A new security testing tool that enables email messages to be faked or spoofed, even if the recipients are protected by best practices, has garnered some strong criticism from email security advocates.
News of the tool — called Mailsploit — took off last week after a Wired article highlighted the research. The tool would give would-be attackers a way around email security standards — known as DMARC — employed by a number of email clients. DMARC is the industry standard that prevents email spoofing, a practice where hackers messages appear to come from trusted correspondents.
John Wilson, the field CTO for email security company Agari, told CyberScoop that while the article did contain caveats, he considered it “rather alarmist.”
“If you just skim that article, you would come away with the impression that this standard, which the email industry has worked on for a decade and which has stopped remarkable volumes of spoofed email, has basically been rendered useless,” Wilson said. “But in fact that’s not at all the case.”
DMARC’s defenders, like Shehzad Mirza, director of operations for the nonprofit Global Cyber Alliance, are careful to say that the standard “is not a silver bullet.”
”There’s nothing really new here,” Mirza said about Mailsploit.
Mirza further explained the tool contains examples of a bug that enables a “display name attack.” The attacks work because programs are fooled by specially crafted text in the “from” field, rather than displaying an email address.
Spoofing relies on, among other things, being able to manipulate the “from” field. Mailsploit’s creator, Sabri Haddouche, used the demo on his website to show the “from” field as “firstname.lastname@example.org.”
Traditional spoofing relies on simply lying about the sender — putting bogus information in the “from” field. DMARC stops that by checking the internet address attached to the email, essentially discarding the message if the sender isn’t actually from the domain they’re claiming to be.
But Mailsploit messages make no such claims. The address in the “from” field ends in the correct domain — mailsploit.com.
“Most major email clients already reject Mailsploit emails,” points out Dylan Tweney, communications director for ValiMail, a company that automates DMARC adoption. “In other words, it’s not a DMARC problem … It’s an implementation problem for Apple Mail on iOS and a handful of other mail clients. Apple appears to be working on fixing it already.”
Haddouche, who works as a developer for secure messaging service Wire, acknowledged he designed the tool partly for impact.
“A practical demo is … more fun than a long theoretical description,” he said.
He added that bundling the attacks together into a tool “has proven to be useful,” as people have used it to test other email clients that Haddouche couldn’t do himself.
“All I did was discover a spoofing bug and make a website to explain and show how it works. I didn’t expect Mailsploit to become so well-known so quickly,” he said, attributing the tool’s attention to the Wired article.
“As a researcher I’d say how serious you consider this problem to be depends on your threat model,” he finished.
Wilson gave Haddouche props for practicing responsible disclosure — the researcher gave email providers three months to fix the bug before going public — something which partially accounts for the low number of email programs currently impacted.
“It’s great that he took to time to do that,” he said.
Questioning the standard’s viability comes a vital point in its history. The Department of Homeland Security recently issued a Binding Operational Directive that instructs federal agencies to adopt DMARC over the next few months.