EN-Bypass：针对邮件代发提醒机制的安全评估方法

doi:10.11959/j.issn.2096-109x.2023041

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (3): 90-101.doi: 10.11959/j.issn.2096-109x.2023041

EN-Bypass：针对邮件代发提醒机制的安全评估方法

袁静怡, 李子川, 彭国军

武汉大学国家网络安全学院空天信息安全与可信计算教育部重点实验室，湖北武汉 430072

修回日期:2023-05-30 出版日期:2023-06-25 发布日期:2023-06-01
作者简介:袁静怡（1998- ），女，湖南常德人，武汉大学硕士生，主要研究方向为网络安全
李子川（1999- ），男，河北邯郸人，武汉大学硕士生，主要研究方向为网络安全
彭国军（1979- ），男，湖北荆州人，武汉大学教授、博士生导师，主要研究方向为网络安全、信息系统安全
基金资助:
国家自然科学基金(62172308);国家自然科学基金(U1626107);国家自然科学基金(61972297);国家自然科学基金(62172144)

EN-Bypass: a security assessment method on e-mail user interface notification

Jingyi YUAN, Zichuan LI, Guojun PENG

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China

Revised:2023-05-30 Online:2023-06-25 Published:2023-06-01
Supported by:
The National Natural Science Foundation of China(62172308);The National Natural Science Foundation of China(U1626107);The National Natural Science Foundation of China(61972297);The National Natural Science Foundation of China(62172144)

摘要/Abstract

摘要：

电子邮件是人们日常生活、工作中非常重要的通信手段，往往被攻击者作为钓鱼攻击的入口，而发件人伪造则是实现邮件钓鱼攻击的关键步骤。为防止发件人伪造攻击，邮件厂商往往会部署 SPF、DKIM和 DMARC 等邮件安全协议来验证发件人身份，除此之外，部分厂商会在前端添加代发提醒机制辅助用户判断邮件的真实来源，以降低用户受到钓鱼邮件威胁的可能。但是业界并没有统一标准对代发提醒机制的实现进行规范，各厂商的代发提醒机制实现各不相同，其实现上能否有效防止发件人伪造攻击仍缺少测试和验证。对邮件服务厂商代发提醒机制进行研究，旨在评估厂商邮件代发提醒机制的安全性，消除攻击者绕过代发提醒机制实现发件人伪造的潜在安全威胁。对10个国内外邮件厂商进行调研，其中有7个厂商部署了代发提醒机制。在测试基础上提出了一种新型发件人伪造攻击——EN-Bypass 攻击，该攻击通过构造和变换邮件头中的From和Sender字段，绕过邮件代发提醒机制以实现发件人伪造。为了自动化验证代发提醒机制的安全性和可靠性，基于EN-Bypass攻击的思路实现了工具EmailSenderChecker，用于对厂商代发提醒机制进行自动化测试。实验结果表明，7 个厂商的代发提醒机制均存在不同程度的安全漏洞，攻击者通过构造特殊的邮件头部可以绕过代发提醒机制，实现发件人伪造攻击。最后，为了提高邮件服务的安全性，就邮件厂商代发提醒机制存在的问题，向邮件服务厂商提出了安全建议。

关键词: 电子邮件, 邮件安全, 发件人伪造, 安全扩展协议

Abstract:

Email plays an important role in people’s daily communications, while also attracts the attention of hackers.Email is frequently used in phishing attacks, with email sender spoofing being a key step.To prevent sender-spoofing attacks, email vendors often deploy email security protocols such as SPF, DKIM, and DMARC to verify the sender’s identity.Moreover, some vendors add email UI notification mechanism on email clients to help users identify the real sender.However, there is no uniform standard in the implementation of the email UI notification mechanism, which varies among vendors.Whether the mechanism effectively prevents sender-spoofing attacks still needs verification.In this paper, the security evaluation of the email UI notification mechanism was studied to gain better understanding of its efficacy and to eventually protect users from sender-spoofing attacks.Ten world-famous email services were researched and evaluated, of which seven deployed the email UI notification mechanism.Consequently, a new type of sender-spoofing attack was proposed which was called EN-Bypass, aiming to bypass the email UI notification mechanism by forging the “From” and “Sender” fields in the email header.To verify the email UI notification mechanism’s security and reliability, EmailSenderChecker was implemented, which can automatically evaluate the existence of the EN-Bypass attack.The result shows that all seven email service vendors suffer from EN-Bypass attack.Attackers could bypass the email UI notification mechanism by constructing special email headers and spoofing the sender.Finally, to improve the mail service security, three suggestions about the email UI notification mechanism were proposed for the mail service vendors.

Key words: e-mail, e-mail security, sender spoofing, security extension protocol

中图分类号:

TP393

袁静怡, 李子川, 彭国军. EN-Bypass：针对邮件代发提醒机制的安全评估方法[J]. 网络与信息安全学报, 2023, 9(3): 90-101.

Jingyi YUAN, Zichuan LI, Guojun PENG. EN-Bypass: a security assessment method on e-mail user interface notification[J]. Chinese Journal of Network and Information Security, 2023, 9(3): 90-101.

