Towards the Adoption of Anti-spoofing Protocols for Email Systems

11/17/2017 ∙ by Hang Hu, et al. ∙ Virginia Polytechnic Institute and State University 0

Email spoofing is a critical step of phishing, where the attacker impersonates someone the victim knows or trusts. In this paper, we conduct a qualitative study to explore why email spoofing is still possible after years of efforts to develop and deploy anti-spoofing protocols (e.g., SPF, DKIM, DMARC). First, we measure the protocol adoption by scanning 1 million Internet domains. We find the adoption rates are still low, especially for the new DMARC (3.1 collect 4293 discussion threads (25.7K messages) from the Internet Engineering Task Force (IETF), a working group formed to develop and promote Internet standards. Our analysis shows key security and usability limitations in the protocol design, which makes it difficult to generate a positive "net effect" for a wide adoption. We validate our results by interviewing email administrators and discuss key implications for future anti-spoofing solutions.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Phishing attack is a known threat to the Internet. Recently, this threat has been significantly escalated due to its heavy involvement in massive data breaches [41], ransomware outbreaks [27], and even political campaigns [11]. For example, spear phishing emails have been used in nearly half of the 2000 reported breaches in 2016, responsible for leaking billions of data records [41].

Email spoofing is a critical step in phishing attacks where the attacker impersonates someone that the victim knows or trusts. By spoofing the email address of a reputable organization or a close friend, the attacker has a better chance to deceive the victim [17]. To prevent spoofing, there has been an active effort since the early 2000 to develop, promote, and deploy anti-spoofing protocols. Protocols such as SPF [21], DKIM [6], and DMARC [26] have become the Internet standards, allowing email receivers to verify the sender’s identity.

Despite these efforts, however, sending spoofing emails is still surprisingly easy today. As an example, Figure 1 shows a spoofing email where the sender address is set to the domain of the U.S. Citizenship and Immigration Services (USCIS). We crafted and sent this email to our own account in Yahoo (as the victim), and it successfully reached the inbox without triggering any warnings. This is not a coincident as email spoofing is still widely used in real-world phishing attacks [41, 32, 11].

The real question is, why email spoofing is still possible after years of efforts spent on the defense. In 2015, two measurement studies [10, 14] show that the adoption rates of anti-spoofing protocols are still low. Among Alexa top 1 million domains, only 40% have adopted SPF and only 1% have DMARC.

Fig. 1: A spoofing email that impersonates the U.S. Citizenship and Immigration Services (USCIS). We acted as the attacker and sent this email to our own account. The email arrived the inbox without triggering any alert (Mr. Hu is a fictional name).

In this paper, we perform a qualitative study to understand why anti-spoofing protocols are not widely adopted, particularly from email providers’ perspectives. To understand the perception of email providers, we conduct a user study with email administrators from different institutions. This user study turned out to be challenging to conduct. Part of the reason is that the candidate pool is small. People who can provide insights for our questions need to have extensive experience managing real-world email services. In addition, email administrators often hesitate (or are not allowed) to share details about their anti-phishing/spoofing solutions. To these ends, we send our user study requests to 4000 email administrators of Alexa top domains. We eventually received responses from administrators from various organizations (universities, payment services, online community websites) who agree to answer open questions either online or through in-person interviews.

Our results show that email administrators are aware of the technical weaknesses of SPF, DKIM and DMARC. The general perception is that these protocols are “helpful”, but “cannot solve the spoofing problem completely”. The email administrators believe that the slow adoption of the protocols is primarily due to the lack of a critical mass. Like many network protocols, the benefits of the anti-spoofing protocols come into existence only if a large number of Internet domains start to adopt the protocols to publish their authentication records. Currently, the incentive of adoption is not strong, especially for Internet domains that don’t host emails services (but they still can be spoofed). In addition to the technical weaknesses, the email administrators pointed out the practical challenges to deploy the protocols, particularly, for organizations that use cloud-based email services and large organizations that have many dependent services. Finally, email administrators share their thoughts on the possible solutions moving forward. One interesting direction is to improve the current email user interface to support security indicators, and educate users to proactively check email authentication results.

In summary, our work makes three contributions.

  • First, through the user study, we provide new insights into the perceived values and concerns of anti-spoofing protocols from email providers’ perspectives. These results shed light to the reasons behind the slow adoption of SPF, DKIM, and DMARC, pointing out the directions of improvement moving forward.

  • Second, we discuss the key implication of the results to protocol designers, email providers, and users. We discuss the possible solutions at the user-end to make up for the defective server-side authentication.

Ii Background and Related Work

In the following, we describe the background of email spoofing attacks and anti-spoofing protocols. Then, we introduce related technology adoption theories to set up the contexts for our study.

Ii-a SMTP and Email Spoofing

Simple Mail Transfer Protocol (SMTP) is the Internet standard for email transmission [33]. A key limitation of SMTP is that it has no built-in security features to prevent people (attackers) from impersonating/spoofing an arbitrary sender address. To perform a spoofing attack, attackers can manipulate two key fields to send emails. First, after establishing an SMTP connection to the target mail server, the attacker can use the “MAIL FROM” command and set the sender address to anyone that they want to impersonate. After that, the “MAIL FROM” address is inserted into the header as the “Return-Path”. In addition, attackers can modify another field called “From” in the email header. This “From” field specifies the address that will be displayed on the email interface [36]. When a user receives the email, the user will see the “From” address (e.g., visa@uscis.gov in Figure 1). If the user replies the email, the reply message will go to the “Return-Path” set by “MAIL FROM”. Note that the two addresses are not necessarily the same.

Email spoofing is a critical step of phishing attacks to gain the victim’s trust [35, 16, 17]. Meanwhile, spoofing is also a strong signal of phishing attacks [16, 22, 23, 28, 34]. Spoofing detection results are often used by phishing detection systems [7, 9, 13, 15, 37].

Ii-B Anti-Spoofing Protocols

To detect and prevent email spoofing, SMTP extension protocols are proposed including SPF, DKIM and DMARC. All three protocols have been published or standardized by the Internet Engineering Task Force (IETF).

SPF.     Sender Policy Framework (SPF) was proposed in early 2000, and standardized in 2014 [21]. SPF allows a domain to publish a list of IPs that are authorized to send emails on its behalf. For instance, the domain a.com can publish its SPF record in the DNS. When the receiving server receives the MAIL FROM command claiming to be alex@a.com, the receiving server can check if the sender IP is listed in the SPF record of a.com.

DKIM.     DomainKeys Identified Mail (DKIM) was first drafted in 2004 and standardized in 2011 [6]. DKIM uses a public-key based approach to authenticate the email sender and check the email integrity. More specifically, the sender’s email service will place a digital signature in the email header signed by the private key associated with the sender’s domain. The receiving service can retrieve the sender’s public key from DNS to verify the signature. To retrieve a DKIM public key from DNS, one will need the selector information (an attribute in the DKIM signature beside the domain name. By verifying the DKIM signature, the receiver can detect if the signed message has been modified, to ensure integrity and authenticity.

DMARC.     Domain-based Message Authentication, Reporting and Conformance (DMARC) was drafted in 2011 and published in 2015 [26]. DMARC is not a standalone protocol but needs to work with SPF and/or DKIM. DMARC allows the domain owner to publish a “failing policy” which specifies what actions the receiver should take when the incoming email fails the DMARC checks. In addition, DMARC requires identifier alignment from SPF or DKIM. For SPF, alignment means that MAIL FROM address used for the SPF check should be consistent with the From field in the header. For DKIM, alignment means that the domain name in the DKIM signature should match the From field. Alignment ensures the email address that user sees matches with the authenticated address.

Ii-C Technology Adoption Theories

To provide the contexts for our study, we briefly introduce the important theories of technology adoptions [31, 25, 19, 20]. With a focus on the networking and security protocols, prior works have examined the adoption of DNSSEC [4], IPv6 [5], HTTPS [12], Bitcoin [3], and Biometric tracking [2]. Below, we discuss three adoption theories related to our study.

TAM.     Technology Acceptance Model (TAM) is the most basic theory that models user intention to adopt new technologies [40, 39]. The model describes the key factors that influence user decision, the most important of which are perceived usefulness (PU) and perceived ease-of-use (PEOU). In our context, “users” refer to email services. TAM has many extended versions with more factors added to the model (e.g., self-efficacy, quality of the system) [24, 40, 8, 29].

|l|l|l|l|l|l|l|l|l| [1.1pt]- UserID & User Study Method & Email Service Type & As Sender: Publish Records?   & As Receiver: Authenticate?  
& & & SPF & DKIM & DMARC & SPF & DKIM & DMARC
U1 & In-person Interview & University1 (campus-level) & ✓& / & ✓& ✓& ✓& ✓
U2 & In-person Interview & University1 (department-level) & ✕& / & ✕& ✓& ✓& ✓
U3 & Open-question Survey & Payment System & ✓& / & ✓& ✓& ✓& ✓
U4 & Open-question Survey & Website Hosting Service & ✓& / & ✕& ✕& ✓& ✕
U5 & Open-question Survey & Advertisement Service1 & ✓& / & ✓& ✓& ✓& ✓
U6 & Open-question Survey & Advertisement Service2 & ✓& / & ✕& ✓& ✓& ✓
U7 & Open-question Survey & University2 (campus-level) & ✕& / & ✕& ✓& ✓& ✓
U8 & Open-question Survey & Anonymous & / & / & / & / & / & /
U9 & Open-question Survey & Online Community & ✓& / & ✕& ✓& ✓& ✓
[1.1pt]-

Network Externalities.     For network protocols, the standard TAM is usually not sufficient to explain their adoption since individual user’s decision is likely to affect other users. This leads to the notion of Network Externalities (or net effect) [19, 3]. Network externalities mean that an individual adopter can add the value for other people to adopt the same technology. In other words, when more users adopt the same protocol, the value of the protocol to each user will also increase [38]. For anti-spoofing protocols, if more domains publish their SPF/DKIM/DMARC records, it makes easier for other email providers to detect spoofing emails.

