Chinese Journal of Network and Information Security ›› 2023, Vol. 9 ›› Issue (3): 90-101.doi: 10.11959/j.issn.2096-109x.2023041


EN-Bypass: a security assessment method on e-mail user interface notification

Jingyi YUAN, Zichuan LI, Guojun PENG   

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  • Revised: 2023-05-30; Online: 2023-06-25; Published: 2023-06-01
  • Supported by:
    The National Natural Science Foundation of China (62172308); The National Natural Science Foundation of China (U1626107); The National Natural Science Foundation of China (61972297); The National Natural Science Foundation of China (62172144)

Abstract:

Email plays an important role in people's daily communications, while also attracting the attention of hackers. Email is frequently used in phishing attacks, with email sender spoofing being a key step. To prevent sender-spoofing attacks, email vendors often deploy email security protocols such as SPF, DKIM, and DMARC to verify the sender's identity. Moreover, some vendors add an email UI notification mechanism to their email clients to help users identify the real sender. However, there is no uniform standard for the implementation of the email UI notification mechanism, which varies among vendors. Whether the mechanism effectively prevents sender-spoofing attacks still needs verification. In this paper, the security of the email UI notification mechanism was evaluated to gain a better understanding of its efficacy and, ultimately, to protect users from sender-spoofing attacks. Ten world-famous email services were researched and evaluated, of which seven deployed the email UI notification mechanism. Consequently, a new type of sender-spoofing attack, called EN-Bypass, was proposed, which aims to bypass the email UI notification mechanism by forging the "From" and "Sender" fields in the email header. To verify the security and reliability of the email UI notification mechanism, EmailSenderChecker was implemented, which can automatically evaluate the existence of the EN-Bypass attack. The results show that all seven email service vendors are vulnerable to the EN-Bypass attack: attackers could bypass the email UI notification mechanism by constructing special email headers and spoofing the sender. Finally, to improve mail service security, three suggestions about the email UI notification mechanism were proposed for mail service vendors.
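The abstract describes EN-Bypass as an inconsistency between the "From" and "Sender" header fields that a client's UI notification fails to surface. The following script is an added example, not the paper's EmailSenderChecker tool, showing the kind of header-consistency check a receiving mail gateway or client could run: it parses raw RFC 5322 headers with Python's standard `email` module and reports when the "Sender" or "Reply-To" domain differs from the "From" domain, or when the "From" display name itself looks like an address on a different domain. The sample messages and the `example.org` / `attacker.example` domains are constructed for illustration; the finding labels are this example's own.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not taken from the paper); domains are placeholders.
LEGITIMATE = """From: Alice <alice@example.org>
To: bob@example.net
Subject: lunch

See you at noon.
"""

# "From" claims example.org, but Sender/Reply-To point elsewhere: the case a
# UI notification is meant to make visible to the user.
SENDER_MISMATCH = """From: "CEO" <ceo@example.org>
Sender: relay@attacker.example
Reply-To: reply@attacker.example
To: bob@example.net
Subject: urgent

Please wire the funds today.
"""

# Display name is written to look like a mailbox on a trusted domain while the
# real address lives on another domain.
DISPLAY_NAME_SPOOF = """From: "alice@example.org" <mail@attacker.example>
To: bob@example.net
Subject: hello

Hi there.
"""


def domain_of(header_value):
    """Return the lowercase domain of a mailbox header value ('' if absent/empty)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess_sender_headers(raw_message):
    """Parse a raw message and return a list of header-consistency findings.

    An empty list means From, Sender and Reply-To all agree on one domain and
    the From display name does not impersonate another address.
    """
    msg = email.message_from_string(raw_message)  # compat32: plain str headers
    findings = []

    from_header = msg["From"]
    from_domain = domain_of(from_header)

    # Sender present and on a different domain than From.
    if msg["Sender"] is not None and domain_of(msg["Sender"]) != from_domain:
        findings.append("sender-domain-mismatch")

    # Reply-To steering replies to a different domain than From.
    if msg["Reply-To"] is not None and domain_of(msg["Reply-To"]) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # Display name that looks like an address on a domain other than the real one.
    display_name, _ = parseaddr(from_header or "")
    if "@" in display_name:
        name_domain = display_name.rpartition("@")[2].lower()
        if name_domain != from_domain:
            findings.append("display-name-address-mismatch")

    # More than one From line is never legitimate and confuses UI rendering.
    if len(msg.get_all("From") or []) > 1:
        findings.append("multiple-from-headers")

    return findings


if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE),
                          ("sender-mismatch", SENDER_MISMATCH),
                          ("display-name-spoof", DISPLAY_NAME_SPOOF)]:
        print(f"{label}: {assess_sender_headers(sample) or 'no findings'}")
```

A client that shows a warning whenever `assess_sender_headers` returns a non-empty list would surface exactly the From/Sender disagreement the paper's attack relies on, independent of how any single vendor chooses to render its notification.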

Key words: e-mail, e-mail security, sender spoofing, security extension protocol
