Han Zhang,Dengke Mi,Libo Chen,Ming Liu,Yong Shi,Zhi Xue

DOI: https://doi.org/10.1109/srds60354.2023.00023

2023-01-01

Abstract:SPF and DMARC are two important email authen-tication protocols that can effectively reduce the risk of spoofing attacks and improve email security. In this paper, we provide an empirical measurement study of how well SPF and DMARC are deployed and managed. We perform an active measurement on the Alexa Top Million Domains and their subdomains. For the first time, we present a measurement of subdomain configuration. SPF and DMARC adoption is growing, but still more than 70% of domains do not have proper configurations. More than 90% of all domains lack subdomain configurations. Through experiments, we show that in the absence of effective SPF and DMARC configurations, domains and subdomains can be used by attackers to send spoofed emails. To address this issue, we provide a complete set of proactive email security defense solutions. We summarize detailed mitigation measures and email security assessment methodologies. We also propose the SPF Macro-based Abnormal Email Detection System (SMAEDS), which enables proactive defense against spoofed email attacks. We recommend that the community pay more attention to the systemic issues of SPF and DMARC deployment. We hope that this work can help improve the security of the email ecosystem and reduce the risk of phishing attacks.

Chuhan Wang,Kaiwen Shen,Minglei Guo,Yuxuan Zhao,Mingming Zhang,Jianjun Chen,Baojun Liu,Xiaofeng Zheng,Haixin Duan,Yanzhong Lin,Qingfeng Pan

2022-01-01

Abstract:DomainKeys Identified Mail (DKIM) is an email authentication protocol to protect the integrity of email contents. It has been proposed and standardized for over a decade and adopted by Yahoo!, Google, and other leading email service providers. However, little has been done to understand the adoption rate and potential security issues of DKIM due to the challenges of measuring DKIM deployment at scale. In this paper, we provide a large-scale and longitudinal measurement study on how well DKIM is deployed and managed. Our study was made possible by a broad collection of datasets, including 9 5 million DKIM records from passive DNS datasets over five years and 460 million DKIM signatures from real-world email headers. Moreover, we conduct an active measurement on Alexa Top 1 million domains. Our measurement results show that 28.1% of Alexa Top 1 million domains have enabled DKIM, of which 2.9% are misconfigured. We demonstrate that the issues of DKIM key management and DKIM signatures are prevalent in the real world, even for well-known email providers (e.g., Gmail and Mail.ru). We recommend the security community should pay more attention to the systemic problems of DKIM deployment and mitigate these issues from the perspective of protocol design.

Kaiwen Shen,Chuhan Wang,Minglei Guo,Xiaofeng Zheng,Chaoyi Lu,Baojun Liu,Yuxuan Zhao,Shuang Hao,Haixin Duan,Qingfeng Pan,Min Yang

DOI: https://doi.org/10.48550/arXiv.2011.08420

2020-11-17

Abstract:As a fundamental communicative service, email is playing an important role in both individual and corporate communications, which also makes it one of the most frequently attack vectors. An email's authenticity is based on an authentication chain involving multiple protocols, roles and services, the inconsistency among which creates security threats. Thus, it depends on the weakest link of the chain, as any failed part can break the whole chain-based defense. This paper systematically analyzes the transmission of an email and identifies a series of new attacks capable of bypassing SPF, DKIM, DMARC and user-interface protections. In particular, by conducting a "cocktail" joint attack, more realistic emails can be forged to penetrate the celebrated email services, such as Gmail and Outlook. We conduct a large-scale experiment on 30 popular email services and 23 email clients, and find that all of them are vulnerable to certain types of new attacks. We have duly reported the identified vulnerabilities to the related email service providers, and received positive responses from 11 of them, including Gmail, Yahoo, iCloud and Alibaba. Furthermore, we propose key mitigating measures to defend against the new attacks. Therefore, this work is of great value for identifying email spoofing attacks and improving the email ecosystem's overall security.