Cost-Benefit Model.     Ozment and Schechter propose an adoption model that focuses on the cost-benefit perspective [30]. The model argues that only when the benefits to individual adopters overweight the adoption costs will the protocol be widely accepted. For network protocols, the per-user benefits may grow as more users adopt the protocol (net effect) [1]. The costs can be either constant or changing (mostly decreasing) as more users adopt the protocol.

Often cases, a network protocol requires a minimal level of deployment before creating enough benefits to overweight the costs. This leading to notions of critical mass which represents the minimal number of adopters in order to facilitate self-sustaining adoption or create further growth [38].

Iii Research Questions and Methodology

In this paper, we conduct an exploratory study to understand the adoption of anti-spoofing protocols. We qualitatively look into two key questions. First, what are the reasons behind the relatively low rate of anti-spoofing protocols? Second, why did most domain owners configure the protocol with relaxed failing policies?

To answer these questions, we seek to understand the user perception of these protocols in terms of the perceived usefulness (PU) and perceived ease-of-use (PEOU) (two key aspects of TAM). Here, “users” does not refer to the users of the email system. Instead, “users” refer to the email service administrators who will use the protocol to defend against spoofing attacks.

To understand email providers’ perceptions towards the anti-spoofing protocols, we conduct a user study (with IRB approval). The biggest challenge for this user study is to recruit participants to share their experience and insights. More specifically, we need to recruit participants who have real-world experience of operating an email service and/or deploying anti-spoofing protocols. This narrows down the candidate pool to a small and highly specialized user population. In addition, real-world email administrators are often reluctant to share due to the sensitivity of the topic. For many companies and organizations, details about their phishing/spoofing detection systems are non-disclosable.

To address these challenges, we sent our user study requests to a large number of email administrators. More specifically, we contacted the email administrators of Alexa top 4000 domains. In the user study request, we ask about their preferred ways of participation (e.g., survey, phone interviews) and the level of details they feel comfortable to share. In total, we recruit email providers from different organizations. 7 participants agree to fill in a survey with “open questions” and 2 participants agree to do an in-person interview. In Table II-C, we list the 9 email administrators and the type of their institutions and organizations. Note that U8 requested to conceal the institution-specific information, and thus we keep it as “anonymous”. This small-scale but in-depth user study seeks to provide useful qualitative results and new insights from protocol users’ perspectives.

To provide the context for each email service that the participant manages, we also performed a quick measurement as shown in Table II-C. We measured whether the email domain published the corresponding authentication records in DNS (as the sender) and whether the domain performed authentication checks on the incoming emails (as the receiver). Same as before, we cannot measure whether an email domain has published the DKIM public key without knowing its selector (marked with “/”). We observe that most of the email services perform all three authentication checks on incoming emails (7 out of 8) and one email service checks DKIM only. However, when acting as the sender domain, only 3 email services published both SPF and DMARC records to the DNS.

For the interview and survey participants, we use the same list of open questions. The difference is that we can ask follow-up questions to the interview participants, but not the survey participants. Some of the detailed questions are designed based on the results of step1, which we will discuss later. At the high-level, the open questions fall into the following themes. First, we ask the participants to comment on the email spoofing problem and how they usually detect spoofing attempts. Second, we ask the participants to comment on the value that SPF, DKIM and DMARC could bring in for their email services. Third, we ask about their personal perceptions towards the under-adoption of anti-spoofing protocols and the possible reasons. Fourth, we ask why most of the deployed protocols were not configured “strictly”. Finally, we ask the participants to comment on the possible solutions moving forward to the email spoofing problem.

The survey participants answer the open questions using an online survey website that we set up. The interview participants then have a face-to-face interview session for 45 to 60 minutes. Our study is approved by IRB. We ensure that all the data are properly anonymized and securely stored.

Iv Result: User Study

Our user study focuses on open questions regarding the values and concerns of SPF, DKIM and DMARC, and the possible reasons behind their slow adoption. In the following, we discuss our findings by grouping the results into 6 high-level topics.

Iv-a Technical Defects of the Protocols

Email administrators have acknowledged the values of adoption these protocols. However, the most discussed topics are still the technical flaws in SPF, DKIM and DMARC. We summarize these tehnical flaws as the following.

First, SPF and DKIM both have the problem of “identifier alignment”. It means that the sender email address that user sees can be different from the address that is actually used to do perform authentication. For SPF, the authentication focuses on the “Return-Path” and examines whether the sender’s IP is listed in the “Return-Path” domain’s SPF record. An attacker can set the “Return-Path” domain to her own domain and set her SPF record to pass the authentication. However, what the receiving user sees on the email interface is set by the “From” field. DKIM has a similar problem given that the domain to sign the email with the DKIM key can be different from the domain on the “Return-Path” . DMARC helps to revolve the prolem by enforing the alignment of the identifiers.

Second, mail forwarding is a problem for SPF. Mail forwarding means one email service automatically forwards emails to another email service. A common scenario is that university students often configure their university email service to forward all their emails to Outlook or Gmail. During Mail forwarding, the email metadata (e.g., “Return-Path”) remains unchanged. SPF will fail after mail forwarding because the forwarder’s IP will not match the original sender’s SPF record.

Thrid, mailing list is a major problem for both SPF and DKIM. When a message is sent to a mailing list, the mailing list will “broadcast” the message to all the subscribers. This is a similar process as mail forwarding. During this process, the mailing list’s IP will become the sender IP, which is different from the original sender’s IP. This will leads to SPF failure. Mailing lists will cause trouble for DKIM because most mailing lists modify the email content before broadcasting it to the subscribers. The common modification is to add a “footer” with the mailing list’s name and a link for un-subscription. Tempering the email content will cause DKIM failure. DMARC helps to solve some of the problems, but not the mailing list problem. For mailing lists, DMARC+SPF will be sure to fail — if the “Return-Path” is modified, DMARC will fail due to the misalignment of identifiers; if the “Return-Path” is unmodified, SPF will fail due to the IP mismatch. For DMARC+DKIM, it will fail if the mailing list still has to modify the email content.

In particular, U7pointed out the problem of DKIM beyond just the mailing list problem. U7 stated that DKIM was too sensitive to “benign” changes to the email content such as line rewrapping and URL expansion. These operations that are very common in email services (sometimes for usability purposes), but can easily lead to invalid signatures. The sensitivity of DKIM also discourages email administrators to deploy DMARC (which need to work with DKIM).

“U7: DKIM is inherently flawed because semantically meaningless changes to a message can render the signature invalid. For example, the relaxed body canonicalization algorithm is sensitive to line rewrapping, which will invalidate the signature without changing the semantic content of the message. Flaws like this make DKIM signatures fragile, reducing the utility of DKIM and thus lessening the priority of its deployment.”

“U7: The fragility of DKIM also affects the utility of DMARC, and thus reducing the priority of its deployment as well.”

Iv-B A Lack of Critical Mass

Email administrators mentioned that there had not been a global consensus that SPF, DKIM or DMARC should be the ultimate solution to stop spoofing. Part of the reason is these protocols are struggling to support common email scenarios such as mail forwarding. Due to the technique weaknesses, the general perception is that SFP, DKIM and DMARC are “helpful” but “cannot solve the spoofing problem completely”. U2 mentioned that potential adopters could be are waiting to see whether enough people would eventually get on board.

“U2: It is not the final answer that the industry picked up yet. I felt at this point that enough people haven’t really adopted it, it’s not worth for me to set it up.”

In addition, U1 and U2 both mentioned that in general there was no penalty to domains for not publishing an SPF/DKIM/DMARC record. Their emails are typically not discriminated unless other malicious signals are detected. This reflects a typical bootstrapping challenge, where a “critical mass” is needed in order to facilitate a self-sustaining adoption process [30].

Iv-C Benefits Not Significantly Overweight Costs

Email administrators then discussed the deeper reasons for the lack of critical mass. U1 pointed out that the protocol adopter does not directly benefit from publishing their SPF, DKIM or DMARC records in the DNS. Instead, these DNS records mainly help other email services to verify incoming emails and protect the customers (users) of other email services. Domains that publish the DNS records receive the benefit of a better reputation, which is a relatively vague benefit, particularly for domains that don’t host email services.

“U1: If I am an email provider, I am not motivated to set up SPF, I am motivated to make sure people who have sent (emails) to my customers have set SPF. I am motivated to evaluate it.”

