research-article

Security by Any Other Name: On the Effectiveness of Provider Based Email Security

Authors:

Kirill LevchenkoAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 450 - 464

https://doi.org/10.1145/2810103.2813607

Published: 12 October 2015 Publication History

Get Access

Abstract

Email as we use it today makes no guarantees about message integrity, authenticity, or confidentiality. Users must explicitly encrypt and sign message contents using tools like PGP if they wish to protect themselves against message tampering, forgery, or eavesdropping. However, few do, leaving the vast majority of users open to such attacks. Fortunately, transport-layer security mechanisms (available as extensions to SMTP, IMAP, POP3) provide some degree of protection against network-based eavesdropping attacks. At the same time, DKIM and SPF protect against network-based message forgery and tampering. In this work we evaluate the security provided by these protocols, both in theory and in practice. Using a combination of measurement techniques, we determine whether major providers supports TLS at each point in their email message path, and whether they support SPF and DKIM on incoming and outgoing mail. We found that while more than half of the top 20,000 receiving MTAs supported TLS, and support for TLS is increasing, servers do not check certificates, opening the Internet email system up to man-in-the-middle eavesdropping attacks. At the same time, while use of SPF is common, enforcement is limited. Moreover, few of the senders we examined used DKIM, and fewer still rejected invalid DKIM signatures. Our findings show that the global email system provides some protection against passive eavesdropping, limited protection against unprivileged peer message forgery, and no protection against active network-based attacks. We observe that protection even against the latter is possible using existing protocols with proper enforcement.

References

[1]

Google encrypts data amid backlash against NSA spying. The Washington Post, Sept. 2013.

Google Scholar

[2]

M. Adkins. The Current State of SMTP STARTTLS Deployment. https://www.facebook.com/notes/1453015901605223, May 2014.

Google Scholar

[3]

Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman. Neither Snow Nor Rain Nor MITMdots\ An Empirical Analysis of Mail Delivery Security. In Proceedings of the 2015 Internet Measurement Conference (IMC), 2015.

Digital Library

Google Scholar

[4]

B. Gellman and A. Soltani. NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say. The Washington Post, Oct. 2013.

Google Scholar

[5]

S. Goldberg. Why is it taking so long to secure Internet routing? Communications of the ACM, 57(10):56--63, 2014.

Digital Library

Google Scholar

[6]

B. Taylor. Fighting phishing with eBay and PayPal. http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html, July 2008.

Google Scholar

Cited By

View all

Rao SLiu EHo GVoelker GSavage SChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Unfiltered: Measuring Cloud-based Email Filtering BypassesProceedings of the ACM on Web Conference 202410.1145/3589334.3645499(1702-1711)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645499
Li RZhang ZShao JLu RJia XWei G(2024)The Potential Harm of Email Delivery: Investigating the HTTPS Configurations of Webmail ServicesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.324660021:1(125-138)Online publication date: Jan-2024
https://doi.org/10.1109/TDSC.2023.3246600
Varshney GKumawat RVaradharajan VTupakula UGupta C(2024)Anti-phishing: A comprehensive perspectiveExpert Systems with Applications10.1016/j.eswa.2023.122199238(122199)Online publication date: Mar-2024
https://doi.org/10.1016/j.eswa.2023.122199
Show More Cited By

Index Terms

Security by Any Other Name: On the Effectiveness of Provider Based Email Security
1. Information systems
  1. World Wide Web
    1. Web applications
      1. Internet communications tools
        Email
2. Networks
  1. Network protocols
    1. Application layer protocols

Recommendations

Measuring email sender validation in the wild
CoNEXT '21: Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

Email is a critical Internet application, and its security is important. The Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) were developed to enable mail ...
The Evolution of DNS-based Email Authentication: Measuring Adoption and Finding Flaws
RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses

Email is still one of the most common ways of communication in our digital world, the underlying Simple Mail Transport Protocol (SMTP) is crucial for our information society. Back when SMTP was developed, security goals for the exchanged messages did ...
Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security
IMC '15: Proceedings of the 2015 Internet Measurement Conference

The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global ...

Comments

Information & Contributors

Information

Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
1,282
Total Downloads

Downloads (Last 12 months)87
Downloads (Last 6 weeks)11

Reflects downloads up to 10 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Rao SLiu EHo GVoelker GSavage SChua TNgo CKa-Wei Lee RKumar RLauw H(2024)Unfiltered: Measuring Cloud-based Email Filtering BypassesProceedings of the ACM on Web Conference 202410.1145/3589334.3645499(1702-1711)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645499
Li RZhang ZShao JLu RJia XWei G(2024)The Potential Harm of Email Delivery: Investigating the HTTPS Configurations of Webmail ServicesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.324660021:1(125-138)Online publication date: Jan-2024
https://doi.org/10.1109/TDSC.2023.3246600
Varshney GKumawat RVaradharajan VTupakula UGupta C(2024)Anti-phishing: A comprehensive perspectiveExpert Systems with Applications10.1016/j.eswa.2023.122199238(122199)Online publication date: Mar-2024
https://doi.org/10.1016/j.eswa.2023.122199
Blechschmidt BStock BCalandrino JTroncoso C(2023)Extended hell(o)Proceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620511(4895-4912)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620511
Altulaihan EAlismail AHafizur Rahman MIbrahim A(2023)Email Security Issues, Tools, and Techniques Used in InvestigationSustainability10.3390/su15131061215:13(10612)Online publication date: 5-Jul-2023
https://doi.org/10.3390/su151310612
BEŞTAŞ M(2023)Elektronik Posta Sistemine Üçüncü Taraf Güveni Gerektirmeyen Bir Çözüm ÖnerisiA Solution Proposal That Does Not Require Third-Party Trust in the Registered Email Systemİnsan ve Toplum Bilimleri Araştırmaları Dergisi10.15869/itobiad.116854712:1(393-418)Online publication date: 31-Mar-2023
https://doi.org/10.15869/itobiad.1168547
Czybik SHorlboge MRieck KMontpetit MLeivadeas AUhlig SJaved M(2023)Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the WildProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624827(344-355)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624827
Al-Karaki JOmar MGawanmeh AJones A(2023)Advancing CyberSecurity Education and Training: Practical Case Study of Running Capture the Flag (CTF) on the Metaverse vs. Physical Settings2023 International Conference on Intelligent Metaverse Technologies & Applications (iMETA)10.1109/iMETA59369.2023.10294722(1-7)Online publication date: 18-Sep-2023
https://doi.org/10.1109/iMETA59369.2023.10294722
Zhang HMi DChen LLiu MShi YXue Z(2023)Subdomain Protection is Needed: An SPF and DMARC-Based Empirical Measurement Study and Proactive Solution of Email Security2023 42nd International Symposium on Reliable Distributed Systems (SRDS)10.1109/SRDS60354.2023.00023(140-150)Online publication date: 25-Sep-2023
https://doi.org/10.1109/SRDS60354.2023.00023
Zhang HChen LLiu MShi YWu SXue Z(2023)Both Sides Needed: A Two-Dimensional Measurement Study of Email Security Based on SPF and DMARC2023 19th International Conference on Mobility, Sensing and Networking (MSN)10.1109/MSN60784.2023.00126(855-861)Online publication date: 14-Dec-2023
https://doi.org/10.1109/MSN60784.2023.00126
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Measuring email sender validation in the wild

The Evolution of DNS-based Email Authentication: Measuring Adoption and Finding Flaws

Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Measuring email sender validation in the wild

The Evolution of DNS-based Email Authentication: Measuring Adoption and Finding Flaws

Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations