Han Zhang,Libo Chen,Ming Liu,Yong Shi,Songyang Wu,Zhi Xue

DOI: https://doi.org/10.1109/msn60784.2023.00126

2023-01-01

Abstract:As important email authentication protocols, SPF and DMARC can effectively reduce the risk of spoofing and improve the security of email systems. In this paper, we perform, for the first time, a comprehensive and integrated measurement of the state of SPF and DMARC adoption on the Alexa Top Million Domains in 2023, both in two dimensions with email sending and receiving. We provide a detailed analysis and comparison of the results. Our measurement shows that the number of domains configured with SPF and DMARC records is increasing while the number of invalid records is also growing. Among domains with email sending/receiving capabilities, approximately 27% of domain mail servers cannot verify the SPF and DMARC of received emails. Email security must be achieved on both the sending and receiving sides. We recommend that all domain administrators pay more attention to the systemic issues of SPF and DMARC deployments.

Chuhan Wang,Kaiwen Shen,Minglei Guo,Yuxuan Zhao,Mingming Zhang,Jianjun Chen,Baojun Liu,Xiaofeng Zheng,Haixin Duan,Yanzhong Lin,Qingfeng Pan

2022-01-01

Abstract:DomainKeys Identified Mail (DKIM) is an email authentication protocol to protect the integrity of email contents. It has been proposed and standardized for over a decade and adopted by Yahoo!, Google, and other leading email service providers. However, little has been done to understand the adoption rate and potential security issues of DKIM due to the challenges of measuring DKIM deployment at scale. In this paper, we provide a large-scale and longitudinal measurement study on how well DKIM is deployed and managed. Our study was made possible by a broad collection of datasets, including 9 5 million DKIM records from passive DNS datasets over five years and 460 million DKIM signatures from real-world email headers. Moreover, we conduct an active measurement on Alexa Top 1 million domains. Our measurement results show that 28.1% of Alexa Top 1 million domains have enabled DKIM, of which 2.9% are misconfigured. We demonstrate that the issues of DKIM key management and DKIM signatures are prevalent in the real world, even for well-known email providers (e.g., Gmail and Mail.ru). We recommend the security community should pay more attention to the systemic problems of DKIM deployment and mitigate these issues from the perspective of protocol design.

Kaiwen Shen,Chuhan Wang,Minglei Guo,Xiaofeng Zheng,Chaoyi Lu,Baojun Liu,Yuxuan Zhao,Shuang Hao,Haixin Duan,Qingfeng Pan,Min Yang

DOI: https://doi.org/10.48550/arXiv.2011.08420

2020-11-17

Abstract:As a fundamental communicative service, email is playing an important role in both individual and corporate communications, which also makes it one of the most frequently attack vectors. An email's authenticity is based on an authentication chain involving multiple protocols, roles and services, the inconsistency among which creates security threats. Thus, it depends on the weakest link of the chain, as any failed part can break the whole chain-based defense. This paper systematically analyzes the transmission of an email and identifies a series of new attacks capable of bypassing SPF, DKIM, DMARC and user-interface protections. In particular, by conducting a "cocktail" joint attack, more realistic emails can be forged to penetrate the celebrated email services, such as Gmail and Outlook. We conduct a large-scale experiment on 30 popular email services and 23 email clients, and find that all of them are vulnerable to certain types of new attacks. We have duly reported the identified vulnerabilities to the related email service providers, and received positive responses from 11 of them, including Gmail, Yahoo, iCloud and Alibaba. Furthermore, we propose key mitigating measures to defend against the new attacks. Therefore, this work is of great value for identifying email spoofing attacks and improving the email ecosystem's overall security.

Cryptography and Security

Chuhan Wang,Yasuhiro Kuranaga,Yihang Wang,Mingming Zhang,Linkai Zheng,Xiang Li,Jianjun Chen,Haixin Duan,Yanzhong Lin,Qingfeng Pan

DOI: https://doi.org/10.14722/ndss.2024.23113

2024-01-01

Abstract:Email spoofing attacks pose a severe threat to email systems by forging the sender's address to deceive email recipients.Sender Policy Framework (SPF), an email authentication protocol that verifies senders by their IP addresses, is critical for preventing email spoofing attacks.However, attackers can bypass SPF validation and launch convincing spoofing attacks that evade email authentication.This paper proposes BreakSPF, a novel attack framework that bypasses SPF validation to enable email spoofing.Attackers can actively target domains with permissive SPF configurations by utilizing cloud services, proxies, and content delivery networks (CDNs) with shared IP pools.We leverage BreakSPF to conduct a large-scale experiment evaluating the security of SPF deployment across Tranco top 1 million domain names.We uncover that 23,916 domains are vulnerable to BreakSPF attacks, including 23 domains that rank within the top 1,000 most popular domains.The results underscore the widespread SPF configuration vulnerabilities and their potential to undermine the security of email systems.Our study provides valuable insights for detecting and mitigating SPF vulnerabilities and strengthening email system security overall.