For popular online services (e.g., social networks, banks), however, they are likely to be motivated to publish SPF, DKIM, and DMARC records to prevent being spoofed and maintain their good reputation (U2, U3).

Fig. 2: The adoption model for anti-spoofing protocols. For email domains, the cost and benefit changes as more domains adopt the protocol. For non-email domains, the cost and benefit stay constant.

To help to illustrate this challenge, we plot Figure 2, which is a modified version of the Ozment-Schechter model [30]. Ozment-Schechter model depicts the general challenge for network protocols to receive a wide adoption, and we customized the model for email spoofing scenarios and created a separate plot for non-email domains (Figure 2(b)).

For email domains (Figure 2(a)), when more domains publish their SPF, DKIM or DMARC records, the benefits for each adopter will increase because more incoming emails can be authenticated. Regarding the costs, there will be a constant base cost for deploying the protocol. On top of that, early adopters also need to handle the insecure domains that have not adopted the protocol and those with misconfigurations. The cost of insecure domains will drop as more domains adopt the protocol. However, this cost cannot reach zero due to the technical issues in these protocols as discussed before.

Figure 2(b) shows a bigger challenge to motivate non-email domains to publish the SPF/DMARC record. For non-email domains (e.g., office.com), the benefit of publishing the SPF/DMARC record is to prevent attackers from impersonating the non-email domain and helps the non-email domain to maintain a good reputation. The domain administrators publish the SPF/DMARC records to be a good Internet “citizen” and help other email services to detect spoofing emails. However, these benefits are considered indirect and thus relatively weaker (U5, U6). Overall, the cost and benefit model is not in favor of creating a “critical mass” for a wide adoption. The bootstrapping phase is challenging without external enforcement or incentives.

Iv-D Deployment Difficulties in Practice

Even if an email administrator decided to deploy the protocol, there would be other challenges in the way. We summarize the participants’ responses from three aspects: (1) a lack of control on the DNS or even the mail servers, (2) the large number of dependency services, (3) a lack of understanding of the protocol and the deployment difficulties.

First, certain services do not have a control over their DNS record. Publishing SPF/DKIM/DMARC record will incur additional overhead to coordinate with their DNS providers (U1, U4, U9). In addition, many companies and organizations even don’t maintain their own mail servers but rely on cloud-based email services. Using cloud-based email services is convenient without the need the handle challenging tasks such as spam filtering. The drawback is that the organization need to rely on the cloud email service to deploy the anti-spoofing protocols.

“U1: So we have very limited control over our DNS. Right now, it is just the difficulty of setting up that DNS.”

Another challenge is that the strict enforcement of certain email protocols requires significant efforts for coordination in big institutions. An email system has many dependent services (e.g., marketing tools) distributed in different departments in a big institution. Deploying a new email protocol requires a non-trivial collaboration effort from different departments.

“U7: Strict enforcement requires identifying all the legitimate sources of email using a return address domain. Large, decentralized organizations (e.g. many large universities), will often have organizational units which acquire third-party services involving email, like email marketing tools, without telling central IT. Figuring all this out and putting policies and procedures in place to prevent it is more work than many admins have time for.”

Finally, the participants mentioned that there had been a lack of deep understanding of the anti-spoofing protocols, especially the new protocols such as DMARC. It is difficult to estimate how much effort is needed to deploy and maintain the protocol in practice.

U3 particularly mentioned that there is a general perception that deploying anti-spoofing protocols is difficult. Regardless the actual level of the difficulty, the perceived difficulty makes email administrators hesitated to try (U3, U9).

“U3: Many people believe that DKIM is hard, and thus don’t prioritize deploying it … Many people don’t understand DMARC, how easy it is to deploy, and how effective it is.”

Iv-E Risks of Breaking the Existing System

Participants have discussed the concerns of breaking the existing email system due to unfamiliarity to the protocol. This is particularly true for DMARC (published in 2015). Email providers need to go through careful testing to make sure the protocol does not block legitimate incoming emails, and their own emails are not blocked by others.

“U2: Probably because it (DMARC) is still in a testing phase and (people) want to see if it is going to work for them. Relatively it (DMARC) is still pretty new for big businesses and such.”

“U5: Domains may fear that they’ve forgotten something and their email may be rejected due to a mistake on their part. ”

These concerns also explain why most protocol adopters (as the sender domain) configure a relaxed SPF/DMARC policy. Even if sender domain actually specified a strict protocol, the receiver may not enforce it anyway. U5 expressed that it was quite often for senders to have mis-configurations. It is easier to not enforce the strict policy than to ask the senders to fix their configurations.

“U5: Spam filters are relied upon too heavily and its sometimes easier to pull email from the spam folder than ask someone to fix their SPF record and re-send the email.”

Iv-F Solutions Moving Forward

We asked the participants to comment on the possible solutions moving forward. Most of the email administrators believed that automated detection systems (e.g., anti-spoofing protocols, spam filters, virus scanners) were necessary, but could not fully prevent spoofing or phishing. U1, U2, U7, U8 and U9 all have mentioned the importance of user education to raise the awareness of spoofing, and training users to check the email authenticity themselves.

“U7: There is no one single way. Technological defenses like content filtering of incoming mail (i.e. spam and virus filtering), are necessary but not sufficient. There is also a need for rigorous training combined with periodic self-phishing (e.g. phishme.com), to raise awareness and identify people who need further training or correction.”

“U8: User education is the most important way to protect them. I always ask our users to look for the email that seems suspicious and bring it to my attention. That way we can prevent malicious intention at earliest possible.”

Finally, U5 expressed the need to have security indicators on the email client. The security indicators are icons or visual cues that are widely used on web browsers to indicate the validity of SSL certificate of websites. A similar email spoofing indicator can be deployed to warn users of emails with unverified sender addresses. In addition, security indicators can also help to high-light the address misalignment of the Return-Path and Mail From fields for emails that bypassed the SPF check.

“U5: Add the ability for email clients to warn users similar to the way browsers do when users are either presented with a valid extended SSL cert or no SSL cert at all. May also display the from & reply to addresses making it harder to get around SPF record checking.”

V Discussion

So far, we have explored the challenges for SPF, DKIM and DMARC to receive a wide adoption. Next, we discuss the key implications to protocol designers, email providers, and the end users.

V-a Implications for Protocol Designers and Promoters

Improving the Perceived Usefulness.     The security and usability issues in SPF, DKIM and DMARC negatively impact their perceived usefulness. To improve the perceived usefulness, addressing these security and usability issues becomes the first priority. Currently, an IETF group is working on a new protocol called Authenticated Received Chain (ARC) [18] which is expected to address email forwarding problem and the mailing list problem. However, this also adds to the number of protocols that domain owners need to deploy. New protocols will have their own challenges to be accepted. For example, the DMARC protocol, even though incrementally deployable, only achieved a 4.6% adoption rate in the past two years. A useful protocol will still face the challenge to be widely adopted.

Building the Critical Mass.     Currently, there is a lack of strong consensus to deploy anti-spoofing protocols. Like many networking protocols, anti-spoofing protocols will provide key benefits only after enough domains start to publish their SPF, DKIM or DMARC records. To bootstrap the adoption and establish a critical mass, external incentive mechanisms are needed. In theory, we can adjust the rewarding function to provide more benefits to early adopters to create a positive net effect [30]. One possible direction is to learn from the promotion of “HTTPS” among websites [12]: modern browsers will display a trusted icon for websites with valid TLS certificates. Similar security indicators can be added to emails with verified sender domains (by SPF, DKIM and DMARC), to incentive domains to publish the corresponding DNS records. In addition, policymakers or major email providers may also consider enforcing certain sensitive domains (e.g., banks, government agencies) to publish their SPF/DKIM/DMARC records to prevent being impersonated. The challenge is how to realize these ideas without disrupting any of the normal operations of the existing email services.

Reducing the Deployment Difficulty.     One direction to improve the adoption rate of anti-spoofing protocols is to make it easy to deploy and configure. Our user study reveals two key problems to address. First, more organizations start to use cloud-based email services (e.g., Google G-Suite, Amazon WorkMail, Office 365). Anti-spoofing protocols should be more cloud-friendly for organizations that don’t have full controls on their mail servers. Second, the deployment process should be further simplified and providers email administrators with more controls. The biggest concern from email administrators is that anti-spoofing protocols may reject legitimate emails or get their own emails rejected. One direction of improvement is to allow the protocol to run in a testing mode (e.g., in DMARC), allowing email administrators to fully assess the impact before real deployment.

V-B Implications for Email Providers

In the short term, email providers are still unlikely to be able to authenticate all the incoming emails. While email providers should act as “good Internet citizens” by publishing their own authentication records, it is also necessary to help to “educate” their users to watch out for spoofing emails. Given the current adoption rate of anti-spoofing protocols (and the relaxed protocol configurations), it is likely that email providers will still have to deliver certain unverified emails to the user inbox. Email providers should act more responsibly by providing the authentication results available for the user to check, or proactively warn users of emails that they are not able to verify. Large email providers such as Gmail and Outlook are already moving towards this direction. Currently, Gmail’s authentication results are available through the webmail interface, but unfortunately not yet available on the mobile app interface. Further research is needed to improve the current mobile email UI to better support security features.

