Revisiting Email Forwarding Security under the Authenticated Received Chain Protocol
- 25 April 2022
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the ACM Web Conference 2022
Abstract
Email authentication protocols such as SPF, DKIM, and DMARC are used to detect spoofing attacks, but they face key challenges when handling email forwarding scenarios. Recently in 2019, a new Authenticated Received Chain (ARC) protocol was introduced to support mail forwarding applications to preserve the authentication records. After 2 years, it is still not well understood how ARC is implemented, deployed, and configured in practice. In this paper, we perform an empirical analysis on ARC usage and examine how it affects spoofing detection decisions on popular email providers that support ARC. After analyzing an email dataset of 600K messages, we show that ARC is not yet widely adopted, but it starts to attract adoption from major email providers (e.g., Gmail, Outlook). Our controlled experiment shows that most email providers’ ARC implementations are done correctly. However, some email providers (Zoho) have misinterpreted the meaning of ARC results, which can be exploited by spoofing attacks. Finally, we empirically investigate forwarding-based “Hide My Email” services offered by iOS 15 and Firefox, and show their implementations break ARC and can be leveraged by attackers to launch more successful spoofing attacks against otherwise well-configured email receivers (e.g., Gmail).