[cs615asa] Black Team - Week 8

Robert Herley IV rherley at stevens.edu
Mon Mar 25 15:04:49 EDT 2019


This week, Black team focused on Sender Policy Framework (SPF). SPF is an
email authentication method that is used to detect email spoofing which
prevents phishing and email spam. The authentication protocol allows the
owner of a domain to specify which mail servers they use to send mail from
that domain.

The exploit that attackers use lies in the usage of the two "from"
addresses in email. The "envelope from" is the return address, which tells
mail servers where to return or bounce the message back and this is usually
hidden in the front-end. The "head from" is the from address that is seen
in email clients. The problem is, both of these addresses can be spoofed
relatively easily. This is where SPF comes in to prove authentication.

To mitigate this, companies publish SPF records in their DNS that list
which IP addresses are authorized to send emails on behalf of their
domains. Email providers will run an SPF check by looking at the DNS
records of the domain name listed in the "envelope from". If the IP address
sending the email isn't listed in that SPF record, the message fails SPF
authentication. This ensures the correctness of the protocol and proves
authentication when it is implemented by the email provider.

https://tools.ietf.org/html/rfc7208
https://blog.returnpath.com/how-to-explain-spf-in-plain-english/
https://support.google.com/a/answer/33786?hl=en

-- 
*Robert Herley*
Computer Science '19 | Stevens Institute of Technology
(631) 896-7161 | www.robherley.xyz