Contents
Potential Email Compromise via Dangling DNS MX (PDF)
Abstract:
Routing of email generally relies on DNS MX (Mail Exchange) resource records. In addition, the MX definition may be used in Sender Policy Framework (SPF) rules. In this paper, we explore Dangling MX record targets which are available for third-party purchase and control. Depending on corresponding, potentially valid MX records and SPF rules, the vulnerabilities range from little impact to complete two-way email communication compromise, without snooping or man-in-the-middle techniques.
Even if the organization does not use the domain for email, a third-party could still use it in a phishing attack where the phisher can actually use a valid and legitimate domain for increased credibility.
We discovered 393 domain names with a Dangling MX record. This paper shares real-world examples of Dangling MX records and techniques for finding them. While the Dangling MX concept is already known, this paper also describes a novel vulnerability and research approach where the Dangling MX or other DNS target is an existing registered domain, but available for purchase or unknown third-party use.
1. history
Isn't this an already known problem? Yes this is documented in papers and various articles, but with little focus on email specifically. This paper highlights it specifically for email and, in addition, it introduces a new approach to discover and recognize Dangling DNS targets.
Why disclose all these organizations?
We attempted to contact companies about this since 2019.
See What does "Responsible" mean for Vulnerability Disclosures?
We had a less than three percent success rate.
Imagine the problem already exists and working mail servers may already be handling
other's MX targets maliciously — and would not be detected by these methods.