V-C Implications for Users

Given the current situation, users are at the most vulnerable position. Particularly, considering the usability flaws of the existing anti-spoofing protocols, an email that passed the SPF/DKIM checks can still be a spoofed email (e.g., with misaligned addresses). Similarly, emails that failed the SPF/DKIM checks are not necessarily malicious (e.g., forwarded email). To this end, unless the user is fully aware of the authentication details, it is safer for general email users to avoid establishing the trust based on the sender domains. The trustworthiness of the email should be assessed as a whole. It is more reliable to leverage the context of the email exchange, and the external confirmation channels (e.g., calling the sender on the phone) to identify phishing attempts and securely handle critical emails.

Vi Limitations

The scale of the user study is still small, which limits us from producing any statistically significant results. We argue that our contribution is to provide a “qualitative” understanding of the problem space, which lays the groundwork for future quantitative research. For example, one future direction is to conduct surveys to understand what types of domains are more likely to adopt anti-spoofing protocols, and how domain attributes (e.g., service type, popularity, sensitivity) affect the domain owners’ decision.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.
TABLE I: User study participants: 9 email administrators. U8 requested to conceal the institution type, and thus we keep it as “anonymous”. For each of their email services, we also measured whether the email domain published the DNS authentication records (as the sender) and whether the domain authenticate incoming emails (as the receiver).

Iii Research Questions and Methodology

In this paper, we conduct an exploratory study to understand the adoption of anti-spoofing protocols. We qualitatively look into two key questions. First, what are the reasons behind the relatively low rate of anti-spoofing protocols? Second, why did most domain owners configure the protocol with relaxed failing policies?

To answer these questions, we seek to understand the user perception of these protocols in terms of the perceived usefulness (PU) and perceived ease-of-use (PEOU) (two key aspects of TAM). Here, “users” does not refer to the users of the email system. Instead, “users” refer to the email service administrators who will use the protocol to defend against spoofing attacks.

To understand email providers’ perceptions towards the anti-spoofing protocols, we conduct a user study (with IRB approval). The biggest challenge for this user study is to recruit participants to share their experience and insights. More specifically, we need to recruit participants who have real-world experience of operating an email service and/or deploying anti-spoofing protocols. This narrows down the candidate pool to a small and highly specialized user population. In addition, real-world email administrators are often reluctant to share due to the sensitivity of the topic. For many companies and organizations, details about their phishing/spoofing detection systems are non-disclosable.

To address these challenges, we sent our user study requests to a large number of email administrators. More specifically, we contacted the email administrators of Alexa top 4000 domains. In the user study request, we ask about their preferred ways of participation (e.g., survey, phone interviews) and the level of details they feel comfortable to share. In total, we recruit email providers from different organizations. 7 participants agree to fill in a survey with “open questions” and 2 participants agree to do an in-person interview. In Table II-C, we list the 9 email administrators and the type of their institutions and organizations. Note that U8 requested to conceal the institution-specific information, and thus we keep it as “anonymous”. This small-scale but in-depth user study seeks to provide useful qualitative results and new insights from protocol users’ perspectives.

To provide the context for each email service that the participant manages, we also performed a quick measurement as shown in Table II-C. We measured whether the email domain published the corresponding authentication records in DNS (as the sender) and whether the domain performed authentication checks on the incoming emails (as the receiver). Same as before, we cannot measure whether an email domain has published the DKIM public key without knowing its selector (marked with “/”). We observe that most of the email services perform all three authentication checks on incoming emails (7 out of 8) and one email service checks DKIM only. However, when acting as the sender domain, only 3 email services published both SPF and DMARC records to the DNS.

For the interview and survey participants, we use the same list of open questions. The difference is that we can ask follow-up questions to the interview participants, but not the survey participants. Some of the detailed questions are designed based on the results of step1, which we will discuss later. At the high-level, the open questions fall into the following themes. First, we ask the participants to comment on the email spoofing problem and how they usually detect spoofing attempts. Second, we ask the participants to comment on the value that SPF, DKIM and DMARC could bring in for their email services. Third, we ask about their personal perceptions towards the under-adoption of anti-spoofing protocols and the possible reasons. Fourth, we ask why most of the deployed protocols were not configured “strictly”. Finally, we ask the participants to comment on the possible solutions moving forward to the email spoofing problem.

The survey participants answer the open questions using an online survey website that we set up. The interview participants then have a face-to-face interview session for 45 to 60 minutes. Our study is approved by IRB. We ensure that all the data are properly anonymized and securely stored.

Iv Result: User Study

Our user study focuses on open questions regarding the values and concerns of SPF, DKIM and DMARC, and the possible reasons behind their slow adoption. In the following, we discuss our findings by grouping the results into 6 high-level topics.

Iv-a Technical Defects of the Protocols

Email administrators have acknowledged the values of adoption these protocols. However, the most discussed topics are still the technical flaws in SPF, DKIM and DMARC. We summarize these tehnical flaws as the following.

First, SPF and DKIM both have the problem of “identifier alignment”. It means that the sender email address that user sees can be different from the address that is actually used to do perform authentication. For SPF, the authentication focuses on the “Return-Path” and examines whether the sender’s IP is listed in the “Return-Path” domain’s SPF record. An attacker can set the “Return-Path” domain to her own domain and set her SPF record to pass the authentication. However, what the receiving user sees on the email interface is set by the “From” field. DKIM has a similar problem given that the domain to sign the email with the DKIM key can be different from the domain on the “Return-Path” . DMARC helps to revolve the prolem by enforing the alignment of the identifiers.

Second, mail forwarding is a problem for SPF. Mail forwarding means one email service automatically forwards emails to another email service. A common scenario is that university students often configure their university email service to forward all their emails to Outlook or Gmail. During Mail forwarding, the email metadata (e.g., “Return-Path”) remains unchanged. SPF will fail after mail forwarding because the forwarder’s IP will not match the original sender’s SPF record.

Thrid, mailing list is a major problem for both SPF and DKIM. When a message is sent to a mailing list, the mailing list will “broadcast” the message to all the subscribers. This is a similar process as mail forwarding. During this process, the mailing list’s IP will become the sender IP, which is different from the original sender’s IP. This will leads to SPF failure. Mailing lists will cause trouble for DKIM because most mailing lists modify the email content before broadcasting it to the subscribers. The common modification is to add a “footer” with the mailing list’s name and a link for un-subscription. Tempering the email content will cause DKIM failure. DMARC helps to solve some of the problems, but not the mailing list problem. For mailing lists, DMARC+SPF will be sure to fail — if the “Return-Path” is modified, DMARC will fail due to the misalignment of identifiers; if the “Return-Path” is unmodified, SPF will fail due to the IP mismatch. For DMARC+DKIM, it will fail if the mailing list still has to modify the email content.

In particular, U7pointed out the problem of DKIM beyond just the mailing list problem. U7 stated that DKIM was too sensitive to “benign” changes to the email content such as line rewrapping and URL expansion. These operations that are very common in email services (sometimes for usability purposes), but can easily lead to invalid signatures. The sensitivity of DKIM also discourages email administrators to deploy DMARC (which need to work with DKIM).

“U7: DKIM is inherently flawed because semantically meaningless changes to a message can render the signature invalid. For example, the relaxed body canonicalization algorithm is sensitive to line rewrapping, which will invalidate the signature without changing the semantic content of the message. Flaws like this make DKIM signatures fragile, reducing the utility of DKIM and thus lessening the priority of its deployment.”

“U7: The fragility of DKIM also affects the utility of DMARC, and thus reducing the priority of its deployment as well.”

Iv-B A Lack of Critical Mass

Email administrators mentioned that there had not been a global consensus that SPF, DKIM or DMARC should be the ultimate solution to stop spoofing. Part of the reason is these protocols are struggling to support common email scenarios such as mail forwarding. Due to the technique weaknesses, the general perception is that SFP, DKIM and DMARC are “helpful” but “cannot solve the spoofing problem completely”. U2 mentioned that potential adopters could be are waiting to see whether enough people would eventually get on board.

“U2: It is not the final answer that the industry picked up yet. I felt at this point that enough people haven’t really adopted it, it’s not worth for me to set it up.”

In addition, U1 and U2 both mentioned that in general there was no penalty to domains for not publishing an SPF/DKIM/DMARC record. Their emails are typically not discriminated unless other malicious signals are detected. This reflects a typical bootstrapping challenge, where a “critical mass” is needed in order to facilitate a self-sustaining adoption process [30].

Iv-C Benefits Not Significantly Overweight Costs

Email administrators then discussed the deeper reasons for the lack of critical mass. U1 pointed out that the protocol adopter does not directly benefit from publishing their SPF, DKIM or DMARC records in the DNS. Instead, these DNS records mainly help other email services to verify incoming emails and protect the customers (users) of other email services. Domains that publish the DNS records receive the benefit of a better reputation, which is a relatively vague benefit, particularly for domains that don’t host email services.

“U1: If I am an email provider, I am not motivated to set up SPF, I am motivated to make sure people who have sent (emails) to my customers have set SPF. I am motivated to evaluate it.”

For popular online services (e.g., social networks, banks), however, they are likely to be motivated to publish SPF, DKIM, and DMARC records to prevent being spoofed and maintain their good reputation (U2, U3).

