TY - GEN
T1 - Revisiting Email Forwarding Security under the Authenticated Received Chain Protocol
AU - Wang, Chenkai
AU - Wang, Gang
N1 - Funding Information:
This research was funded by EPSRC under grant EP/T026723/1 and the “Ramon y Cajal” Fellowship RYC-2020-029401-I. Edu was supported by the PTDF for his PhD.
Publisher Copyright:
© 2022 ACM.
PY - 2022/4/25
Y1 - 2022/4/25
N2 - Email authentication protocols such as SPF, DKIM, and DMARC are used to detect spoofing attacks, but they face key challenges when handling email forwarding scenarios. Recently in 2019, a new Authenticated Received Chain (ARC) protocol was introduced to support mail forwarding applications to preserve the authentication records. After 2 years, it is still not well understood how ARC is implemented, deployed, and configured in practice. In this paper, we perform an empirical analysis on ARC usage and examine how it affects spoofing detection decisions on popular email provides that support ARC. After analyzing an email dataset of 600K messages, we show that ARC is not yet widely adopted, but it starts to attract adoption from major email providers (e.g., Gmail, Outlook). Our controlled experiment shows that most email providers' ARC implementations are done correctly. However, some email providers (Zoho) have misinterpreted the meaning of ARC results, which can be exploited by spoofing attacks. Finally, we empirically investigate forwarding-based "Hide My Email"services offered by iOS 15 and Firefox, and show their implementations break ARC and can be leveraged by attackers to launch more successful spoofing attacks against otherwise well-configured email receivers (e.g., Gmail).
AB - Email authentication protocols such as SPF, DKIM, and DMARC are used to detect spoofing attacks, but they face key challenges when handling email forwarding scenarios. Recently in 2019, a new Authenticated Received Chain (ARC) protocol was introduced to support mail forwarding applications to preserve the authentication records. After 2 years, it is still not well understood how ARC is implemented, deployed, and configured in practice. In this paper, we perform an empirical analysis on ARC usage and examine how it affects spoofing detection decisions on popular email provides that support ARC. After analyzing an email dataset of 600K messages, we show that ARC is not yet widely adopted, but it starts to attract adoption from major email providers (e.g., Gmail, Outlook). Our controlled experiment shows that most email providers' ARC implementations are done correctly. However, some email providers (Zoho) have misinterpreted the meaning of ARC results, which can be exploited by spoofing attacks. Finally, we empirically investigate forwarding-based "Hide My Email"services offered by iOS 15 and Firefox, and show their implementations break ARC and can be leveraged by attackers to launch more successful spoofing attacks against otherwise well-configured email receivers (e.g., Gmail).
KW - ARC
KW - Email Forwarding Security
KW - Spoofing Attack
UR - http://www.scopus.com/inward/record.url?scp=85129855211&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85129855211&partnerID=8YFLogxK
U2 - 10.1145/3485447.3512228
DO - 10.1145/3485447.3512228
M3 - Conference contribution
AN - SCOPUS:85129855211
T3 - WWW 2022 - Proceedings of the ACM Web Conference 2022
SP - 681
EP - 689
BT - WWW 2022 - Proceedings of the ACM Web Conference 2022
PB - Association for Computing Machinery, Inc
T2 - 31st ACM World Wide Web Conference, WWW 2022
Y2 - 25 April 2022 through 29 April 2022
ER -