About that DMARC "exploit"

A security researcher has identified a rendering flaw that allows for “perfect” phishing emails. From his website:

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. Mailsploit website

While this is a bit of a problem, it’s mostly a problem with the email client (MUA), not the email servers involved.
The short version is that an attacker creates an email address in a domain they own. The address includes a null byte encoded (as an RFC 2047 encoded word) in the local part of the email address. When the email client gets hold of the address it displays the address up to the null byte and drops everything after it.
For example:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

decodes to:

From: potus@whitehouse.gov\0(potus@whitehouse.gov)@mailsploit.com

Due to a rendering issue, different systems end up displaying simply “From: potus@whitehouse.gov”.
Mail displayed on clients vulnerable to this exploit will be DMARC authenticated for a domain that is different from the domain displayed to the user.
The big problem here is in the email client and how it displays the address to the user. While this is creative, it’s not that much different from using “POTUS <spammer@spamdomain.invalid>”. Display names are a problem, but they’re a problem that has to be addressed by individual mail clients. The choice to display only the comment is a problem.
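To make the gap between "what is displayed" and "what DMARC evaluated" concrete, here is an added example (my code, not the post's and not the Mailsploit project's) that decodes the encoded words in a From: header with Python's standard library and reports the domain a NUL-truncating client would show next to the addr-spec domain the MTA actually authenticated. The sample headers are constructed from the example above plus an ordinary encoded display name; the truncation rule (stop at the first NUL) is an assumption modelling the vulnerable clients the post describes.

```python
"""Decode an RFC 2047 From: header and flag the NUL-byte truncation trick.

Added example, not code from the original post or from the Mailsploit project.
"""
from email.header import decode_header

# Constructed sample headers: the Mailsploit-style example from the post
# and a benign encoded display name for comparison.
SPOOFED_FROM = (
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?="
    "=?utf-8?Q?=00?="
    "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com"
)
BENIGN_FROM = "=?utf-8?q?Laura_Atkins?= <laura@example.com>"


def decode_encoded_words(raw: str) -> str:
    """Expand every =?charset?enc?text?= token into plain text.

    decode_header() yields (bytes-or-str, charset) chunks; joining them
    here avoids the extra spaces that str(make_header(...)) would insert.
    """
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def addr_spec(decoded: str) -> str:
    """Return the addr-spec: the text inside <...> if present, else all of it."""
    start, end = decoded.find("<"), decoded.rfind(">")
    if 0 <= start < end:
        return decoded[start + 1:end].strip()
    return decoded.strip()


def domain_of(addr: str) -> str:
    """The domain is whatever follows the *last* '@'; that is what DMARC sees."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_from(raw: str) -> dict:
    """Compare the authenticated domain with what a NUL-truncating client shows."""
    decoded = decode_encoded_words(raw)
    addr = addr_spec(decoded)
    authenticated = domain_of(addr)
    # Assumed client behaviour: rendering stops at the first NUL byte.
    truncated = addr.split("\x00", 1)[0]
    displayed = domain_of(truncated)
    # Any control character in a decoded From: header is a red flag by itself,
    # and is what an MTA-side filter can check before the MUA ever sees it.
    control = [c for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F]
    return {
        "decoded": decoded,
        "authenticated_domain": authenticated,
        "displayed_domain": displayed,
        "control_chars": control,
        "suspicious": bool(control) or displayed != authenticated,
    }


if __name__ == "__main__":
    for label, hdr in (("spoofed", SPOOFED_FROM), ("benign", BENIGN_FROM)):
        r = analyze_from(hdr)
        print(f"{label}: shows {r['displayed_domain']!r}, "
              f"authenticated as {r['authenticated_domain']!r}, "
              f"suspicious={r['suspicious']}")
```

The `control_chars` check is the part worth lifting into a server-side filter: SPF, DKIM and DMARC all pass for mailsploit.com here, so only a rule that refuses or quarantines control characters in decoded address headers catches the message before a vulnerable client renders it.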
Maybe this exploit will motivate email client maintainers to rethink their decisions on what to display to users. Their current choices and implementations are vulnerable and need to be improved.