SPF – Not Just for Your Skin

SPF – I need 200, how ’bout you?

Anecdotally, I have seen more reports of targeted “spoofed domain” spam. This is a troubling scenario if your domain really is targeted rather than just picked up by a bot. I’ll outline a rather nasty one, no names given of course.

The Idea is that you receive an email from yourself or another user on your domain. A common one is that everyone on your domain gets an email from someone claiming to be a domain admin. You may think that you need to have a pwn’d machine on your network for this to happen, but that is not the case. As long as someone knows your email domain, this attack vector is easy to produce manually as well as automatically.

The incident that was reported to me is interesting. There was a learning institution that had a user’s mail account compromised. This quickly meant that the IP address and domain name were blacklisted. The admin is now stressed to begin with and is not necessarily thinking straight.

Next, the compromised account was flushed out and the un-blacklisting process started when everyone got an email from a “domain admin.” The email address looked authentic to the unsuspecting users because it cam from the correct domain. This new admin asked everyone on the domain to click a link and enter their usernames and passwords or their email account would be deleted. (uh-oh) Well, another email went out from the real admin telling them not to reply no matter what. And most listened…

(we all know what the … means)

long story short, an SPF (Sender Policy Framework) record could have saved this “spear phishing” attack from happening. SPF is basically a DNS record for your domain. It specifies the IP addresses (or hostnames) for hosts that are allowed to send for your domain. Normally, after specifying the allowed servers, it has a ‘-all’. the – means “not allowed”, all means – well, all. This is very important.

He had a security appliance that was checking for SPF from all domains. This would also check for *his own* domain. It diligently checked SPF and allowed the message anyways. Why? If he had an SPF record, it would say that the server that sent the message was not allowed to send the message. As it turns out, his domain has an SPF record, but it didn’t tell the appliance to drop the message. Instead it had ‘~all’, which means “this is bad, but let it go anyways”.

I guess auditing may have been a good thing here. It’s strange how a single character can ruin an entire day or more.


*** This is a Security Bloggers Network syndicated blog from Security Workshop authored by Tim Cronin. Read the original post at: