B. Cross-protocol Email Spoofing Attack

We propose a novel cross-protocol email spoofing attack to expand the pool of IP addresses that can be used for BreakSPF attacks.

This cross-protocol email spoofing attack utilizes HTTP services that offer HTTP forwarding functionality, such as HTTP proxy services and CDN services, to send email packets.

The cross-protocol email spoofing attack leverages the similarities between the HTTP and SMTP protocols, as well as the fault tolerance of email servers.

First, HTTP and SMTP are pure text-based protocols with similar structures, as illustrated in Figure 4. The data structures of HTTP and SMTP both consist of header and body sections, and their header fields are composed in a similar format, i.e., <header name>:<data>. The Multipurpose Internet Mail Extensions (MIME) protocol [19], initially designed for transmitting various email data formats, is also widely used for data transmission in the HTTP protocol.

Second, the communication processing logic of the email server is highly robust, which allows it to receive and ignore unidentified SMTP commands. Due to the aforementioned factors, an attacker can perform email spoofing attacks by sending an HTTP request that embeds email messages to a targeted email server.

In our analysis, we identify three types of cross-protocol email spoofing techniques, including SMTP Embedded as HTTP Body (A1), SMTP Embedded as HTTP Request (A2), and SMTP Embedded as HTTP Header (A3).

Attackers can send spoofing emails embedded in HTTP requests (as shown in Figure 5) using HTTP proxies or CDN services.

In the A1 attack, we embed the entire data of SMTP communication as the HTTP body. Such HTTP packets conform to the rules of HTTP syntax and are not rejected by HTTP services. This technique requires the SMTP service to tolerate many SMTP command errors.

In the A2 attack, we integrate SMTP commands and MIME headers into the HTTP headers to reduce the occurrence of SMTP command errors. However, due to significant differences between the HELO command, DATA command, and HTTP header fields, certain HTTP proxies and CDN services may consider this kind of packet an incorrect data format and terminate the transmission.

The A3 attack optimizes the A2 attack by embedding SMTP commands and MIME headers into a single HTTP header. Based on the HTTP protocol [20], HTTP services utilize CRLF (Carriage Return Line Feed, “\r\n”) as the end-of-line marker. However, most SMTP services support both “\n” and “\r\n” as line break characters. We leverage the inconsistency in line break interpretation between HTTP and SMTP services to construct this attack, bypassing defense strategies implemented by some proxy services against A2 attacks.

In the BreakSPF attack model, attackers utilize cross-protocol attack techniques to control CDN services and HTTP proxy services to launch email spoofing attacks.

Since most CDN services support arbitrary origin servers and port configurations, we can configure the CDN’s origin server as the MX record of the target email service and the origin port as 25.

We only need to send a crafted POST request to the domain name configured with the CDN, and the CDN will automatically forward this request to the target email service.

Although such emails will contain some HTTP headers, they can still be accepted by email servers due to their inherent tolerance. For HTTP proxy services, attackers need to modify the HTTP request line and Host header based on the type of HTTP proxy.
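The tolerance described above (accepting a session that opens with an HTTP request line, HTTP header fields sent as SMTP commands, or LF-separated commands packed into one header) is what a receiving MX can check for. The following is an added example written for this page, not code from the paper: a small inspector for the command phase of an inbound SMTP session that flags the A1, A2 and A3 shapes and applies a strict unknown-command budget. The regex names, the finding labels and the three sample sessions are this example's own constructions.

```python
import re

# Regexes for the HTTP artefacts an MX would see when an HTTP forwarder relays
# a request to port 25 (names are this example's own, not the paper's).
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|CONNECT) \S+ HTTP/\d\.\d$")
HTTP_HEADER_FIELD = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:")   # "<name>:<data>" with no space before ':'
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
              b"QUIT", b"STARTTLS", b"AUTH", b"VRFY", b"HELP"}

def inspect_session(raw: bytes, max_unknown: int = 0) -> dict:
    """Inspect the command phase of an inbound SMTP session (everything up to DATA).

    Returns the HTTP-shaped findings, the number of unknown commands and whether a
    strict server (one that does not tolerate unknown commands) should reject it.
    """
    findings, unknown = set(), 0
    lines = raw.split(b"\r\n")              # RFC 5321 line ending; a bare LF is NOT a line break here
    if lines and HTTP_REQUEST_LINE.match(lines[0]):
        findings.add("http-request-line")   # A1/A2: session opens with "POST / HTTP/1.1"
    for line in lines:
        if not line:
            continue                        # blank line ends an HTTP header block; harmless in SMTP
        if b"\n" in line:
            findings.add("bare-lf-in-line") # A3: LF-separated SMTP commands packed into one header
        verb = line.split(b" ", 1)[0].split(b":", 1)[0].upper()
        if verb in SMTP_VERBS:
            if verb == b"DATA":
                break                       # message content follows; HTTP headers there are just body text
            continue
        unknown += 1
        if HTTP_HEADER_FIELD.match(line):
            findings.add("http-header-before-data")  # A2: Host:, Content-Length:, ... sent as commands
    reject = bool(findings) or unknown > max_unknown
    return {"findings": sorted(findings), "unknown_commands": unknown, "reject": reject}

# Constructed samples (not captured traffic): a plain session, and what an MX receives
# when an HTTP forwarder relays an A1-style request and an A3-style request.
CLEAN = b"EHLO client.example\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n"
A1_STYLE = (b"POST / HTTP/1.1\r\nHost: mx.example.test\r\nContent-Length: 120\r\n\r\n"
            b"EHLO a.example\r\nMAIL FROM:<x@a.example>\r\nRCPT TO:<y@b.example>\r\nDATA\r\n")
A3_STYLE = (b"POST / HTTP/1.1\r\nHost: mx.example.test\r\n"
            b"X-Relay: EHLO a.example\nMAIL FROM:<x@a.example>\nRCPT TO:<y@b.example>\nDATA\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("A1", A1_STYLE), ("A3", A3_STYLE)):
        print(name, inspect_session(sample))
```

Setting `max_unknown` to 0 rejects on the first unrecognized command, which removes the tolerance the A1 technique depends on; the HTTP-shaped findings cause rejection regardless of that budget.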

Experiment results about cross-protocol attacks will be discussed in Section VI.


MoinQ: SPF/BREAKSPF/Attack/B (last edited 2024-02-24 04:00:49 by ToshinoriMaeno)