Sibi Chakkaravarthy Sethuraman,Devi Priya V S,Tarun Reddi,Mulka Sai Tharun Reddy,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.cose.2023.103600

IF: 5.105

2024-02-01

Computers & Security

Abstract:Attackers are becoming more skilled in recent years, using sophisticated technology to produce look-alike emails that make it difficult to distinguish between real and fake ones. Most false emails can be detected, but certain undiscovered ones can be dangerous and compromise security. The attacker compromises SMTP to launch an email spoofing attack. This is not difficult given that it was designed without any security safeguards. Spoofers typically exploit the various fields in email headers. By taking advantage of loopholes in email security systems, attackers can create an ideal spoofing mail. As a result, it appears as a reliable source and succeeds in phishing attempts. An in-depth analysis of the email process, its protocols, and authentication mechanisms along with the security measures and adoption rates that led to a variety of spoofing attacks has been examined in our work. Our experiments on renowned mail service suppliers observed that some of them are still vulnerable to associated flaws. Further, we analyzed how different aspects such as age and education, determine whether or not a message is spoofed, and how malware uses email as a command and control to compromise the victim's device and seize control of it. Further, it offers a multitude of mitigation strategies against spoofing attempts that aid aspirants in future research.

computer science, information systems

Simon Fernandez,Maciej Korczyński,Andrzej Duda

DOI: https://doi.org/10.1007/978-3-030-98785-5_2

2022-05-04

Abstract:Spam domains are sources of unsolicited mails and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: as soon as the spam mails are sent, taking down the domain or blacklisting it is of relative use, as spammers have to register a new domain for their next campaign. To prevent malicious actors from sending mails, we need to detect them as fast as possible and, ideally, even before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular, the configuration of the Sender Policy Framework, an anti-spoofing protocol for domain names and the first line of defense against devastating Business Email Compromise scams. Because spammers and benign domains have different SPF rules and different traffic profiles, we build a new method to detect spam domains using features collected from passive DNS traffic. Using the SPF configuration and the traffic to the TXT records of a domain, we accurately detect a significant proportion of spam domains with a low false positives rate demonstrating its potential in real-world deployments. Our classification scheme can detect spam domains before they send any mail, using only a single DNS query and later on, it can refine its classification by monitoring more traffic to the domain name.

Cryptography and Security

Fenglu Zhang,Yunyi Zhang,Baojun Liu,Eihal Alowaisheq,Lingyun Ying,Xiang Li,Zaifeng Zhang,Ying Liu,Haixin Duan,Min Zhang

DOI: https://doi.org/10.1145/3618257.3624839

2023-01-01

Abstract:Leveraging DNS for covert communications is appealing since most networks allow DNS traffic, especially the ones directed toward renowned DNS hosting services. Unfortunately, most DNS hosting services overlook domain ownership verification, enabling miscreants to host undelegated DNS records of a domain they do not own. Consequently, miscreants can conduct covert communication through such undelegated records for whitelisted domains on reputable hosting providers. In this paper, we shed light on the emerging threat posed by undelegated records and demonstrate their exploitation in the wild. To the best of our knowledge, this security risk has not been studied before. We conducted a comprehensive measurement to reveal the prevalence of the risk. In total, we observed 1,580,925 unique undelegated records that are potentially abused. We further observed that a considerable portion of these records are associated with malicious behaviors. By utilizing threat intelligence and malicious traffic collected by malware sandbox, we extracted malicious IP addresses from 25.41% of these records, spanning 1,369 Tranco top 2K domains and 248 DNS hosting providers, including Cloudflare and Amazon. Furthermore, we discovered that the majority of the identified malicious activities are Trojan-related. Moreover, we conducted case studies on two malware families (Dark.IOT and Specter) that exploit undelegated records to obtain C2 servers, in addition to the masquerading SPF records to conceal SMTP-based covert communication. Also, we provided mitigation options for different entities. As a result of our disclosure, several popular hosting providers have taken action to address this issue.

