Over half of world's top domains weak against email spoofing

Misconfigured email servers could allow spoof emails to be 'sent' from legitimate services.
Written by Charlie Osborne, Contributing Writer

Over half of the world's most popular online services have misconfigured servers which could place users at risk from spoof emails, researchers have warned.

According to Swedish cybersecurity firm Detectify, poor authentication processes and configuration settings in servers belonging to hundreds of major online domains could put users at risk of legitimate-looking phishing campaigns and fraudulent emails.

Emails have become a major communication channel, and with so many users now owning at least one email address, they are often the first port of call for cyberattackers looking to compromise your system, steal your data or access your online accounts.

Research firm Radicati says (.PDF) over 205 billion emails were sent every day in 2015, and this figure is expected to reach 246 billion emails by the end of 2019.

If spoof emails -- emails sent with a fake sender address -- are sent by a cyberattacker running phishing campaigns, victims could be duped into clicking on malicious links and downloading malware.

By using only a few lines of Python, the firm's researchers found that over 50 percent of the top 500 Alexa websites were vulnerable to spoofing -- either through having no authentication configured or by having settings misconfigured.

As noted by ThreatPost, Sender Policy Framework (SPF) is a validation system designed to prevent email spoofing by checking that incoming email comes from acceptable hosts. Domain-based Message Authentication, Reporting and Conformance (DMARC) is used to monitor users and protect domains from fraudulent emails -- but incorrect settings for either of these protocols could leave servers vulnerable to exploitation.

In Detectify's eyes, if an email server does not have SPF or DMARC configured correctly, the server could be vulnerable. The combinations of settings which were considered vulnerable are having no SPF at all, or SPF with the "softfail" setting -- which does not do enough to protect domains because the message is still accepted, even if it is branded suspicious -- or DMARC set with "action none," which does not quarantine or reject emails.
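As an added example (not Detectify's script), the sketch below checks a domain's published TXT records for the weak settings listed above, and separates a DMARC "none" policy that requests reports (the temporary stage the firm recommends later in the article) from one that does not. The finding labels, the function names, the extra "spf-permissive" and "no-dmarc" findings and the example.com records are assumptions made for illustration.

```python
# Added example. Inputs are the TXT strings published at <domain> and at
# _dmarc.<domain>; fetch them with your own resolver or dig.

def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?', '+', or None."""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None

def dmarc_tags(record):
    """Parse 'v=DMARC1; p=none; rua=...' into a dict keyed by lowercase tag name."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(domain_txt, dmarc_txt):
    """Return the weaknesses found, as hypothetical labels; [] means none."""
    findings = []
    spf = [r for r in domain_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("no-spf")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier == "~":
            findings.append("spf-softfail")
        elif qualifier != "-":
            # Assumption beyond the article: ?all, +all or a missing 'all'
            # term never produce a hard fail either.
            findings.append("spf-permissive")
    policies = [t for t in map(dmarc_tags, dmarc_txt)
                if t.get("v", "").upper() == "DMARC1"]
    if not policies:
        # Assumption: without a DMARC record no policy is applied at all.
        findings.append("no-dmarc")
    elif policies[0].get("p", "").lower() not in ("quarantine", "reject"):
        # p=none enforces nothing; with rua set it at least produces reports.
        has_reports = bool(policies[0].get("rua"))
        findings.append("dmarc-none-with-reports" if has_reports
                        else "dmarc-none-no-reports")
    return findings

if __name__ == "__main__":
    # Constructed sample records for the placeholder domain example.com.
    print(audit(["v=spf1 include:_spf.example.net ~all"],
                ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]))
```

An empty result means SPF ends in a hard fail and DMARC is set to quarantine or reject.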

In total, 276 out of the 500 top domains scanned could be spoofed. The firm says that only 42 percent of the servers use DMARC, and out of the ones that use SPF, 40 percent use softfail.

"Since there are in fact ways to prevent this, the problem must be misinformation or lack of knowledge as to how vulnerable email without authentication configured can really be," Detectify says.

The security firm contacted several of the domains and said they would reconfigure their servers to boost security. One of the companies which had configured their domains properly was Zendesk, whose VP of security, Ryan Gurney, commented:

"Email spoofing is a big issue, and is one of the most sought out vectors for social engineering and phishing. We know that the correct use of SPF and DKIM can help to protect an email domain from these attacks.

To set up SPF and DKIM correctly was challenging and required that we change the way we send email. However, we knew how important this was in order to maintain a high level of email security."

Detectify recommends that SMBs -- which can configure their smaller number of email servers quickly -- make sure SPF and/or DKIM is set up correctly and configure DMARC to either reject or quarantine failed email. Enterprise players have a more difficult task as they must map out each server, and forgetting one can impact the full setup.

"If you suspect that you may have missed a server, we would recommend configuring DMARC in such a way that it will not reject any emails, but will send you a report with the emails that should have failed," the firm says. "After making sure no server is missed, you then reconfigure DMARC to reject emails."