图/表 11

图1

表1

图2

图3

表2

图4

图5

表3

表4

图6

表5

参考文献 12

[1]	AL-MUSIB N S , AL-SERHANI F M , HUMAYUN M ,et al. Business email compromise (BEC) attacks[J]. Materials Today:Proceedings, 2021.
[2]	WONG M , SCHLITT W . Request for comments 7208,sender policy framework (SPF) for authorizing use of domains in email,version 1[S]. RFC Editor, 2006.
[3]	CROCKER D , HANSEN T , KUCHERAWY M . Request for comments 6376,Domainkeys identified mail (dkim) signatures[S]. RFC Editor, 2011.
[4]	KUCHERAWY M , ZWICKY E . Request for comments 7489,domain-based message authentication,reporting,and conformance (DMARC)[S]. RFC Editor, 2015.
[5]	HU H , PENG P , WANG G . Towards understanding the adoption of anti-spoofing protocols in email systems[C]// IEEE Secure Development Conference (SecDev). 2018: 94-101.
[6]	HU H , WANG G . End-to-end measurements of email spoofing attacks[C]// 27th USENIX Security Symposium (USENIX Security 18). 2018: 1095-1112.
[7]	尚菁菁, 朱宇佳, 刘庆云 . 电子邮件安全扩展协议应用分析[J]. 网络与信息安全学报, 2020,6(6): 69-79.
	SHANG J J , ZHU Y J , LIU Q Y . Analysis of security extension protocol in e-mail system[J]. Chinese Journal of Network and Information Security, 2020,6(6): 69-79.
[8]	CHEN J , PAXSON V , JIANG J . Composition kills:a case study of email sender authentication[C]// 29th USENIX Security Symposium (USENIX Security 20). 2020: 2183-2199.
[9]	SHEN K , WANG C , GUO M ,et al. Weak links in authentication chains:a large-scale analysis of email sender spoofing attacks[C]// 30th USENIX Security Symposium (USENIX Security 21). 2021: 3201-3217.
[10]	DECCIO C , YADAV T , BENNETT N ,et al. Measuring email sender validation in the wild[C]// Proceedings of the 17th International Conference on Emerging Networking Experiments and Technologies. 2021: 230-242.
[11]	KLENSIN J . Request for comments 5321,simple mail transfer protocol[S]. RFC Editor, 2008.
[12]	RESNICK P . Request for comments 5322,Internet message format[S]. RFC Editor, 2008.

邮件服务厂商	发件检查	收件检查	DMARC对齐检查	代发提醒
国外厂商A	√	×	√	√
国外厂商B	√	√	√	√
国内厂商C	×	×	×	√
国内厂商D	×	×	×	√
国内厂商E	×	×	×	√
国内厂商F	√	×	×	√
国内厂商G	√	×	√	√
国外厂商H	√	×	√	×
国内厂商I	√	×	×	×
国外厂商J	—	√	√	×

攻击类型	攻击者-被伪造发件人	攻击者-收件人	攻击场景示例
A1	同域伪造	域内发件	攻击者、收件人都拥有同一厂商的邮箱，攻击者伪装为邮箱管理员，向收件人发送带有钓鱼链接的邮件
A2	同域伪造	跨域发件	适用于受害人（收件人）邮箱为企业内部邮箱的攻击场景，攻击者将发件人伪装成发件域内收件人信任的用户，对收件人进行欺骗
B1	跨域伪造	域内发件	攻击者将邮箱伪装成某公司人力资源部门或政府机构的官方邮箱对收件人进行钓鱼或诈骗
B2	跨域伪造	跨域发件	攻击者与收件人不在同一域，攻击者将自己的邮箱伪造成其他域任意邮箱或收件人域内的其他用户。例如，攻击者伪造成企业内部高管，向该企业的员工发送包含恶意附件的邮件

邮件服务厂商	A1（同域伪造-域内发件）	A2（同域伪造-跨域发件）	B1（跨域伪造-域内发件）	B2（跨域伪造-跨域发件）
国外厂商A	×	√	×	×
国外厂商B	×	√	×	×
国内厂商C	√	×	√	×
国内厂商D	√	×	√	×
国内厂商E	√	×	√	×
国内厂商F	×	√	×	√
国内厂商G	×	√	×	√

邮件服务厂商	漏洞类型	攻击方法	时间/s
国外厂商A	A2	伪造From	—
国外厂商B	A2	伪造From	—
国内厂商C	A1.B1	伪造From和Sender	186
国内厂商D	A1,B1	伪造From和Sender	63
国内厂商E	A1,B1	伪造From和Sender	53
国内厂商F	A2,B2	伪造From和Sender	32
国内厂商G	A2,B2	伪造From	—

邮件服务厂商	有效种子数	命中率
国内厂商C	50	11.74%
国内厂商D	184	43.19%

EN-Bypass：针对邮件代发提醒机制的安全评估方法

EN-Bypass: a security assessment method on e-mail user interface notification

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 12

相关文章 2

Metrics

推荐阅读 0

[1]	尚菁菁,朱宇佳,刘庆云. 电子邮件安全扩展协议应用分析[J]. 网络与信息安全学报, 2020, 6(6): 69-79.
[2]	郭川,冷峰. DNSSEC自动化部署相关问题分析[J]. 网络与信息安全学报, 2017, 3(3): 58-63.