This trend runs counter to the fundamental principle of SPF, which is designed to establish identity authentication based on IP addresses.
A single IP address may be able to send emails on behalf of thousands of domains, exacerbating the risks SPF protocols face. Second, the era of cloud services has lowered the barrier for attackers to obtain IP addresses.
There are many ways for attackers to obtain and use some IP addresses that do not belong to them, such as cloud servers, proxy services, and serverless functions. These challenges have implications for the security of SPF protocols and call for a reevaluation of the current approaches used to authenticate email identities.
1. History
the IP addresses included in the SPF records can be obtained by the attacker.
Previous research focused on analyzing the syntax of SPF records, which is not comprehensive enough to identify SPF records that are actually vulnerable. For example, it is difficult to judge whether an SPF record such as "v=spf1 ip4:107.21.107.7/16 mx -all" is vulnerable by checking the record itself.
However, we found that attackers can obtain an IP address included in this SPF record from Amazon's cloud service, which confirms that this SPF record is vulnerable. This kind of SPF vulnerability is difficult to discover through simple SPF measurements.
We believe the potential systemic security risks in the currently deployed SPF records have been overlooked.
2. Our Study
In this paper, we performed the first systematic analysis of SPF vulnerabilities from the perspective of IP address availability.
We designed an attack framework called BreakSPF that utilizes IP addresses from shared infrastructure to exploit overly permissive SPF configuration vulnerabilities.
With the BreakSPF framework, attackers can perform email spoofing attacks using any IP address sourced from public shared infrastructures. Such an attack can circumvent the protections of existing email authentication chains.
To build the BreakSPF framework, we have solved the following challenges:
(i) How can a large pool of usable IP addresses be gathered to carry out BreakSPF attacks?
To amass a substantial number of IP addresses for the BreakSPF attack framework, we surveyed shared infrastructures where attackers can obtain IP addresses and categorized them into five types, including cloud servers, proxy services, serverless functions, CI/CD platforms, and CDN services.
(ii) How do we utilize these shared IP addresses to launch email spoofing attacks?
We proposed a novel cross-protocol email spoofing attack technique, incorporating CDN services and HTTP proxy services into the BreakSPF attack framework. It leverages the similarities between the HTTP and SMTP protocols and the robustness of email servers, since email servers will interpret HTTP request headers as illegal SMTP commands. Attackers can send crafted HTTP packets to make HTTP proxy services and CDN services act as attack nodes, forwarding spoofed emails to the victim's email server. This technique expands the types of shared infrastructure that BreakSPF can utilize.
(iii) How to accurately and efficiently find vulnerable SPF records affected by a particular IP address?
First, intricate dependencies between domains, as well as between domains and IP addresses, pervade the SPF ecosystem. To pinpoint all vulnerable domains affected by an attacker-controlled IP address, we need to recursively gather the SPF records of all domains and construct complete SPF dependency trees.
This enables mapping each IP address to the relevant ancestor domain nodes in the tree. Second, since the experiment involves millions of domain names and our access to some IP addresses is time-restricted, we must condense the search space and optimize search efficiency. To quickly retrieve vulnerable domains, we developed an algorithm to parse, store, and query SPF records. We used the algorithm to parse the SPF records of all tested domains, and we constructed an SPF reverse database mapping IP addresses to the relevant domains with the SPF dependency tree.
With our query algorithm for the SPF reverse database, we can quickly retrieve all vulnerable domains impacted by a given IP address.
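As an added illustration of the SPF dependency tree and reverse database described above (example code written for this page, not the BreakSPF authors' tooling), the following Python walks include:/redirect= chains over a constructed, offline DNS table, builds a reverse index from authorized networks to the domains that trust them, and flags networks broad enough to span shared infrastructure, such as the /16 in the sample record from section 1. The DNS_TXT table, the domain names in it and the size thresholds in overly_broad are assumptions for the example; a live deployment would resolve a, mx and include terms against real DNS.

```python
"""Build an SPF dependency walk and a reverse index (network -> trusting domains)."""
import ipaddress
from collections import defaultdict

# Constructed DNS TXT data for the example (not real records). The first entry
# mirrors the shape of the overly broad /16 record discussed in the text.
DNS_TXT = {
    "example.com": "v=spf1 ip4:107.21.107.7/16 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "shop.example": "v=spf1 include:_spf.mailer.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        eq, colon = term.find("="), term.find(":")
        if eq != -1 and (colon == -1 or eq < colon):  # modifier, e.g. redirect=
            name, _, value = term.partition("=")
        else:  # mechanism, e.g. ip4:..., include:..., mx, -all
            name, _, value = term.partition(":")
        mech = name.split("/")[0].lower()  # drop dual-CIDR suffix on a/mx
        parsed.append((qualifier, mech, value))
    return parsed


def collect_networks(domain, dns=DNS_TXT, depth=0, path=frozenset()):
    """Return (networks, unresolved): every network positively authorized by
    `domain` (directly or through include/redirect) and a list of terms that
    cannot be resolved offline or that hit a loop/depth limit."""
    if domain in path or depth > MAX_DEPTH:
        return [], [f"{domain}: include loop or depth limit"]
    record = dns.get(domain)
    if record is None:
        return [], [f"{domain}: no SPF record"]
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [], [f"{domain}: {exc}"]
    nets, unresolved = [], []
    for qualifier, mech, arg in terms:
        if qualifier != "+":
            continue  # only pass-qualified terms authorize senders
        if mech in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
        elif mech in ("include", "redirect"):
            sub_nets, sub_unres = collect_networks(arg, dns, depth + 1, path | {domain})
            nets.extend(sub_nets)
            unresolved.extend(sub_unres)
        elif mech in ("a", "mx", "ptr", "exists"):
            unresolved.append(f"{domain}: {mech}:{arg} needs live DNS")
    return nets, unresolved


def build_reverse_index(dns=DNS_TXT):
    """Reverse database: authorized network -> set of domains whose SPF trusts it."""
    index = defaultdict(set)
    for domain in dns:
        nets, _ = collect_networks(domain, dns)
        for net in nets:
            index[net].add(domain)
    return index


def domains_trusting_ip(ip, index):
    """All domains that would accept `ip` as an authorized sender."""
    addr = ipaddress.ip_address(ip)
    return sorted({d for net, ds in index.items() if addr in net for d in ds})


def overly_broad(index, max_v4_hosts=256, min_v6_prefix=48):
    """Flag authorized networks larger than the (assumed) thresholds; such ranges
    commonly belong to shared infrastructure rather than one mail operator."""
    findings = []
    for net, domains in index.items():
        too_big = (net.version == 4 and net.num_addresses > max_v4_hosts) or (
            net.version == 6 and net.prefixlen < min_v6_prefix)
        if too_big:
            findings.append((str(net), sorted(domains)))
    return sorted(findings)


if __name__ == "__main__":
    idx = build_reverse_index()
    print("trusting 107.21.1.1:", domains_trusting_ip("107.21.1.1", idx))
    print("trusting 198.51.100.9:", domains_trusting_ip("198.51.100.9", idx))
    for net, doms in overly_broad(idx):
        print(f"overly broad {net} trusted by {doms}")
    print("loop check:", collect_networks("loop.example")[1])
```

An administrator can point this at their own domain's record to see every network the include chain ends up trusting, which is the same view the reverse database gives an auditor: a single broad block like 107.21.0.0/16 becomes trusted by every domain that includes the record carrying it.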
3. Key Findings
We collected 87,430 IP addresses from five types of shared infrastructure settings across the Internet and used them to conduct a large-scale BreakSPF experiment based on Tranco top 1 million domains.
We sent several crafted emails to prominent email services to validate attack effectiveness, as shown in Figure 12. The results demonstrated that BreakSPF can bypass SPF and DMARC verification, enabling spoofed emails to enter inboxes of popular email services.
Our experiments uncovered prevalent security risks raised by SPF vulnerabilities. We detected 23,916 vulnerable domain names, with 23 in the top 1,000 (e.g., microsoft.com, qq.com) and 188 in the top 10,000. We also proved centralized SPF dependencies can increase SPF vulnerability impact from the perspectives of providers and individual IPs.
For example, we found four vulnerable email providers that can each impact over 1k domains, and a single IP address that is exploitable for spoofing emails on behalf of over 10k domains. From the experimental results, we find that a small number of IPs are relied upon by a large number of domains, which implies that an attacker needs only a very low cost to conduct large-scale phishing and spoofing attacks.
These findings indicate that the BreakSPF attack model is indeed possible in real life and may have been exploited by attackers.
We responsibly disclosed the above vulnerabilities to the relevant domain administrators via email and vulnerability report platforms like HackerOne. Tencent and Shopee have acknowledged and fixed our reported issues.
We proposed three mitigation strategies, including port management, online detection services, and DMARC reports.
We have developed an online detection tool to assist email administrators in promptly identifying SPF configuration issues. We believe our efforts will help reduce email spoofing, raise SPF configuration awareness, and improve email security overall.