Cryptography and Security

Chuhan Wang,Yasuhiro Kuranaga,Yihang Wang,Mingming Zhang,Linkai Zheng,Xiang Li,Jianjun Chen,Haixin Duan,Yanzhong Lin,Qingfeng Pan

DOI: https://doi.org/10.14722/ndss.2024.23113

2024-01-01

Abstract:Email spoofing attacks pose a severe threat to email systems by forging the sender's address to deceive email recipients.Sender Policy Framework (SPF), an email authentication protocol that verifies senders by their IP addresses, is critical for preventing email spoofing attacks.However, attackers can bypass SPF validation and launch convincing spoofing attacks that evade email authentication.This paper proposes BreakSPF, a novel attack framework that bypasses SPF validation to enable email spoofing.Attackers can actively target domains with permissive SPF configurations by utilizing cloud services, proxies, and content delivery networks (CDNs) with shared IP pools.We leverage BreakSPF to conduct a large-scale experiment evaluating the security of SPF deployment across Tranco top 1 million domain names.We uncover that 23,916 domains are vulnerable to BreakSPF attacks, including 23 domains that rank within the top 1,000 most popular domains.The results underscore the widespread SPF configuration vulnerabilities and their potential to undermine the security of email systems.Our study provides valuable insights for detecting and mitigating SPF vulnerabilities and strengthening email system security overall.

Fenglu Zhang,Yunyi Zhang,Baojun Liu,Eihal Alowaisheq,Lingyun Ying,Xiang Li,Zaifeng Zhang,Ying Liu,Haixin Duan,Min Zhang

DOI: https://doi.org/10.1145/3618257.3624839

2023-01-01

Abstract:Leveraging DNS for covert communications is appealing since most networks allow DNS traffic, especially the ones directed toward renowned DNS hosting services. Unfortunately, most DNS hosting services overlook domain ownership verification, enabling miscreants to host undelegated DNS records of a domain they do not own. Consequently, miscreants can conduct covert communication through such undelegated records for whitelisted domains on reputable hosting providers. In this paper, we shed light on the emerging threat posed by undelegated records and demonstrate their exploitation in the wild. To the best of our knowledge, this security risk has not been studied before. We conducted a comprehensive measurement to reveal the prevalence of the risk. In total, we observed 1,580,925 unique undelegated records that are potentially abused. We further observed that a considerable portion of these records are associated with malicious behaviors. By utilizing threat intelligence and malicious traffic collected by malware sandbox, we extracted malicious IP addresses from 25.41% of these records, spanning 1,369 Tranco top 2K domains and 248 DNS hosting providers, including Cloudflare and Amazon. Furthermore, we discovered that the majority of the identified malicious activities are Trojan-related. Moreover, we conducted case studies on two malware families (Dark.IOT and Specter) that exploit undelegated records to obtain C2 servers, in addition to the masquerading SPF records to conceal SMTP-based covert communication. Also, we provided mitigation options for different entities. As a result of our disclosure, several popular hosting providers have taken action to address this issue.

Simon Fernandez,Maciej Korczyński,Andrzej Duda

DOI: https://doi.org/10.1007/978-3-030-98785-5_2

2022-05-04

Abstract:Spam domains are sources of unsolicited mails and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: as soon as the spam mails are sent, taking down the domain or blacklisting it is of relative use, as spammers have to register a new domain for their next campaign. To prevent malicious actors from sending mails, we need to detect them as fast as possible and, ideally, even before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular, the configuration of the Sender Policy Framework, an anti-spoofing protocol for domain names and the first line of defense against devastating Business Email Compromise scams. Because spammers and benign domains have different SPF rules and different traffic profiles, we build a new method to detect spam domains using features collected from passive DNS traffic. Using the SPF configuration and the traffic to the TXT records of a domain, we accurately detect a significant proportion of spam domains with a low false positives rate demonstrating its potential in real-world deployments. Our classification scheme can detect spam domains before they send any mail, using only a single DNS query and later on, it can refine its classification by monitoring more traffic to the domain name.

Cryptography and Security

Chaoyi Lu,Baojun Liu,Zhou Li,Shuang Hao,Haixin Duan,Mingming Zhang,Chunying Leng,Ying Liu,Zaifeng Zhang,Jianping Wu

DOI: https://doi.org/10.1145/3355369.3355580

2019-01-01

Abstract:DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.

Sibi Chakkaravarthy Sethuraman,Devi Priya V S,Tarun Reddi,Mulka Sai Tharun Reddy,Muhammad Khurram Khan

DOI: https://doi.org/10.1016/j.cose.2023.103600

IF: 5.105

2024-02-01

Computers & Security

Abstract:Attackers are becoming more skilled in recent years, using sophisticated technology to produce look-alike emails that make it difficult to distinguish between real and fake ones. Most false emails can be detected, but certain undiscovered ones can be dangerous and compromise security. The attacker compromises SMTP to launch an email spoofing attack. This is not difficult given that it was designed without any security safeguards. Spoofers typically exploit the various fields in email headers. By taking advantage of loopholes in email security systems, attackers can create an ideal spoofing mail. As a result, it appears as a reliable source and succeeds in phishing attempts. An in-depth analysis of the email process, its protocols, and authentication mechanisms along with the security measures and adoption rates that led to a variety of spoofing attacks has been examined in our work. Our experiments on renowned mail service suppliers observed that some of them are still vulnerable to associated flaws. Further, we analyzed how different aspects such as age and education, determine whether or not a message is spoofed, and how malware uses email as a command and control to compromise the victim's device and seize control of it. Further, it offers a multitude of mitigation strategies against spoofing attempts that aid aspirants in future research.

computer science, information systems

Ziyu Lin,Zhiwei Lin,Run Guo,Jianjun Chen,Mingming Zhang,Ximeng Liu,Tianhao Yang,Zhuoran Cao,Robert H. Deng

2024-09-03

Abstract:Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.

Cryptography and Security

Hang Hu,Gang Wang

DOI: https://doi.org/10.48550/arXiv.1801.00853

2018-01-03

Abstract:The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions through end-to-end measurements on 35 popular email providers (used by billions of users), and extensive user studies (N = 913) that consist of both simulated and real-world phishing experiments. We have four key findings. First, most popular email providers have the necessary protocols to detect spoofing, but still allow forged emails to get into user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warnings for users, particularly on mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security cues for unverified emails, which demonstrate a positive impact to reduce risky user actions. Comparing simulated experiments with realistic phishing tests, we observe that the impact of security cue is less significant when users are caught off guard in the real-world setting.

Cryptography and Security

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Mingming Zhang,Xiang Li,Baojun Liu,Jianyu Lu,Yiming Zhang,Jianjun Chen,Haixin Duan,Shuang Hao,Xiaofeng Zheng

DOI: https://doi.org/10.1145/3579440

2023-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Public hosting services offer a convenient and secure option for creating web applications. However, adversaries can take over a domain by exploiting released service endpoints, leading to hosting-based domain takeover. This threat has affected numerous popular websites, including the subdomains of microsoft.com. However, no effective detection system for identifying vulnerable domains at scale exists to date. This paper fills the research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. HostingChecker expands detection scope and improves efficiency compared to previous work by: (i) identifying vulnerable hosting services using a semi-automated method; and (ii) detecting vulnerable domains through passive reconstruction of domain dependency chains. The framework enables us to detect the subdomains of Tranco sites on a daily basis. It discovers 10,351 vulnerable subdomains under Tranco Top-1M apex domains, which is over 8× more than previous findings, demonstrating its effectiveness. Furthermore, we conduct an in-depth security analysis on the affected vendors (e.g., Amazon, Alibaba) and gain a suite of new insights, including flawed domain ownership validation implementation. In the end, we have reported the issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation. The full paper is provided in [2].

Qinwen Hu,Muhammad Rizwan Asghar,Nevil Brownlee

DOI: https://doi.org/10.3233/jcs-200070

2021-02-03

Journal of Computer Security

Abstract:HTTPS refers to an application-specific implementation that runs HyperText Transfer Protocol (HTTP) on top of Secure Socket Layer (SSL) or Transport Layer Security (TLS). HTTPS is used to provide encrypted communication and secure identification of web servers and clients, for different purposes such as online banking and e-commerce. However, many HTTPS vulnerabilities have been disclosed in recent years. Although many studies have pointed out that these vulnerabilities can lead to serious consequences, domain administrators seem to ignore them. In this study, we evaluate the HTTPS security level of Alexa’s top 1 million domains from two perspectives. First, we explore which popular sites are still affected by those well-known security issues. Our results show that less than 0.1% of HTTPS-enabled servers in the measured domains are still vulnerable to known attacks including Rivest Cipher 4 (RC4), Compression Ratio Info-Leak Mass Exploitation (CRIME), Padding Oracle On Downgraded Legacy Encryption (POODLE), Factoring RSA Export Keys (FREAK), Logjam, and Decrypting Rivest–Shamir–Adleman (RSA) using Obsolete and Weakened eNcryption (DROWN). Second, we assess the security level of the digital certificates used by each measured HTTPS domain. Our results highlight that less than 0.52% domains use the expired certificate, 0.42% HTTPS certificates contain different hostnames, and 2.59% HTTPS domains use a self-signed certificate. The domains we investigate in our study cover 5 regions (including ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC) and 61 different categories such as online shopping websites, banking websites, educational websites, and government websites. Although our results show that the problem still exists, we find that changes have been taking place when HTTPS vulnerabilities were discovered. Through this three-year study, we found that more attention has been paid to the use and configuration of HTTPS. For example, more and more domains begin to enable the HTTPS protocol to ensure a secure communication channel between users and websites. From the first measurement, we observed that many domains are still using TLS 1.0 and 1.1, SSL 2.0, and SSL 3.0 protocols to support user clients that use outdated systems. As the previous studies revealed security risks of using these protocols, in the subsequent studies, we found that the majority of domains updated their TLS protocol on time. Our 2020 results suggest that most HTTPS domains use the TLS 1.2 protocol and show that some HTTPS domains are still vulnerable to the existing known attacks. As academics and industry professionals continue to disclose attacks against HTTPS and recommend the secure configuration of HTTPS, we found that the number of vulnerable domain is gradually decreasing every year.

Yao Wang,Mingyi Hu,Bin Li,Bin Yan

DOI: https://doi.org/10.1007/978-3-540-37275-2_66

2006-01-01

Abstract:The Domain Name System (DNS) is the most crucial infrastructure for mapping human-readable host names to the corresponding IP addresses and providing the routing information of Email. Comparing with the top-level domains (TLD) such as the root servers, the local authoritative servers are more vulnerable to device failures and malicious attacks. This paper described the existence condition of authoritative servers and presented a novel domain measurement tool named DNSAuth to collect the information of local authoritative servers automatically. Experiments to the real-life authoritative servers were conducted which highlighting three important aspects: the distribution, the geographic location and their impacts on performance and security. According to five representative attributes, the authoritative servers of China Top100 websites are evaluated and the result shows that only 32% of all the servers act preferably in performance and security.

Ding Wang,Qianchen Gu,Haibo Cheng,Ping Wang

DOI: https://doi.org/10.1145/2897845.2897916

2016-01-01

Abstract:Despite over two decades of continuous efforts, how to design a secure and efficient two-factor authentication scheme remains an open issue. Hundreds of new schemes have wave upon wave been proposed, yet most of them are shortly found unable to achieve some important security goals (e.g., truly two-factor security) and desirable properties (e.g., user anonymity), falling into the unsatisfactory "break-fix-break-fix" cycle. In this vicious cycle, protocol designers often advocate the superiorities of their improved scheme, but do not illustrate (or unconsciously overlooking) the aspects on which their scheme performs poorly.In this paper, we first use a series of "improved schemes" over Xu et al.' s 2009 scheme as case studies to highlight that, if there are no improved measurements, more "improved schemes" generally would not mean more advancements. To figure out why the measurement of existing schemes is invariably insufficient, we further investigate into the state-of-the-art evaluation criteria set (i.e., Madhusudhan-Mittal's set). Besides reporting its ambiguities and redundancies, we propose viable fixes and refinements. To our knowledge, we for the first time show that there are at least seven different attacking scenarios that may lead to the failure of a scheme in achieving truly two-factor security. Finally, we conduct a large-scale comparative evaluation of 26 representative two-factor schemes, and our results outline the request for better measurement when assessing new schemes.