Fig. 2: The adoption model for anti-spoofing protocols. For email domains, the cost and benefit changes as more domains adopt the protocol. For non-email domains, the cost and benefit stay constant.

To help to illustrate this challenge, we plot Figure 2, which is a modified version of the Ozment-Schechter model [30]. Ozment-Schechter model depicts the general challenge for network protocols to receive a wide adoption, and we customized the model for email spoofing scenarios and created a separate plot for non-email domains (Figure 2(b)).

For email domains (Figure 2(a)), when more domains publish their SPF, DKIM or DMARC records, the benefits for each adopter will increase because more incoming emails can be authenticated. Regarding the costs, there will be a constant base cost for deploying the protocol. On top of that, early adopters also need to handle the insecure domains that have not adopted the protocol and those with misconfigurations. The cost of insecure domains will drop as more domains adopt the protocol. However, this cost cannot reach zero due to the technical issues in these protocols as discussed before.

Figure 2(b) shows a bigger challenge to motivate non-email domains to publish the SPF/DMARC record. For non-email domains (e.g., office.com), the benefit of publishing the SPF/DMARC record is to prevent attackers from impersonating the non-email domain and helps the non-email domain to maintain a good reputation. The domain administrators publish the SPF/DMARC records to be a good Internet “citizen” and help other email services to detect spoofing emails. However, these benefits are considered indirect and thus relatively weaker (U5, U6). Overall, the cost and benefit model is not in favor of creating a “critical mass” for a wide adoption. The bootstrapping phase is challenging without external enforcement or incentives.

Iv-D Deployment Difficulties in Practice

Even if an email administrator decided to deploy the protocol, there would be other challenges in the way. We summarize the participants’ responses from three aspects: (1) a lack of control on the DNS or even the mail servers, (2) the large number of dependency services, (3) a lack of understanding of the protocol and the deployment difficulties.

First, certain services do not have a control over their DNS record. Publishing SPF/DKIM/DMARC record will incur additional overhead to coordinate with their DNS providers (U1, U4, U9). In addition, many companies and organizations even don’t maintain their own mail servers but rely on cloud-based email services. Using cloud-based email services is convenient without the need the handle challenging tasks such as spam filtering. The drawback is that the organization need to rely on the cloud email service to deploy the anti-spoofing protocols.

“U1: So we have very limited control over our DNS. Right now, it is just the difficulty of setting up that DNS.”

Another challenge is that the strict enforcement of certain email protocols requires significant efforts for coordination in big institutions. An email system has many dependent services (e.g., marketing tools) distributed in different departments in a big institution. Deploying a new email protocol requires a non-trivial collaboration effort from different departments.

“U7: Strict enforcement requires identifying all the legitimate sources of email using a return address domain. Large, decentralized organizations (e.g. many large universities), will often have organizational units which acquire third-party services involving email, like email marketing tools, without telling central IT. Figuring all this out and putting policies and procedures in place to prevent it is more work than many admins have time for.”

Finally, the participants mentioned that there had been a lack of deep understanding of the anti-spoofing protocols, especially the new protocols such as DMARC. It is difficult to estimate how much effort is needed to deploy and maintain the protocol in practice.

U3 particularly mentioned that there is a general perception that deploying anti-spoofing protocols is difficult. Regardless the actual level of the difficulty, the perceived difficulty makes email administrators hesitated to try (U3, U9).

“U3: Many people believe that DKIM is hard, and thus don’t prioritize deploying it … Many people don’t understand DMARC, how easy it is to deploy, and how effective it is.”

Iv-E Risks of Breaking the Existing System

Participants have discussed the concerns of breaking the existing email system due to unfamiliarity to the protocol. This is particularly true for DMARC (published in 2015). Email providers need to go through careful testing to make sure the protocol does not block legitimate incoming emails, and their own emails are not blocked by others.

“U2: Probably because it (DMARC) is still in a testing phase and (people) want to see if it is going to work for them. Relatively it (DMARC) is still pretty new for big businesses and such.”

“U5: Domains may fear that they’ve forgotten something and their email may be rejected due to a mistake on their part. ”

These concerns also explain why most protocol adopters (as the sender domain) configure a relaxed SPF/DMARC policy. Even if sender domain actually specified a strict protocol, the receiver may not enforce it anyway. U5 expressed that it was quite often for senders to have mis-configurations. It is easier to not enforce the strict policy than to ask the senders to fix their configurations.

“U5: Spam filters are relied upon too heavily and its sometimes easier to pull email from the spam folder than ask someone to fix their SPF record and re-send the email.”

Iv-F Solutions Moving Forward

We asked the participants to comment on the possible solutions moving forward. Most of the email administrators believed that automated detection systems (e.g., anti-spoofing protocols, spam filters, virus scanners) were necessary, but could not fully prevent spoofing or phishing. U1, U2, U7, U8 and U9 all have mentioned the importance of user education to raise the awareness of spoofing, and training users to check the email authenticity themselves.

“U7: There is no one single way. Technological defenses like content filtering of incoming mail (i.e. spam and virus filtering), are necessary but not sufficient. There is also a need for rigorous training combined with periodic self-phishing (e.g. phishme.com), to raise awareness and identify people who need further training or correction.”

“U8: User education is the most important way to protect them. I always ask our users to look for the email that seems suspicious and bring it to my attention. That way we can prevent malicious intention at earliest possible.”

Finally, U5 expressed the need to have security indicators on the email client. The security indicators are icons or visual cues that are widely used on web browsers to indicate the validity of SSL certificate of websites. A similar email spoofing indicator can be deployed to warn users of emails with unverified sender addresses. In addition, security indicators can also help to high-light the address misalignment of the Return-Path and Mail From fields for emails that bypassed the SPF check.

“U5: Add the ability for email clients to warn users similar to the way browsers do when users are either presented with a valid extended SSL cert or no SSL cert at all. May also display the from & reply to addresses making it harder to get around SPF record checking.”

V Discussion

So far, we have explored the challenges for SPF, DKIM and DMARC to receive a wide adoption. Next, we discuss the key implications to protocol designers, email providers, and the end users.

V-a Implications for Protocol Designers and Promoters

Improving the Perceived Usefulness.     The security and usability issues in SPF, DKIM and DMARC negatively impact their perceived usefulness. To improve the perceived usefulness, addressing these security and usability issues becomes the first priority. Currently, an IETF group is working on a new protocol called Authenticated Received Chain (ARC) [18] which is expected to address email forwarding problem and the mailing list problem. However, this also adds to the number of protocols that domain owners need to deploy. New protocols will have their own challenges to be accepted. For example, the DMARC protocol, even though incrementally deployable, only achieved a 4.6% adoption rate in the past two years. A useful protocol will still face the challenge to be widely adopted.

Building the Critical Mass.     Currently, there is a lack of strong consensus to deploy anti-spoofing protocols. Like many networking protocols, anti-spoofing protocols will provide key benefits only after enough domains start to publish their SPF, DKIM or DMARC records. To bootstrap the adoption and establish a critical mass, external incentive mechanisms are needed. In theory, we can adjust the rewarding function to provide more benefits to early adopters to create a positive net effect [30]. One possible direction is to learn from the promotion of “HTTPS” among websites [12]: modern browsers will display a trusted icon for websites with valid TLS certificates. Similar security indicators can be added to emails with verified sender domains (by SPF, DKIM and DMARC), to incentive domains to publish the corresponding DNS records. In addition, policymakers or major email providers may also consider enforcing certain sensitive domains (e.g., banks, government agencies) to publish their SPF/DKIM/DMARC records to prevent being impersonated. The challenge is how to realize these ideas without disrupting any of the normal operations of the existing email services.

Reducing the Deployment Difficulty.     One direction to improve the adoption rate of anti-spoofing protocols is to make it easy to deploy and configure. Our user study reveals two key problems to address. First, more organizations start to use cloud-based email services (e.g., Google G-Suite, Amazon WorkMail, Office 365). Anti-spoofing protocols should be more cloud-friendly for organizations that don’t have full controls on their mail servers. Second, the deployment process should be further simplified and providers email administrators with more controls. The biggest concern from email administrators is that anti-spoofing protocols may reject legitimate emails or get their own emails rejected. One direction of improvement is to allow the protocol to run in a testing mode (e.g., in DMARC), allowing email administrators to fully assess the impact before real deployment.

V-B Implications for Email Providers

In the short term, email providers are still unlikely to be able to authenticate all the incoming emails. While email providers should act as “good Internet citizens” by publishing their own authentication records, it is also necessary to help to “educate” their users to watch out for spoofing emails. Given the current adoption rate of anti-spoofing protocols (and the relaxed protocol configurations), it is likely that email providers will still have to deliver certain unverified emails to the user inbox. Email providers should act more responsibly by providing the authentication results available for the user to check, or proactively warn users of emails that they are not able to verify. Large email providers such as Gmail and Outlook are already moving towards this direction. Currently, Gmail’s authentication results are available through the webmail interface, but unfortunately not yet available on the mobile app interface. Further research is needed to improve the current mobile email UI to better support security features.

