to popular providers including Gmail, Zoho, and Microsoft Outlook.
Recommended Mitigations
Besides demonstrating the lapses, the researchers recommend mitigations. Specifically, they advise email providers to disable open forwarding (forwarding to arbitrary addresses the recipient never confirmed), which stops attackers laundering spoofed mail through a provider's forwarding infrastructure; to remove relaxed validation policies for forwarded mail; and to harden mailing-list handling. They also suggest revising the relevant RFC standards, improving UI notifications, and developing robust testing tools.
The researchers have shared the details of their study in a research paper scheduled for presentation at the 8th IEEE European Symposium on Security and Privacy (EuroS&P).