BreakSPF: How to mitigate the attack

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like cloud providers, proxies, or content delivery networks (CDNs). 

BreakSPF capitalizes on this by identifying and abusing such configurations, enabling attackers to bypass SPF checks, send spoofed emails that appear legitimate, and manipulate shared services to evade detection.

BreakSPF attack types

BreakSPF uses three primary forms of attack to exploit SPF vulnerabilities, targeting both HTTP and SMTP servers. These include:

  1. Fixed IP address attacks

In this method, attackers gain long-term control over specific IP addresses, using them as Mail Transfer Agents (MTAs) to send spoofed emails. By leveraging shared infrastructure like cloud servers and proxies, they bypass traditional defenses such as greylisting.

  1. Dynamic IP address attacks

Here, attackers dynamically assess vulnerable domains by monitoring changing outgoing IPs, exploiting them temporarily. This method relies on public infrastructure like serverless functions or CI/CD platforms, making traditional IP blacklisting ineffective. Unlike fixed IP attacks, it avoids reliance on specific IP addresses, increasing complexity and making them more challenging to mitigate.

  1. Cross-protocol attacks

In cross-protocol attacks, hackers embed SMTP data within HTTP packets and use HTTP proxies or CDN exit nodes to forward them to victims. By exploiting shared infrastructures like open HTTP proxies and CDN services, these attacks blend malicious activity with legitimate traffic, making them exceptionally stealthy and difficult to trace.

Misconceptions about SPF that weaken email security

A common misconception about SPF is that it authenticates the visible “From” address seen in email clients. In reality, it verifies the 5321.MailFrom address, also known as the return path or bounce address, only visible in the email headers.

This misunderstanding often leads organizations to incorrectly add every every-sending tool to their SPF records. Email expert Laura Atkins from Word to the Wise explains it well: “One of the errors comes because a lot of folks, even a lot of email experts, don’t always know or remember that there are two separate yet equally important From: addresses in an email.”

SPF should only include mechanisms for messages using your organizational domain in the return path. If a subdomain or a different domain is used in the return path, there’s no need to add it to your main domain’s SPF record since it won’t be checked. Including unnecessary mechanisms wastes valuable SPF lookup space.

Protect against BreakSPF with Red Sift OnDMARC

BreakSPF exploits overly permissive SPF ranges, allowing attackers to bypass DMARC and send malicious emails that appear authenticated. To counter this, it’s essential to review not just failing sources but also passing sources that seem unfamiliar or suspicious.

Red Sift OnDMARC’s Dynamic SPF feature safeguards your domain by continuously analyzing SPF records to identify and resolve over-permissive ranges. This proactive approach helps improve your security posture and reduce your attack surface, ensuring potential vulnerabilities exploited by BreakSPF are addressed before any damage occurs. OnDMARC also detects and fixes gaps in protocol misconfiguration, providing comprehensive protection.

OnDMARC users also benefit from optimized forensic reporting for continuous monitoring across domains and subdomains, including the detection of suspicious IP addresses. Additionally, the Dynamic SPF feature prevents issues with the 10 DNS lookup limit by consolidating all authorized services into a single dynamic include statement. This ensures SPF validation for all legitimate traffic, regardless of the number of sending services used.

Stay ahead of threats like BreakSPFstart your free trial with Red Sift OnDMARC today!

PUBLISHED BY

Red Sift

28 Nov. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more
Certificates

Never miss an expiring certificate again with Red Sift Certificates Lite

Francesca Rünger-Field

SSL/TLS certificates are the backbone of secure, uninterrupted digital experiences—but managing them effectively to prevent downtime remains a persistent challenge. With browser and certificate authorities looking to reduce certificate durations to as little as 90 or even 47 days, keeping track of renewals has never been more critical. That’s why we’re excited to introduce…

Read more
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more