DOI: 10.1145/3485447.3512228
research-article

Revisiting Email Forwarding Security under the Authenticated Received Chain Protocol

Published: 25 April 2022

    Abstract

    Email authentication protocols such as SPF, DKIM, and DMARC are used to detect spoofing attacks, but they face key challenges in email forwarding scenarios. In 2019, a new protocol, Authenticated Received Chain (ARC), was introduced to let mail forwarding applications preserve authentication records. Two years later, it is still not well understood how ARC is implemented, deployed, and configured in practice. In this paper, we perform an empirical analysis of ARC usage and examine how it affects spoofing detection decisions at popular email providers that support ARC. After analyzing an email dataset of 600K messages, we show that ARC is not yet widely adopted, but it is starting to attract adoption from major email providers (e.g., Gmail, Outlook). Our controlled experiment shows that most email providers’ ARC implementations are correct. However, some email providers (Zoho) have misinterpreted the meaning of ARC results, which can be exploited by spoofing attacks. Finally, we empirically investigate the forwarding-based “Hide My Email” services offered by iOS 15 and Firefox, and show that their implementations break ARC and can be leveraged by attackers to launch more successful spoofing attacks against otherwise well-configured email receivers (e.g., Gmail).

    Cited By

    • (2024) Spoofed Emails: An Analysis of the Issues Hindering a Larger Deployment of DMARC. Passive and Active Measurement. DOI: 10.1007/978-3-031-56249-5_10 (232-261). Online publication date: 11-Mar-2024
    • (2023) The Effectiveness of DKIM and SPF in Strengthening Email Security. 2023 10th International Conference on Future Internet of Things and Cloud (FiCloud). DOI: 10.1109/FiCloud58648.2023.00068 (422-426). Online publication date: 14-Aug-2023
    • (2023) Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P). DOI: 10.1109/EuroSP57164.2023.00030 (373-391). Online publication date: Jul-2023

              Published In

              WWW '22: Proceedings of the ACM Web Conference 2022
              April 2022
              3764 pages
              ISBN: 9781450390965
              DOI: 10.1145/3485447
              Publisher

              Association for Computing Machinery

              New York, NY, United States

              Author Tags

              1. ARC
              2. Email Forwarding Security
              3. Spoofing Attack

              Qualifiers

              • Research-article
              • Research
              • Refereed limited

              Conference

              WWW '22
              WWW '22: The ACM Web Conference 2022
              April 25 - 29, 2022
              Virtual Event, Lyon, France

              Acceptance Rates

              Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