V-C Implications for Users

Given the current situation, users are at the most vulnerable position. Particularly, considering the usability flaws of the existing anti-spoofing protocols, an email that passed the SPF/DKIM checks can still be a spoofed email (e.g., with misaligned addresses). Similarly, emails that failed the SPF/DKIM checks are not necessarily malicious (e.g., forwarded email). To this end, unless the user is fully aware of the authentication details, it is safer for general email users to avoid establishing the trust based on the sender domains. The trustworthiness of the email should be assessed as a whole. It is more reliable to leverage the context of the email exchange, and the external confirmation channels (e.g., calling the sender on the phone) to identify phishing attempts and securely handle critical emails.

Vi Limitations

The scale of the user study is still small, which limits us from producing any statistically significant results. We argue that our contribution is to provide a “qualitative” understanding of the problem space, which lays the groundwork for future quantitative research. For example, one future direction is to conduct surveys to understand what types of domains are more likely to adopt anti-spoofing protocols, and how domain attributes (e.g., service type, popularity, sensitivity) affect the domain owners’ decision.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

Iv Result: User Study

Our user study focuses on open questions regarding the values and concerns of SPF, DKIM and DMARC, and the possible reasons behind their slow adoption. In the following, we discuss our findings by grouping the results into 6 high-level topics.

Iv-a Technical Defects of the Protocols

Email administrators have acknowledged the values of adoption these protocols. However, the most discussed topics are still the technical flaws in SPF, DKIM and DMARC. We summarize these tehnical flaws as the following.

First, SPF and DKIM both have the problem of “identifier alignment”. It means that the sender email address that user sees can be different from the address that is actually used to do perform authentication. For SPF, the authentication focuses on the “Return-Path” and examines whether the sender’s IP is listed in the “Return-Path” domain’s SPF record. An attacker can set the “Return-Path” domain to her own domain and set her SPF record to pass the authentication. However, what the receiving user sees on the email interface is set by the “From” field. DKIM has a similar problem given that the domain to sign the email with the DKIM key can be different from the domain on the “Return-Path” . DMARC helps to revolve the prolem by enforing the alignment of the identifiers.

Second, mail forwarding is a problem for SPF. Mail forwarding means one email service automatically forwards emails to another email service. A common scenario is that university students often configure their university email service to forward all their emails to Outlook or Gmail. During Mail forwarding, the email metadata (e.g., “Return-Path”) remains unchanged. SPF will fail after mail forwarding because the forwarder’s IP will not match the original sender’s SPF record.

Thrid, mailing list is a major problem for both SPF and DKIM. When a message is sent to a mailing list, the mailing list will “broadcast” the message to all the subscribers. This is a similar process as mail forwarding. During this process, the mailing list’s IP will become the sender IP, which is different from the original sender’s IP. This will leads to SPF failure. Mailing lists will cause trouble for DKIM because most mailing lists modify the email content before broadcasting it to the subscribers. The common modification is to add a “footer” with the mailing list’s name and a link for un-subscription. Tempering the email content will cause DKIM failure. DMARC helps to solve some of the problems, but not the mailing list problem. For mailing lists, DMARC+SPF will be sure to fail — if the “Return-Path” is modified, DMARC will fail due to the misalignment of identifiers; if the “Return-Path” is unmodified, SPF will fail due to the IP mismatch. For DMARC+DKIM, it will fail if the mailing list still has to modify the email content.

In particular, U7pointed out the problem of DKIM beyond just the mailing list problem. U7 stated that DKIM was too sensitive to “benign” changes to the email content such as line rewrapping and URL expansion. These operations that are very common in email services (sometimes for usability purposes), but can easily lead to invalid signatures. The sensitivity of DKIM also discourages email administrators to deploy DMARC (which need to work with DKIM).

“U7: DKIM is inherently flawed because semantically meaningless changes to a message can render the signature invalid. For example, the relaxed body canonicalization algorithm is sensitive to line rewrapping, which will invalidate the signature without changing the semantic content of the message. Flaws like this make DKIM signatures fragile, reducing the utility of DKIM and thus lessening the priority of its deployment.”

“U7: The fragility of DKIM also affects the utility of DMARC, and thus reducing the priority of its deployment as well.”

Iv-B A Lack of Critical Mass

Email administrators mentioned that there had not been a global consensus that SPF, DKIM or DMARC should be the ultimate solution to stop spoofing. Part of the reason is these protocols are struggling to support common email scenarios such as mail forwarding. Due to the technique weaknesses, the general perception is that SFP, DKIM and DMARC are “helpful” but “cannot solve the spoofing problem completely”. U2 mentioned that potential adopters could be are waiting to see whether enough people would eventually get on board.

“U2: It is not the final answer that the industry picked up yet. I felt at this point that enough people haven’t really adopted it, it’s not worth for me to set it up.”

In addition, U1 and U2 both mentioned that in general there was no penalty to domains for not publishing an SPF/DKIM/DMARC record. Their emails are typically not discriminated unless other malicious signals are detected. This reflects a typical bootstrapping challenge, where a “critical mass” is needed in order to facilitate a self-sustaining adoption process [30].

Iv-C Benefits Not Significantly Overweight Costs

Email administrators then discussed the deeper reasons for the lack of critical mass. U1 pointed out that the protocol adopter does not directly benefit from publishing their SPF, DKIM or DMARC records in the DNS. Instead, these DNS records mainly help other email services to verify incoming emails and protect the customers (users) of other email services. Domains that publish the DNS records receive the benefit of a better reputation, which is a relatively vague benefit, particularly for domains that don’t host email services.

“U1: If I am an email provider, I am not motivated to set up SPF, I am motivated to make sure people who have sent (emails) to my customers have set SPF. I am motivated to evaluate it.”

For popular online services (e.g., social networks, banks), however, they are likely to be motivated to publish SPF, DKIM, and DMARC records to prevent being spoofed and maintain their good reputation (U2, U3).

Fig. 2: The adoption model for anti-spoofing protocols. For email domains, the cost and benefit changes as more domains adopt the protocol. For non-email domains, the cost and benefit stay constant.

To help to illustrate this challenge, we plot Figure 2, which is a modified version of the Ozment-Schechter model [30]. Ozment-Schechter model depicts the general challenge for network protocols to receive a wide adoption, and we customized the model for email spoofing scenarios and created a separate plot for non-email domains (Figure 2(b)).

For email domains (Figure 2(a)), when more domains publish their SPF, DKIM or DMARC records, the benefits for each adopter will increase because more incoming emails can be authenticated. Regarding the costs, there will be a constant base cost for deploying the protocol. On top of that, early adopters also need to handle the insecure domains that have not adopted the protocol and those with misconfigurations. The cost of insecure domains will drop as more domains adopt the protocol. However, this cost cannot reach zero due to the technical issues in these protocols as discussed before.

Figure 2(b) shows a bigger challenge to motivate non-email domains to publish the SPF/DMARC record. For non-email domains (e.g., office.com), the benefit of publishing the SPF/DMARC record is to prevent attackers from impersonating the non-email domain and helps the non-email domain to maintain a good reputation. The domain administrators publish the SPF/DMARC records to be a good Internet “citizen” and help other email services to detect spoofing emails. However, these benefits are considered indirect and thus relatively weaker (U5, U6). Overall, the cost and benefit model is not in favor of creating a “critical mass” for a wide adoption. The bootstrapping phase is challenging without external enforcement or incentives.

Iv-D Deployment Difficulties in Practice

Even if an email administrator decided to deploy the protocol, there would be other challenges in the way. We summarize the participants’ responses from three aspects: (1) a lack of control on the DNS or even the mail servers, (2) the large number of dependency services, (3) a lack of understanding of the protocol and the deployment difficulties.

First, certain services do not have a control over their DNS record. Publishing SPF/DKIM/DMARC record will incur additional overhead to coordinate with their DNS providers (U1, U4, U9). In addition, many companies and organizations even don’t maintain their own mail servers but rely on cloud-based email services. Using cloud-based email services is convenient without the need the handle challenging tasks such as spam filtering. The drawback is that the organization need to rely on the cloud email service to deploy the anti-spoofing protocols.

“U1: So we have very limited control over our DNS. Right now, it is just the difficulty of setting up that DNS.”

Another challenge is that the strict enforcement of certain email protocols requires significant efforts for coordination in big institutions. An email system has many dependent services (e.g., marketing tools) distributed in different departments in a big institution. Deploying a new email protocol requires a non-trivial collaboration effort from different departments.

“U7: Strict enforcement requires identifying all the legitimate sources of email using a return address domain. Large, decentralized organizations (e.g. many large universities), will often have organizational units which acquire third-party services involving email, like email marketing tools, without telling central IT. Figuring all this out and putting policies and procedures in place to prevent it is more work than many admins have time for.”

Finally, the participants mentioned that there had been a lack of deep understanding of the anti-spoofing protocols, especially the new protocols such as DMARC. It is difficult to estimate how much effort is needed to deploy and maintain the protocol in practice.

U3 particularly mentioned that there is a general perception that deploying anti-spoofing protocols is difficult. Regardless the actual level of the difficulty, the perceived difficulty makes email administrators hesitated to try (U3, U9).

“U3: Many people believe that DKIM is hard, and thus don’t prioritize deploying it … Many people don’t understand DMARC, how easy it is to deploy, and how effective it is.”

Iv-E Risks of Breaking the Existing System

Participants have discussed the concerns of breaking the existing email system due to unfamiliarity to the protocol. This is particularly true for DMARC (published in 2015). Email providers need to go through careful testing to make sure the protocol does not block legitimate incoming emails, and their own emails are not blocked by others.

