Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security

Zakir Durumeric; David Adrian; Ariana Mirian; James Kasten; Elie Bursztein; Nicolas Lidzborski; Kurt Thomas; Vijay Eranti; Michael Bailey; J. Alex Halderman

doi:10.1145/2815675.2815695

Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security

Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork - paired with SMTP policies that favor failing open to allow gradual deployment - exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.

Original language	English (US)
Title of host publication	IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference
Publisher	Association for Computing Machinery
Pages	27-39
Number of pages	13
ISBN (Electronic)	9781450338486
DOIs	https://doi.org/10.1145/2815675.2815695
State	Published - Oct 28 2015
Event	ACM Internet Measurement Conference, IMC 2015 - Tokyo, Japan Duration: Oct 28 2015 → Oct 30 2015

Publication series

Name	Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
Volume	2015-October

Other

Other	ACM Internet Measurement Conference, IMC 2015
Country/Territory	Japan
City	Tokyo
Period	10/28/15 → 10/30/15

Keywords

DKIM
DMARC
Email
Mail
SMTP
SPF
STARTTLS
TLS

ASJC Scopus subject areas

Software
Computer Networks and Communications

Online availability

10.1145/2815675.2815695

Library availability

Discover UIUC Full Text

Cite this

Durumeric, Z., Adrian, D., Mirian, A., Kasten, J., Bursztein, E., Lidzborski, N., Thomas, K., Eranti, V., Bailey, M., & Halderman, J. A. (2015). Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security. In IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference (pp. 27-39). (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC; Vol. 2015-October). Association for Computing Machinery. https://doi.org/10.1145/2815675.2815695

Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security. / Durumeric, Zakir; Adrian, David; Mirian, Ariana et al.
IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference. Association for Computing Machinery, 2015. p. 27-39 (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC; Vol. 2015-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Durumeric, Z, Adrian, D, Mirian, A, Kasten, J, Bursztein, E, Lidzborski, N, Thomas, K, Eranti, V, Bailey, M & Halderman, JA 2015, Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security. in IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference. Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, vol. 2015-October, Association for Computing Machinery, pp. 27-39, ACM Internet Measurement Conference, IMC 2015, Tokyo, Japan, 10/28/15. https://doi.org/10.1145/2815675.2815695

Durumeric Z, Adrian D, Mirian A, Kasten J, Bursztein E, Lidzborski N et al. Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security. In IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference. Association for Computing Machinery. 2015. p. 27-39. (Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC). doi: 10.1145/2815675.2815695

@inproceedings{1216d61dc57b4f48b943c635621736a5,

title = "Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security",

abstract = "The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork - paired with SMTP policies that favor failing open to allow gradual deployment - exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.",

keywords = "DKIM, DMARC, Email, Mail, SMTP, SPF, STARTTLS, TLS",

author = "Zakir Durumeric and David Adrian and Ariana Mirian and James Kasten and Elie Bursztein and Nicolas Lidzborski and Kurt Thomas and Vijay Eranti and Michael Bailey and Halderman, {J. Alex}",

note = "Funding Information: The authors thank Vern Paxson, Paul Pearce, Niels Provos, Eric Wustrow, and our shepherd, Alan Mislove, for their help and feedback. We thank the exceptional sysadmins at the University of Michigan for their help and support, including Chris Brenner, Kevin Cheek, Laura Fink, Dan Maletta, Jeff Richardson, Donald Welch, Don Winsor, and others from ITS, CAEN, and DCO. This material is based upon work supported by the National Science Foundation under grants CNS-1111699, CNS-1255153, CNS-1345254, CNS-1409505, CNS-1409758, and CNS-1518741, by the Google Ph.D. Fellowship in Computer Security, by the Morris Wellman Faculty Development Assistant Professorship, and by an Alfred P. Sloan Foundation Research Fellowship.; ACM Internet Measurement Conference, IMC 2015 ; Conference date: 28-10-2015 Through 30-10-2015",

year = "2015",

month = oct,

day = "28",

doi = "10.1145/2815675.2815695",

language = "English (US)",

series = "Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC",

publisher = "Association for Computing Machinery",

pages = "27--39",

booktitle = "IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference",

address = "United States",

}

TY - GEN

T1 - Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security

AU - Durumeric, Zakir

AU - Adrian, David

AU - Mirian, Ariana

AU - Kasten, James

AU - Bursztein, Elie

AU - Lidzborski, Nicolas

AU - Thomas, Kurt

AU - Eranti, Vijay

AU - Bailey, Michael

AU - Halderman, J. Alex

N1 - Funding Information: The authors thank Vern Paxson, Paul Pearce, Niels Provos, Eric Wustrow, and our shepherd, Alan Mislove, for their help and feedback. We thank the exceptional sysadmins at the University of Michigan for their help and support, including Chris Brenner, Kevin Cheek, Laura Fink, Dan Maletta, Jeff Richardson, Donald Welch, Don Winsor, and others from ITS, CAEN, and DCO. This material is based upon work supported by the National Science Foundation under grants CNS-1111699, CNS-1255153, CNS-1345254, CNS-1409505, CNS-1409758, and CNS-1518741, by the Google Ph.D. Fellowship in Computer Security, by the Morris Wellman Faculty Development Assistant Professorship, and by an Alfred P. Sloan Foundation Research Fellowship.

PY - 2015/10/28

Y1 - 2015/10/28

N2 - The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork - paired with SMTP policies that favor failing open to allow gradual deployment - exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.

AB - The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork - paired with SMTP policies that favor failing open to allow gradual deployment - exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.

KW - DKIM

KW - DMARC

KW - Email

KW - Mail

KW - SMTP

KW - SPF

KW - STARTTLS

KW - TLS

UR - http://www.scopus.com/inward/record.url?scp=84954144467&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84954144467&partnerID=8YFLogxK

U2 - 10.1145/2815675.2815695

DO - 10.1145/2815675.2815695

M3 - Conference contribution

AN - SCOPUS:84954144467

T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

SP - 27

EP - 39

BT - IMC 2015 - Proceedings of the 2015 ACM Internet Measurement Conference

PB - Association for Computing Machinery

T2 - ACM Internet Measurement Conference, IMC 2015

Y2 - 28 October 2015 through 30 October 2015

ER -

Neither snow nor rain nor MITM⋯ An empirical analysis of email delivery security

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this