Research article (Open Access)
DOI: 10.1145/3589334.3645499

Unfiltered: Measuring Cloud-based Email Filtering Bypasses

Published: 13 May 2024

ABSTRACT

Email service has increasingly been outsourced to cloud-based providers and so too has the task of filtering such messages for potential threats. Thus, customers will commonly direct that their incoming email is first sent to a third-party email filtering service (e.g., Proofpoint or Barracuda) and only the "clean" messages are then sent on to their email hosting provider (e.g., Gmail or Microsoft Exchange Online). However, this loosely coupled approach can, in theory, be bypassed if the email hosting provider is not configured to only accept messages that arrive from the email filtering service. In this paper we demonstrate that such bypasses are commonly possible. We document a multi-step methodology to infer if an organization has correctly configured its email hosting provider to guard against such scenarios. Then, using an empirical measurement of edu and com domains as a case study, we show that 80% of such organizations making use of popular cloud-based email filtering services can be bypassed in this manner. We also discuss reasons that lead to such misconfigurations and outline challenges in hardening the binding between email filtering and hosting providers.
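The bypass the abstract describes hinges on two facts: the domain's MX points at a filtering service, and the mailbox host behind it can still be reached at a hostname the sender can guess. The following is an added example, not code from the paper or from any of the vendors named above. It (1) classifies a domain's MX set as filter-fronted or not, using hostname suffixes that follow the services' public naming conventions but are assumptions here, (2) derives the hosting provider's direct-delivery hostname (for Microsoft 365 the documented dots-to-dashes convention, for Google Workspace the fixed primary MX), and (3) runs an SMTP probe that stops before DATA, so no message is delivered, against an injected transport. The MX data, the `fake_host` stand-in and the `probe.example.net` sender are constructed; a real check would replace the transport with a socket to the endpoint and should only be run against domains you are authorised to test.

```python
"""Added example: detect a third-party filter in front of a cloud mailbox host and
probe whether that host accepts mail which skips the filter."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample MX data for three hypothetical domains (not measured data).
SAMPLE_MX: Dict[str, List[str]] = {
    "example.com": ["mxa-0012abcd.gslb.pphosted.com", "mxb-0012abcd.gslb.pphosted.com"],
    "example.edu": ["example-edu.mail.protection.outlook.com"],
    "example.org": ["aspmx.l.google.com", "alt1.aspmx.l.google.com"],
}

# Hostname suffixes used to recognise filtering and hosting services (assumptions).
FILTER_PATTERNS = {
    "proofpoint": re.compile(r"\.pphosted\.com$"),
    "barracuda": re.compile(r"\.barracudanetworks\.com$"),
    "mimecast": re.compile(r"\.mimecast\.com$"),
}
HOST_PATTERNS = {
    "m365": re.compile(r"\.mail\.protection\.outlook\.com$"),
    "google": re.compile(r"(^|\.)aspmx\.l\.google\.com$"),
}

Transport = Callable[[Optional[str]], str]  # transport(None) -> banner, transport(cmd) -> reply


def classify_mx(mx_hosts: List[str]) -> Dict[str, Optional[str]]:
    """Return {'filter': name|None, 'host': name|None} for a domain's MX set."""
    result: Dict[str, Optional[str]] = {"filter": None, "host": None}
    for mx in mx_hosts:
        mx = mx.rstrip(".").lower()
        for name, pat in FILTER_PATTERNS.items():
            if pat.search(mx):
                result["filter"] = name
        for name, pat in HOST_PATTERNS.items():
            if pat.search(mx):
                result["host"] = name
    return result


def direct_endpoints(domain: str) -> Dict[str, str]:
    """Hostnames a sender can contact to reach the hosting provider directly, skipping
    the MX.  M365: dots in the domain become dashes; Google: the fixed primary MX."""
    return {
        "m365": domain.lower().replace(".", "-") + ".mail.protection.outlook.com",
        "google": "aspmx.l.google.com",
    }


def probe_direct_acceptance(endpoint: str, recipient: str, transport: Transport) -> Dict:
    """EHLO / MAIL FROM / RCPT TO against `endpoint`, then QUIT without DATA.
    'bypassable' is True on a 2xx to RCPT, False on a 5xx, None if undetermined."""
    transcript: List[tuple] = []

    def step(cmd: Optional[str]) -> str:
        reply = transport(cmd)
        transcript.append((cmd, reply))
        return reply

    verdict: Optional[bool] = None
    reason = "ok"
    if not step(None).startswith("220"):
        reason = "no SMTP banner"
    elif not step("EHLO probe.example.net").startswith("250"):
        reason = "EHLO rejected"
    elif not step("MAIL FROM:<probe@example.net>").startswith("250"):
        reason = "MAIL FROM rejected"
    else:
        code = step(f"RCPT TO:<{recipient}>")[:1]
        if code == "2":
            verdict = True
        elif code == "5":
            verdict = False
        else:
            reason = "temporary failure, retry later"  # 4xx: greylisting or throttling
    step("QUIT")
    return {"endpoint": endpoint, "bypassable": verdict, "reason": reason, "transcript": transcript}


def fake_host(accept_rcpt: bool) -> Transport:
    """Constructed stand-in for a hosting provider's MTA.  With accept_rcpt=False it
    behaves like a host locked to the filter's IP ranges, refusing at RCPT TO."""
    def transport(cmd: Optional[str]) -> str:
        if cmd is None:
            return "220 host ESMTP ready"
        verb = cmd.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            return "250 host"
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return "250 2.1.5 Recipient OK" if accept_rcpt else "550 5.7.1 Access denied"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"
    return transport


def assess(domain: str, mx_hosts: List[str], transports: Dict[str, Transport]) -> Dict:
    """Only a filter-fronted domain is worth probing.  The probe targets postmaster@,
    a mailbox RFC 5321 requires every domain to accept, so a 5xx reflects the host's
    connection policy rather than an unknown recipient."""
    cls = classify_mx(mx_hosts)
    if cls["filter"] is None:
        return {"domain": domain, "filter": None, "probes": []}
    probes = [probe_direct_acceptance(ep, f"postmaster@{domain}", transports[provider])
              for provider, ep in direct_endpoints(domain).items() if provider in transports]
    return {"domain": domain, "filter": cls["filter"], "probes": probes}


if __name__ == "__main__":
    for dom, mx in SAMPLE_MX.items():
        report = assess(dom, mx, {"m365": fake_host(True), "google": fake_host(False)})
        print(dom, report["filter"], [(p["endpoint"], p["bypassable"]) for p in report["probes"]])
```

Two caveats a practitioner should keep in mind. A 5xx at RCPT only proves the host refused this connection; probing a recipient that does not exist would produce the same code from directory-based recipient validation, which is why the example uses postmaster@. And a 2xx at RCPT is the finding the paper is measuring: the hosting provider will take mail that never passed through the filter, and the remedy is on the hosting side (restricting inbound delivery to the filtering service's IP ranges), not on the MX record.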


Supplemental Material: rfp1142.mp4 (supplemental video, mp4, 28 MB)


Published in: WWW '24: Proceedings of the ACM on Web Conference 2024, May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334
Copyright © 2024 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License.
Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rate: 1,899 of 8,196 submissions (23%)