“U2: Probably because it (DMARC) is still in a testing phase and (people) want to see if it is going to work for them. Relatively it (DMARC) is still pretty new for big businesses and such.”

“U5: Domains may fear that they’ve forgotten something and their email may be rejected due to a mistake on their part. ”

These concerns also explain why most protocol adopters (as the sender domain) configure a relaxed SPF/DMARC policy. Even if sender domain actually specified a strict protocol, the receiver may not enforce it anyway. U5 expressed that it was quite often for senders to have mis-configurations. It is easier to not enforce the strict policy than to ask the senders to fix their configurations.

“U5: Spam filters are relied upon too heavily and its sometimes easier to pull email from the spam folder than ask someone to fix their SPF record and re-send the email.”

Iv-F Solutions Moving Forward

We asked the participants to comment on the possible solutions moving forward. Most of the email administrators believed that automated detection systems (e.g., anti-spoofing protocols, spam filters, virus scanners) were necessary, but could not fully prevent spoofing or phishing. U1, U2, U7, U8 and U9 all have mentioned the importance of user education to raise the awareness of spoofing, and training users to check the email authenticity themselves.

“U7: There is no one single way. Technological defenses like content filtering of incoming mail (i.e. spam and virus filtering), are necessary but not sufficient. There is also a need for rigorous training combined with periodic self-phishing (e.g. phishme.com), to raise awareness and identify people who need further training or correction.”

“U8: User education is the most important way to protect them. I always ask our users to look for the email that seems suspicious and bring it to my attention. That way we can prevent malicious intention at earliest possible.”

Finally, U5 expressed the need to have security indicators on the email client. The security indicators are icons or visual cues that are widely used on web browsers to indicate the validity of SSL certificate of websites. A similar email spoofing indicator can be deployed to warn users of emails with unverified sender addresses. In addition, security indicators can also help to high-light the address misalignment of the Return-Path and Mail From fields for emails that bypassed the SPF check.

“U5: Add the ability for email clients to warn users similar to the way browsers do when users are either presented with a valid extended SSL cert or no SSL cert at all. May also display the from & reply to addresses making it harder to get around SPF record checking.”

V Discussion

So far, we have explored the challenges for SPF, DKIM and DMARC to receive a wide adoption. Next, we discuss the key implications to protocol designers, email providers, and the end users.

V-a Implications for Protocol Designers and Promoters

Improving the Perceived Usefulness.     The security and usability issues in SPF, DKIM and DMARC negatively impact their perceived usefulness. To improve the perceived usefulness, addressing these security and usability issues becomes the first priority. Currently, an IETF group is working on a new protocol called Authenticated Received Chain (ARC) [18] which is expected to address email forwarding problem and the mailing list problem. However, this also adds to the number of protocols that domain owners need to deploy. New protocols will have their own challenges to be accepted. For example, the DMARC protocol, even though incrementally deployable, only achieved a 4.6% adoption rate in the past two years. A useful protocol will still face the challenge to be widely adopted.

Building the Critical Mass.     Currently, there is a lack of strong consensus to deploy anti-spoofing protocols. Like many networking protocols, anti-spoofing protocols will provide key benefits only after enough domains start to publish their SPF, DKIM or DMARC records. To bootstrap the adoption and establish a critical mass, external incentive mechanisms are needed. In theory, we can adjust the rewarding function to provide more benefits to early adopters to create a positive net effect [30]. One possible direction is to learn from the promotion of “HTTPS” among websites [12]: modern browsers will display a trusted icon for websites with valid TLS certificates. Similar security indicators can be added to emails with verified sender domains (by SPF, DKIM and DMARC), to incentive domains to publish the corresponding DNS records. In addition, policymakers or major email providers may also consider enforcing certain sensitive domains (e.g., banks, government agencies) to publish their SPF/DKIM/DMARC records to prevent being impersonated. The challenge is how to realize these ideas without disrupting any of the normal operations of the existing email services.

Reducing the Deployment Difficulty.     One direction to improve the adoption rate of anti-spoofing protocols is to make it easy to deploy and configure. Our user study reveals two key problems to address. First, more organizations start to use cloud-based email services (e.g., Google G-Suite, Amazon WorkMail, Office 365). Anti-spoofing protocols should be more cloud-friendly for organizations that don’t have full controls on their mail servers. Second, the deployment process should be further simplified and providers email administrators with more controls. The biggest concern from email administrators is that anti-spoofing protocols may reject legitimate emails or get their own emails rejected. One direction of improvement is to allow the protocol to run in a testing mode (e.g., in DMARC), allowing email administrators to fully assess the impact before real deployment.

V-B Implications for Email Providers

In the short term, email providers are still unlikely to be able to authenticate all the incoming emails. While email providers should act as “good Internet citizens” by publishing their own authentication records, it is also necessary to help to “educate” their users to watch out for spoofing emails. Given the current adoption rate of anti-spoofing protocols (and the relaxed protocol configurations), it is likely that email providers will still have to deliver certain unverified emails to the user inbox. Email providers should act more responsibly by providing the authentication results available for the user to check, or proactively warn users of emails that they are not able to verify. Large email providers such as Gmail and Outlook are already moving towards this direction. Currently, Gmail’s authentication results are available through the webmail interface, but unfortunately not yet available on the mobile app interface. Further research is needed to improve the current mobile email UI to better support security features.

V-C Implications for Users

Given the current situation, users are at the most vulnerable position. Particularly, considering the usability flaws of the existing anti-spoofing protocols, an email that passed the SPF/DKIM checks can still be a spoofed email (e.g., with misaligned addresses). Similarly, emails that failed the SPF/DKIM checks are not necessarily malicious (e.g., forwarded email). To this end, unless the user is fully aware of the authentication details, it is safer for general email users to avoid establishing the trust based on the sender domains. The trustworthiness of the email should be assessed as a whole. It is more reliable to leverage the context of the email exchange, and the external confirmation channels (e.g., calling the sender on the phone) to identify phishing attempts and securely handle critical emails.

Vi Limitations

The scale of the user study is still small, which limits us from producing any statistically significant results. We argue that our contribution is to provide a “qualitative” understanding of the problem space, which lays the groundwork for future quantitative research. For example, one future direction is to conduct surveys to understand what types of domains are more likely to adopt anti-spoofing protocols, and how domain attributes (e.g., service type, popularity, sensitivity) affect the domain owners’ decision.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

V Discussion

So far, we have explored the challenges for SPF, DKIM and DMARC to receive a wide adoption. Next, we discuss the key implications to protocol designers, email providers, and the end users.

V-a Implications for Protocol Designers and Promoters

Improving the Perceived Usefulness.     The security and usability issues in SPF, DKIM and DMARC negatively impact their perceived usefulness. To improve the perceived usefulness, addressing these security and usability issues becomes the first priority. Currently, an IETF group is working on a new protocol called Authenticated Received Chain (ARC) [18] which is expected to address email forwarding problem and the mailing list problem. However, this also adds to the number of protocols that domain owners need to deploy. New protocols will have their own challenges to be accepted. For example, the DMARC protocol, even though incrementally deployable, only achieved a 4.6% adoption rate in the past two years. A useful protocol will still face the challenge to be widely adopted.

Building the Critical Mass.     Currently, there is a lack of strong consensus to deploy anti-spoofing protocols. Like many networking protocols, anti-spoofing protocols will provide key benefits only after enough domains start to publish their SPF, DKIM or DMARC records. To bootstrap the adoption and establish a critical mass, external incentive mechanisms are needed. In theory, we can adjust the rewarding function to provide more benefits to early adopters to create a positive net effect [30]. One possible direction is to learn from the promotion of “HTTPS” among websites [12]: modern browsers will display a trusted icon for websites with valid TLS certificates. Similar security indicators can be added to emails with verified sender domains (by SPF, DKIM and DMARC), to incentive domains to publish the corresponding DNS records. In addition, policymakers or major email providers may also consider enforcing certain sensitive domains (e.g., banks, government agencies) to publish their SPF/DKIM/DMARC records to prevent being impersonated. The challenge is how to realize these ideas without disrupting any of the normal operations of the existing email services.

Reducing the Deployment Difficulty.     One direction to improve the adoption rate of anti-spoofing protocols is to make it easy to deploy and configure. Our user study reveals two key problems to address. First, more organizations start to use cloud-based email services (e.g., Google G-Suite, Amazon WorkMail, Office 365). Anti-spoofing protocols should be more cloud-friendly for organizations that don’t have full controls on their mail servers. Second, the deployment process should be further simplified and providers email administrators with more controls. The biggest concern from email administrators is that anti-spoofing protocols may reject legitimate emails or get their own emails rejected. One direction of improvement is to allow the protocol to run in a testing mode (e.g., in DMARC), allowing email administrators to fully assess the impact before real deployment.