Mingxuan Liu,Yiming Zhang,Baojun Liu,Zhou Li,Haixin Duan,Donghong Sun

DOI: https://doi.org/10.1145/3485832.3488012

2021-01-01

Abstract:Although spearphishing is a well-known security issue and has been widely researched, it is still an evolving threat with emerging forms. In recent years, Short Message Service (SMS) has been revealed as a new distribution channel for spearphishing messages, which already has caused a serious impact in the real world, but has not yet attracted enough attention from the academic community. In this paper, we report the first systemic study to spotlight this emerging threat, SMS spearphishing attack. Through cooperating with a leading security vendor, we obtain 31.96M real-world spam messages that span three months. We design and implement a novel NLP-based detection algorithm, and uncover 90,801 spearphishing messages on the entire dataset. And then, a large-scale measurement was performed on the detected messages to reveal and understand the characteristics of SMS spearphishing attack. Our findings are multi-fold. We discover that SMS spearphishing has a significant negative impact on the real-world, and a large number of victims have been affected. And the distribution of active illicit types between spearphishing message and common spam is quite inconsistent. At the micro-level, to evade detection and increase the probability of success, adversary campaigns have evolved a set of sophisticated strategies. Our research highlights the impact of SMS spearphishing attack is prominent. We call on different communities to work together to mitigate this emerging security threat.

Mingming Zhang,Xiang Li,Baojun Liu,Jianyu Lu,Yiming Zhang,Jianjun Chen,Haixin Duan,Shuang Hao,Xiaofeng Zheng

DOI: https://doi.org/10.1145/3579440

2023-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Public hosting services offer a convenient and secure option for creating web applications. However, adversaries can take over a domain by exploiting released service endpoints, leading to hosting-based domain takeover. This threat has affected numerous popular websites, including the subdomains of microsoft.com. However, no effective detection system for identifying vulnerable domains at scale exists to date. This paper fills the research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. HostingChecker expands detection scope and improves efficiency compared to previous work by: (i) identifying vulnerable hosting services using a semi-automated method; and (ii) detecting vulnerable domains through passive reconstruction of domain dependency chains. The framework enables us to detect the subdomains of Tranco sites on a daily basis. It discovers 10,351 vulnerable subdomains under Tranco Top-1M apex domains, which is over 8× more than previous findings, demonstrating its effectiveness. Furthermore, we conduct an in-depth security analysis on the affected vendors (e.g., Amazon, Alibaba) and gain a suite of new insights, including flawed domain ownership validation implementation. In the end, we have reported the issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation. The full paper is provided in [2].

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Hang Hu,Gang Wang

DOI: https://doi.org/10.48550/arXiv.1801.00853

2018-01-03

Abstract:The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions through end-to-end measurements on 35 popular email providers (used by billions of users), and extensive user studies (N = 913) that consist of both simulated and real-world phishing experiments. We have four key findings. First, most popular email providers have the necessary protocols to detect spoofing, but still allow forged emails to get into user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warnings for users, particularly on mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security cues for unverified emails, which demonstrate a positive impact to reduce risky user actions. Comparing simulated experiments with realistic phishing tests, we observe that the impact of security cue is less significant when users are caught off guard in the real-world setting.

Cryptography and Security

Ziyu Lin,Zhiwei Lin,Run Guo,Jianjun Chen,Mingming Zhang,Ximeng Liu,Tianhao Yang,Zhuoran Cao,Robert H. Deng

2024-09-03

Abstract:Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.

Cryptography and Security

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.

MW Wu,YN Huang,SK Lu,IY Chen,SY Kuo

DOI: https://doi.org/10.1109/prdc.2005.8

2005-01-01

Abstract:As checking spam became part of our daily life, unsolicited bulk e-mails (UBE) have become unmanageable and intolerable. Bulk volume of spam e-mails delivering to mail transfer agents (MTAs) is similar to the effect of denial of services (DDoS) attacks as it dramatically reduces the dependability and efficiency of networking systems and e-mail servers. Spam mails may also be used to carry viruses and worms which could significantly affect the availability of computer systems and networks. There have been many solutions proposed to filter spam in the past. Unfortunately there is no silver bullet to deter spammers and eliminate spam mails. That is, in isolation, each of existing spam protection mechanisms has its own advantages and disadvantages. In this paper, we analyze the shortcomings of existing anti-spam solutions and propose a multi-faceted approach using the spam-resistible mail agent (SRMA), which provides the most advantages and the least disadvantages of existing anti-spam solutions. Our experiments show that the proposed SRMA is immune to existing spambots and the prototype proves to be effective, feasible and deployable.

