Exploiting the Trust Hierarchy among Email Systems
This paper presents a critique of the current state of the trust hierarchy found among SMTP-based email systems. We evaluate current trends and present real evidence that the prevalence of ad-hoc initiatives for trust classification is a potential risk in itself. In that sense, we describe a vulnerability found in Google's free email service (Gmail) that allows an attacker to exploit the existing trust hierarchy between email providers in order to assemble powerful spam and phishing attacks. We demonstrate this vulnerability by crafting a proof-of-concept attack tool that is able to send unlimited, whitelisted, open-relayed spam and phishing messages through Google's email servers, thus giving concrete evidence of the presented threat.