Mailsploit: is there a problem with DMARC?

If you are looking for a yes or no answer, the answer is: NO! You can now relax and go grab a cup of coffee. But if you want to learn more, carry on reading.

Rather sensationalist articles recently posted in a number of media outlets claim DMARC can be bypassed due to shortcomings in the way that email clients handle the ‘from’ header. However, after examining the evidence given we’d argue that it’s not a DMARC shortcoming, rather a matter of poor implementation by email clients.

If you compare this to the recent password bug with the Mac High Sierra OS I don’t think we saw anyone claiming that this meant the very concept of passwords is flawed. Instead, people inherently understood that Apple had simply made a mistake when they implemented an update.

So what’s Mailsploit?

Mailsploit is a bug with some email clients where an attacker can trick a naively implemented email header parser into presenting the wrong information to a user.

The method used is not new and exploits like character encoding, cross-site-scripting (XSS) and null byte injections have all long been known by the software community and basic security checks in the development process of those email clients could have prevented this problem.

How does the Mailsploit exploit work?

The attacker encodes the ‘from’ header using base64 or quoted-printable to include the spoofed email address, i.e.:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

The right way of parsing the string above would be to decode ‘cG90dXNAd2hpdGVob3VzZS5nb3Y=’ which results in ‘potus@whitehouse.gov’ and ’00’ which is a null byte (represented as ), resulting in the following email address:

potus@whitehouse.govpotus@whitehouse.gov@mailsploit.com

This email address is not valid per its RFC and should be presented as an error.

What actually happens is that some email clients will stop at the null byte and ignore all the rest, incorrectly displaying the email as ‘potus@whitehouse.gov.’ Other clients will parse the whole thing but stop at the first string that looks like a valid email address, again ‘potus@whitehouse.gov.’

Is DMARC the one to blame?

No, if the parser was correctly implemented the email would have failed to deliver. As per the list published by Sabri Haddouche enterprise providers like Google or Microsoft Office 365 are not affected by it (and affected clients have either fixed it or are in the process of fixing it) so this is no more than another software bug.

The DMARC protocol is innocent. It still remains effective. If you’d like to check your current SPF, DKIM, and DMARC setup quickly and easily, use our free investigate tool.

check email setup

PUBLISHED BY

Randal Pinto

6 Dec. 2017

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Security

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more
News

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more
News

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more
News

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more