V-B Implications for Email Providers

In the short term, email providers are still unlikely to be able to authenticate all the incoming emails. While email providers should act as “good Internet citizens” by publishing their own authentication records, it is also necessary to help to “educate” their users to watch out for spoofing emails. Given the current adoption rate of anti-spoofing protocols (and the relaxed protocol configurations), it is likely that email providers will still have to deliver certain unverified emails to the user inbox. Email providers should act more responsibly by providing the authentication results available for the user to check, or proactively warn users of emails that they are not able to verify. Large email providers such as Gmail and Outlook are already moving towards this direction. Currently, Gmail’s authentication results are available through the webmail interface, but unfortunately not yet available on the mobile app interface. Further research is needed to improve the current mobile email UI to better support security features.

V-C Implications for Users

Given the current situation, users are at the most vulnerable position. Particularly, considering the usability flaws of the existing anti-spoofing protocols, an email that passed the SPF/DKIM checks can still be a spoofed email (e.g., with misaligned addresses). Similarly, emails that failed the SPF/DKIM checks are not necessarily malicious (e.g., forwarded email). To this end, unless the user is fully aware of the authentication details, it is safer for general email users to avoid establishing the trust based on the sender domains. The trustworthiness of the email should be assessed as a whole. It is more reliable to leverage the context of the email exchange, and the external confirmation channels (e.g., calling the sender on the phone) to identify phishing attempts and securely handle critical emails.

Vi Limitations

The scale of the user study is still small, which limits us from producing any statistically significant results. We argue that our contribution is to provide a “qualitative” understanding of the problem space, which lays the groundwork for future quantitative research. For example, one future direction is to conduct surveys to understand what types of domains are more likely to adopt anti-spoofing protocols, and how domain attributes (e.g., service type, popularity, sensitivity) affect the domain owners’ decision.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

Vi Limitations

The scale of the user study is still small, which limits us from producing any statistically significant results. We argue that our contribution is to provide a “qualitative” understanding of the problem space, which lays the groundwork for future quantitative research. For example, one future direction is to conduct surveys to understand what types of domains are more likely to adopt anti-spoofing protocols, and how domain attributes (e.g., service type, popularity, sensitivity) affect the domain owners’ decision.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

Vii Conclusion

In this paper, we examine why email spoofing is (still) possible in today’s email system. We show that extensive efforts are needed to address the technical issues in the protocol design and develop external enforcement (or incentives) to bootstrap the protocol adoption. In addition, improved user interfaces are needed for email systems to allow users to proactively check the email authentication results.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.

References

  • [1] B. Aboba and D. Thaler, “What makes for a successful protocol?” RFC5218, 2008, https://tools.ietf.org/html/rfc5218.
  • [2] S. I. Ahmed, M. R. Haque, S. Guha, M. R. Rifat, and N. Dell, “Privacy, security, and surveillance in the global south: A study of biometric mobile sim registration in bangladesh,” in Proc. of CHI’17, 2017.
  • [3] R. Böhme, “Internet protocol adoption: Learning from bitcoin,” in Proc of IAB Workshop on Internet Technology Adoption and Transition (ITAT’13), 2013.
  • [4] T. Chung, R. van Rijswijk-Deij, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Understanding the Role of Registrars in DNSSEC Deployment,” in Proc. of IMC’17, 2017.
  • [5] L. Colitti, S. H. Gunderson, E. Kline, and T. Refice, “Evaluating ipv6 adoption in the internet,” in Proc of PAM’10, 2010.
  • [6] M. K. D. Crocker, T. Hansen, “Domainkeys identified mail (dkim) signatures,” ser. RFC6376, 2011.
  • [7] P. Dewan, A. Kashyap, and P. Kumaraguru, “Analyzing social and stylometric features to identify spear phishing emails,” in Proc. of eCrime’14, 2014.
  • [8] T. Dickfeld, “Quo vadis ventricular tachycardia ablation: new horizons and developments,” Expert Review of Medical Devices, vol. 8, no. 2, pp. 131–133, 2011.
  • [9] S. Duman, K. Kalkan-Cakmakci, M. Egele, W. K. Robertson, and E. Kirda, “Emailprofiler: Spearphishing filtering with header and stylometric features of emails,” in Proc. of ACSAC’16, 2016.
  • [10] Z. Durumeric, D. Adrian, A. Mirian, J. Kasten, E. Bursztein, N. Lidzborski, K. Thomas, V. Eranti, M. Bailey, and J. A. Halderman, “Neither snow nor rain nor mitm: An empirical analysis of email delivery security,” in Proc. of IMC’15, 2015.
  • [11] FBI, “Grizzly steppe: Russian malicious cyber activity,” FBI and DHS report, 2016, https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf.
  • [12] A. P. Felt, R. Barnes, A. King, C. Palmer, C. Bentzel, and P. Tabriz, “Measuring HTTPS adoption on the web,” in Proc. of USENIX Security’17, 2017.
  • [13] I. Fette, N. Sadeh, and A. Tomasic, “Learning to detect phishing emails,” in Proc. of WWW’07, 2007.
  • [14] I. D. Foster, J. Larson, M. Masich, A. C. Snoeren, S. Savage, and K. Levchenko, “Security by any other name: On the effectiveness of provider based email security,” in Proc. of CCS’15, 2015.
  • [15] G. Ho, A. Sharma, M. Javed, V. Paxson, and D. Wagner, “Detecting credential spearphishing in enterprise settings,” in Proc. of USENIX Security’17, 2017.
  • [16] J. Hong, “The state of phishing attacks,” Communications of the ACM, vol. 55, no. 1, 2012.
  • [17] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, “Social phishing,” Communications of the ACM, vol. 50, no. 10, 2007.
  • [18] E. S. J. E. M. K. E. K. Andersen, B. Long, “Authenticated received chain (arc) protocol,” ser. Internet-Draft’17, 2017, https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-09.
  • [19] M. L. Katz and C. Shapiro, “Technology adoption in the presence of network externalities,” Journal of political economy, vol. 94, no. 4, pp. 822–841, 1986.
  • [20] S. Kim, J. Mankoff, and E. Paulos, “Exploring barriers to the adoption of mobile technologies for volunteer data collection campaigns,” in Proc. of CHI’15, 2015.
  • [21] S. Kitterman, “Sender policy framework (spf),” ser. RFC7208, 2014, https://tools.ietf.org/html/rfc7208.
  • [22] V. Krammer, “Phishing defense against idn address spoofing attacks,” in Proc. of PST’06, 2006.
  • [23] P. Kumaraguru, Y. Rhee, A. Acquisti, L. F. Cranor, J. Hong, and E. Nunge, “Protecting people from phishing: The design and evaluation of an embedded training email system,” in Proc. of CHI’07, 2007.
  • [24] P. Lai, “The literature review of technology adoption models and theories for the novelty technology,” Journal of Information Systems and Technology Management, vol. 14, pp. 21 – 38, 04 2017.
  • [25] J. Lindley, P. Coulton, and M. Sturdee, “Implications for adoption,” in Proc. of CHI’17, 2017.
  • [26] E. Z. M. Kucherawy, “Domain-based message authentication, reporting, and conformance (dmarc),” ser. RFC7489, 2015, https://tools.ietf.org/html/rfc7489.
  • [27] Malwarebytes, “Understanding the depth of the global ransomware problem,” 2016, https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf.
  • [28] D. K. McGrath and M. Gupta, “Behind phishing: An examination of phisher modi operandi,” in Proc. of LEET’08, 2008.
  • [29] C. M.Y., “Overview of the technology acceptance model: Origins, developments and future directions,” Sprouts: Working Papers on Information Systems, vol. 9, no. 37, 2009.
  • [30] A. Ozment and S. E. Schechter, “Bootstrapping the adoption of internet security protocols,” in Proc. of WEIS’06, 2006.
  • [31] S. L. Parente and E. C. Prescott, “Barriers to technology adoption and development,” Journal of political Economy, vol. 102, no. 2, pp. 298–321, 1994.
  • [32] PhishMe, “Ransomware delivered by 97% of phishing emails by end of q3 2016 supporting booming cybercrime industry,” 2016, https://phishme.com/ransomware-delivered-97-phishing-emails-end-q3-2016-supporting-
    booming-cybercrime-industry/.
  • [33] J. B. Postel, “Simple mail transfer protocol,” ser. RFC821, 1982, https://tools.ietf.org/html/rfc821.
  • [34] P. Prakash, M. Kumar, R. R. Kompella, and M. Gupta, “Phishnet: Predictive blacklisting to detect phishing attacks,” in Proc. of INFOCOM’10, 2010.
  • [35] Proofpoint, “Threat summary and year in review,” 2016, https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf.
  • [36] P. Resnick, “Internet message format,” ser. RFC5321, 2001, https://www.ietf.org/rfc/rfc2822.txt.
  • [37] M. Risher, “Protecting you against phishing,” Google Security Blog, 2017, https://security.googleblog.com/2017/05/protecting-you-against-phishing.html.
  • [38] E. M. Rogers, Diffusion of Innovations, 5th Edition, 5th ed., 2003.
  • [39] V. Venkatesh and H. Bala, “Technology acceptance model 3 and a research agenda on interventions,” Decision Sciences, vol. 39, no. 2, pp. 273–315, 2008.
  • [40] V. Venkatesh and F. D. Davis, “A theoretical extension of the technology acceptance model: Four longitudinal field studies,” Management Science, vol. 46, no. 2, pp. 186–204, 2000.
  • [41] Verizon, “Data breach investigations report,” 2017, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.