Mailsploit: is there a problem with DMARC?

If you are looking for a yes or no answer, the answer is: NO! You can now relax and go grab a cup of coffee. But if you want to learn more, carry on reading.

Rather sensationalist articles recently posted in a number of media outlets claim DMARC can be bypassed due to shortcomings in the way that email clients handle the ‘from’ header. However, after examining the evidence given we’d argue that it’s not a DMARC shortcoming, rather a matter of poor implementation by email clients.

If you compare this to the recent password bug with the Mac High Sierra OS I don’t think we saw anyone claiming that this meant the very concept of passwords is flawed. Instead, people inherently understood that Apple had simply made a mistake when they implemented an update.

So what’s Mailsploit?

Mailsploit is a bug with some email clients where an attacker can trick a naively implemented email header parser into presenting the wrong information to a user.

The method used is not new and exploits like character encoding, cross-site-scripting (XSS) and null byte injections have all long been known by the software community and basic security checks in the development process of those email clients could have prevented this problem.

How does the Mailsploit exploit work?

The attacker encodes the ‘from’ header using base64 or quoted-printable to include the spoofed email address, i.e.:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

The right way of parsing the string above would be to decode ‘cG90dXNAd2hpdGVob3VzZS5nb3Y=’ which results in ‘potus@whitehouse.gov’ and ’00’ which is a null byte (represented as ), resulting in the following email address:

potus@whitehouse.govpotus@whitehouse.gov@mailsploit.com

This email address is not valid per its RFC and should be presented as an error.

What actually happens is that some email clients will stop at the null byte and ignore all the rest, incorrectly displaying the email as ‘potus@whitehouse.gov.’ Other clients will parse the whole thing but stop at the first string that looks like a valid email address, again ‘potus@whitehouse.gov.’

Is DMARC the one to blame?

No, if the parser was correctly implemented the email would have failed to deliver. As per the list published by Sabri Haddouche enterprise providers like Google or Microsoft Office 365 are not affected by it (and affected clients have either fixed it or are in the process of fixing it) so this is no more than another software bug.

The DMARC protocol is innocent. It still remains effective. If you’d like to check your current SPF, DKIM, and DMARC setup quickly and easily, use our free investigate tool.

check email setup

PUBLISHED BY

Randal Pinto

6 Dec. 2017

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more
DMARC

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more
DMARC

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more
News

Announcing the beta for Red Sift Radar: An LLM Assistant for Security…

Rahul Powar

We are delighted to announce the beta for Red Sift Radar – our new LLM assistant for security teams. With Red Sift Radar, teams will be able to use an LLM to automate manual checks, drive security consistency, and build bridges with less technical teams. To bring this to life, we have taken base…

Read more