About that DMARC "exploit"


A security researcher has identified a rendering flaw that allows for “perfect” phishing emails. From his website:

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. Mailsploit website

While this is a bit of a problem it’s mostly a problem with the email client (MUA) not the email servers involved.
The short version is that an attacker creates an email address in a domain they own. The address includes a null value encrypted in the local part of the email address. When the email client get a hold of the address it displays the address up to the null value and drops everything after that.
For example

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

Decodes to

From: potus@whitehouse.gov\0(potus@whitehouse.gov)@mailsploit.com

Due to a rendering issue different systems end up displaying simply From: potus@whitehouse.gov.
Mail displayed on clients vulnerable to this exploit will be DMARC authenticated for a domain that is different than the domain displayed to the user.
The big problem here is in the email client and how they display to the user. While this is creative, it’s not that much different than using “POTUS <spammer@spamdomain.invalid>”. Display names are a problem, but they’re a problem that has to be addressed by individual mail clients. The choice to display only the comment is a problem.
Maybe this exploit will motivate email client maintainers to rethink their decisions on what to display to users. Their current choices and implementations are vulnerable and need to be improved.

About the author

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

By laura

Recent Posts


Follow Us