Pouyan Fotouhi Tehrani,Raphael Hiesgen,Teresa Lübeck,Thomas C. Schmidt,Matthias Wählisch

DOI: https://doi.org/10.23919/TMA62044.2024.10559089

2024-07-02

Abstract:Integrity and trust on the web build on X.509 certificates. Misuse or misissuance of these certificates threaten the Web PKI security model, which led to the development of several guarding techniques. In this paper, we study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use. Our measurements comprise 4 million popular domains, for which we explore the existence and consistency of the different extensions. Our findings indicate that CAA is almost exclusively deployed in the absence of DNSSEC, while DNSSEC protected service names tend to not use the DNS for guarding certificates. Even though mainly deployed in a formally correct way, CAA CA-strings tend to not selectively separate CAs, and numerous domains hold certificates beyond the CAA semantic. TLSA records are repeatedly poorly maintained and occasionally occur without DNSSEC.

Cryptography and Security,Networking and Internet Architecture

Zhi Wang,Xin Yang,Du Chen,Han Gao,Meiqi Tian,Yan Jia,Wanpeng Li

2024-11-18

Abstract:To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) to add an extra layer of security against suspicious login attempts. However, since 2FA can sometimes hinder user experience by introducing additional steps, many websites aim to reduce inconvenience by minimizing the frequency of 2FA prompts. One approach to achieve this is by storing the user's ``Remember the Device'' preference in a cookie. As a result, users are only prompted for 2FA when this cookie expires or if they log in from a new device. To understand and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. This framework enables us to analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list. Our analysis and evaluation found three zero-day vulnerabilities on three service providers that could allow an attacker to access a victim's account without possessing the victim's second authentication factor, thereby bypassing 2FA protections entirely. A further investigation found that these vulnerabilities stem from design choices aimed at simplifying 2FA for users but that unintentionally reduce its security effectiveness. We have disclosed these findings to the affected websites and assisted them in mitigating the risks. Based on the insights from this research, we provide practical recommendations for countermeasures to strengthen 2FA security and address these newly identified threats.

Cryptography and Security

Michael Specter,Sunoo Park,Matthew Green

DOI: https://doi.org/10.48550/arXiv.1904.06425

2019-04-13

Abstract:Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that that scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.

Ruixuan Li,Shaodong Xiao,Baojun Liu,Yanzhong Lin,Haixin Duan,Qingfeng Pan,Jianjun Chen,Jia Zhang,Ximeng Liu,Xiuqi Lu,Jun Shao

DOI: https://doi.org/10.1145/3646547.3688425

2024-01-01

Abstract:Abnormal email bounces seriously disrupt user lives and company transactions. Proliferating security protocols and protection strategies have made email delivery increasingly complex. A natural question is how and why email delivery fails in the wild. Filling this knowledge gap requires a representative global email delivery dataset, which is rarely disclosed by email service providers (ESPs). In this paper, we first systematically reveal the scale and root causes of email bounces, and evaluate the email squatting risk in the real world. Through a 15-month passive dataset from a large ESP, we present a unique global view of 298M emails delivered to 3M receiver mail servers in 169 countries. We find that 38M (12.93%) emails fail to be delivered in the first attempt, about one-third of which could be successfully delivered after retrying, while the rest are permanently undeliverable. Delving deeper into bounce reasons, we observe that poor server reputation and network communication quality are significant factors leading to temporary email bounces. In particular, spam blocklists affect many normal email deliveries. The misconfiguration of authentication mechanisms and email address typos result in many permanently undeliverable emails. More seriously, many email addresses with significant residual value can be exploited by squatting attackers. Overall, we call for the community to revisit email delivery failures, especially to improve standards for email bounce reporting and resolution.