III. ATTACK MODEL AND CROSS-PROTOCOL ATTACK
In this section, we will introduce the attack model of BreakSPF and propose a novel cross-protocol attack that can utilize HTTP services to send emails, which expands the IP pools attackers can exploit.
A. BreakSPF Attack Model
The objective of the BreakSPF attack is to send spoofing emails to arbitrary victims, posing as popular domains, while ensuring that these spoofing emails pass SPF and DMARC authentication.
While it is widely acknowledged that configuring SPF with excessively broad IP address ranges can pose a security risk, few efforts have been made to evaluate whether realistic attackers can exploit this vulnerability.
Thus, we propose the BreakSPF attack model, which translates vulnerable SPF configuration problems into realistic email spoofing attacks.
This attack model exploits vulnerabilities in SPF deployment and thereby circumvents the protection offered by the current email authentication chain.
Figure 3 illustrates the attack model of BreakSPF.
It comprises a popular domain (e.g., example.com) configured with a vulnerable SPF record containing a wide range of IP addresses, an attacker capable of controlling multiple shared infrastructures, and arbitrary victims with their email services (such as victim.com).
In the BreakSPF attack model, we assume that
- (1) attackers have access to a wide variety of public services that allow them to acquire enough IP pools to bypass SPF validation, detailed in Section VI, and
- (2) vulnerable SPF records with the IP addresses they currently control, detailed in Section IV.
The attacker is not required to have the ability to act as an active Man-in-the-Middle (MitM) attacker and change the DNS entries or perform other DNS spoofing attacks.
As shown in Figure 3, the BreakSPF attack model contains the following steps:
- (1) attackers find a target domain configured with a vulnerable SPF record,
- (2) attackers choose public services whose IP addresses are included in the vulnerable SPF record,
- (3) attackers utilize the chosen public service to send spoofing emails to the victim,
- (4) the victim's email service verifies the sender's IP address against the SPF record of the domain given in the SMTP MAILFROM command, and this kind of spoofing email passes SPF verification,
- (5) the victim receives a convincingly realistic yet forged email that successfully passes SPF and DMARC authentication.
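The check in step (4) is an IP-against-SPF-record match, so a domain owner can audit their own record for the "wide range of IP addresses" condition this attack model relies on before an attacker does. The following auditor is an added example written for this page, not code from the BreakSPF authors; it parses a constructed SPF record offline, flags pass-qualified `ip4`/`ip6` terms wider than assumed prefix thresholds and permissive `all` terms, and notes `include:` terms that need a separate DNS-based audit.

```python
import ipaddress

# Constructed sample record for a hypothetical domain; not a real record.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/24 ip4:203.0.0.0/12 "
              "ip6:2001:db8::/32 include:_spf.example.net ~all")

# Assumed audit thresholds: a pass-qualified range wider than these prefixes
# hands SPF authorization to everyone sharing that address space.
MAX_V4_PREFIX = 16
MAX_V6_PREFIX = 48

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed

def audit_spf(record):
    """Return (findings, total pass-authorized IPv4 addresses) for a record."""
    findings, total_v4 = [], 0
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6") and qualifier == "+":
            net = ipaddress.ip_network(value, strict=False)
            limit = MAX_V4_PREFIX if net.version == 4 else MAX_V6_PREFIX
            if net.version == 4:
                total_v4 += net.num_addresses
            if net.prefixlen < limit:
                findings.append(f"broad {mech} range {net} "
                                f"({net.num_addresses} addresses)")
        elif mech == "all" and qualifier in ("+", "?"):
            findings.append(f"permissive '{qualifier}all' lets any sender pass")
        elif mech == "include":
            findings.append(f"include:{value} needs a DNS lookup; audit separately")
    return findings, total_v4

def ip_authorized(record, sender_ip):
    """True if sender_ip is inside an explicit pass-qualified ip4/ip6 term (no DNS)."""
    addr = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6") and qualifier == "+":
            if addr in ipaddress.ip_network(value, strict=False):
                return True
    return False
```

Run against a real record, `ip_authorized` answers the receiver-side question from step (4) for any address you care about; a `True` result for an address outside infrastructure you control is exactly the misconfiguration this section describes.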