By: Andy Sherman on September 29th, 2016
SPF and DKIM are useful, but not a panacea
The following article was written by Eden's own Andy Sherman. It originally appeared on his blog, "My Security Musings."
I received an interesting phishing email today. It was from a business acquaintance and contained a link gussied up to look like an online document. The content and format of the email screamed "suspect me" so I did. A URL lengthener confirmed that the tinyurl.com link went someplace having no connection to me or the acquaintance.
Since my email was hosted on Office365 and his on Google Apps, there was a lot of good header information. His domain used both Sender Policy Framework (SPF, defined by RFC 7208 and RFC 7372) and Domain Key Identified Mail (DKIM, defined RFC 6376) both of which afford protection against spoofing, and Microsoft checks both of those as part of its checks of incoming messages.
Looking at the header it is clear that this message passed through Google's infrastructure and the sender was authenticated to the proper domain within Google mail, since relay IP address matched the SPF record for the domain (which referenced Google's) and the DKIM signature was valid. That lead me to suspect (and I have since confirmed) that this was a case of account compromise by phishing. My guess is that it was the same link disguised as a document that I received.
When SPF and DKIM were first proposed some of us in the field posited that they would be more useful in identifying the good (building whitelists) than in identifying what was bad. I think that this has generally been true. However at the the time spoofing was common and account takeover was rare. The threat landscape has changed since then. While spoofing is still common, so is account takeover, which leads us to a new problem. When an account has been taken over, SPF and DKIM may be very good ensuring that a malicious email gets delivered right to your inbox.
SPAM fighting has always been an arms race, and it continues to be one. Phishers increasingly use compromised email accounts to phish other people. It's great social engineering, since the target knows the (purported) sender, and a list of targets is right there in the compromised email account's contact list. Clearly the way that email security systems use source authentication schemes like SPF and DKIM needs to evolve to better meet this threat. Knowing that the sending domain is authentic is no longer good enough.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.