V. THE DEPLOYMENT STATUS OF SPF
As the BreakSPF attack framework requires a scan of the current deployment status of SPF, we will introduce the deployment status of SPF in this section. Understanding the deployment status of SPF can help us analyze the feasibility and scope of the BreakSPF attack.
VI. SHARED IPS COLLECTION
The BreakSPF attack framework needs sufficient IP addresses to verify the feasibility and effectiveness of the attack.
We collected shared IP pools on the Internet that can be used to launch BreakSPF attacks and categorized them into five types: cloud servers, proxy services, serverless functions, CI/CD platforms, and CDN services.
Overview
By collecting IP addresses from the above five types of services, we obtained a total of 87,430 IP addresses and used these IP addresses to access the Web API provided by our attack framework. The details are shown in Table IV.
VII. BREAKSPF EXPERIMENT RESULTS
A. Overview
SPF vulnerabilities are prevalent on the Internet. Our experiments show that managing SPF records is a challenging task, which potentially leads to prevalent BreakSPF attacks in the wild. According to the results, BreakSPF can affect a total of 23,916 domains, with 23 of them belonging to the top 1,000 domains in the Tranco ranking and 1,653 domains in the top 100,000. We present the top 10 well-known domains influenced by the BreakSPF attack in Table VI, which includes prominent domains like microsoft.com, tencent.com, trendmicro.com
TOP 10 WELL-KNOWN DOMAINS INFLUENCED BY BYPASSSPF ATTACK.
| Domain        | Rank | IP           | Source          |
|---------------|------|--------------|-----------------|
| microsoft.com | 5    | 20.*.*.30    | CI/CD Platforms |
| qq.com        | 11   | 114.*.*.86   | Cloud Servers   |
| csdn.net      | 76   | 114.*.*.86   | Cloud Servers   |
| huanqiu.com   | 110  | 114.*.*.86   | Cloud Servers   |
| godaddy.com   | 142  | 72.*.*.69    | Tor             |
| rednet.cn     | 306  | 114.*.*.86   | Cloud Servers   |
| mama.cn       | 311  | 114.*.*.86   | Cloud Servers   |
| zhihu.com     | 420  | 114.*.*.86   | Cloud Servers   |
| ieee.org      | 523  | 201.*.*.173  | RESIP           |
| ucla.edu      | 610  | 131.*.*.85   | VPN             |
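A defender-side check for the exposure these results measure, as an added example that is not from the paper: it parses a domain's own SPF record and flags pass-qualified ip4/ip6 ranges that are very broad or that overlap shared-service address space. The pool CIDRs, the sample record and the 65,536-address threshold are constructed assumptions; `include:`, `a` and `mx` mechanisms are not resolved here.

```python
import ipaddress

# Constructed sample data: documentation-range CIDRs standing in for the
# published egress ranges of shared services (cloud, CI/CD, proxy, CDN).
SHARED_POOLS = {
    "cloud-servers": ["198.51.100.0/24"],
    "ci-cd": ["203.0.113.64/26"],
}

# Constructed SPF record for illustration only.
SAMPLE = ("v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/22 ip4:10.0.0.0/8 "
          "-ip4:203.0.113.70 ~all")


def spf_networks(record):
    """Return networks authorized by pass-qualified ip4:/ip6: mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets = []
    for term in terms[1:]:
        if term[0] in "-~?":  # fail/softfail/neutral do not authorize a sender
            continue
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            # A bare address is treated as a single host (/32 or /128).
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def audit(record, pools=SHARED_POOLS, max_addresses=65536):
    """List (kind, network, detail) findings for one SPF record."""
    findings = []
    for net in spf_networks(record):
        # Assumed threshold: anything larger than a /16 is worth a review.
        if net.num_addresses > max_addresses:
            findings.append(("broad-range", str(net), net.num_addresses))
        for label, cidrs in pools.items():
            for cidr in cidrs:
                pool = ipaddress.ip_network(cidr)
                if pool.version == net.version and net.overlaps(pool):
                    findings.append(("shared-overlap", str(net), label))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In practice the pool list would be built from the address ranges that providers publish, and the record would be the flattened result of resolving every `include:` chain.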