End-to-end measurements of email spoofing attacks

Hang Hu, Gang Wang

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Spear phishing has been a persistent threat to users and organizations, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions by conducting an end-to-end measurement on 35 popular email providers and examining user reactions to spoofing through a real-world spoofing/phishing test. Our key findings are three folds. First, we observe that most email providers have the necessary protocols to detect spoofing, but still allow forged emails to reach the user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warning for users, particularly for mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security indicators on unverified emails. Our phishing experiment shows that security indicators have a positive impact on reducing risky user actions, but cannot eliminate the risk. Our study reveals a major miscommunication between email providers and endusers. Improvements at both ends (server-side protocols and UIs) are needed to bridge the gap.

Original languageEnglish (US)
Title of host publicationProceedings of the 27th USENIX Security Symposium
PublisherUSENIX Association
Number of pages18
ISBN (Electronic)9781939133045
StatePublished - 2018
Externally publishedYes
Event27th USENIX Security Symposium - Baltimore, United States
Duration: Aug 15 2018Aug 17 2018

Publication series

NameProceedings of the 27th USENIX Security Symposium


Conference27th USENIX Security Symposium
Country/TerritoryUnited States

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'End-to-end measurements of email spoofing attacks'. Together they form a unique fingerprint.

Cite this