Daiping Liu,Zhou Li,Kun Du,Haining Wang,Baojun Liu,Haixin Duan

DOI: https://doi.org/10.1145/3133956.3134049

2017-01-01

Abstract:Domain names have been exploited for illicit online activities for decades. In the past, miscreants mostly registered new domains for their attacks. However, the domains registered for malicious purposes can be deterred by existing reputation and blacklisting systems. In response to the arms race, miscreants have recently adopted a new strategy, called domain shadowing, to build their attack infrastructures. Specifically, instead of registering new domains, miscreants are beginning to compromise legitimate ones and spawn malicious subdomains under them. This has rendered almost all existing countermeasures ineffective and fragile because subdomains inherit the trust of their apex domains, and attackers can virtually spawn an infinite number of shadowed domains.

Chaoyi Lu,Baojun Liu,Zhou Li,Shuang Hao,Haixin Duan,Mingming Zhang,Chunying Leng,Ying Liu,Zaifeng Zhang,Jianping Wu

DOI: https://doi.org/10.1145/3355369.3355580

2019-01-01

Abstract:DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.

Yury Zhauniarovich,Issa Khalil,Ting Yu,Marc Dacier

DOI: https://doi.org/10.1145/3191329

2018-05-22

Abstract:Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this paper, we perform such an analysis. In order to achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

Cryptography and Security

Theodore Longtchi,Rosana Montañez Rodriguez,Kora Gwartney,Ekzhin Ear,David P. Azari,Christopher P. Kelley,Shouhuai Xu

2024-08-22

Abstract:Malicious emails including Phishing, Spam, and Scam are one significant class of cyber social engineering attacks. Despite numerous defenses to counter them, the problem remains largely open. The ineffectiveness of current defenses can be attributed to our superficial understanding of the psychological properties that make these attacks successful. This problem motivates us to investigate the psychological sophistication, or sophistication for short, of malicious emails. We propose an innovative framework that accommodates two important and complementary aspects of sophistication, dubbed Psychological Techniques, PTechs, and Psychological Tactics, PTacs. We propose metrics and grading rules for human experts to assess the sophistication of malicious emails via the lens of these PTechs and PTacs. To demonstrate the usefulness of the framework, we conduct a case study based on 1,036 malicious emails assessed by four independent graders. Our results show that malicious emails are psychologically sophisticated, while exhibiting both commonalities and different patterns in terms of their PTechs and PTacs. Results also show that previous studies might have focused on dealing with the less proliferated PTechs such as Persuasion and PTacs such as Reward, rather than the most proliferated PTechs such as Attention Grabbing and Impersonation, and PTacs such as Fit and Form and Familiarity that are identified in this study. We also found among others that social events are widely exploited by attackers in contextualizing their malicious emails. These findings could be leveraged to guide the design of effective defenses against malicious emails.

Cryptography and Security

Wentao Chen,Fuzhou Wang,Matthew Edwards

DOI: https://doi.org/10.48550/arXiv.2210.15043

2022-10-26

Cryptography and Security

Abstract:As a major component of online crime, email-based fraud is a threat that causes substantial economic losses every year. To counteract these scammers, volunteers called scam-baiters play the roles of victims, reply to scammers, and try to waste their time and attention with long and unproductive conversations. To curb email fraud and magnify the effectiveness of scam-baiting, we developed and deployed an expandable scam-baiting mailserver that can conduct scam-baiting activities automatically. We implemented three reply strategies using three different models and conducted a one-month-long experiment during which we elicited 150 messages from 130 different scammers. We compare the performance of each strategy at attracting and holding the attention of scammers, finding tradeoffs between human-written and automatically-generated response strategies, and we release both our platform and a dataset containing conversations between our automatic scam-baiters and real human scammers, to support future work in preventing online fraud.

Yin Xiuzi,Chen Gongliang,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.04.003

2009-01-01

Abstract:In light of the flood of spam e-mails,in this paper the authors analyzed the types and the characteristics of them,and proposed to set up a release-permission-based email authentication system.This solution can authenticate email at the beginning and verify email content before sending it.Therefore,the spam can be controlled initiatively rather than passive defense,and to achieve the goal of clearing away the commercial advertising spam further.Also,the solution is back compatible with standard SMTP,and some functions are designed in plug-ins,so that it can be integrated with existing mail system quite easily.