Patrik Ostrihon COMDOM Software
Reza Rajabiun COMDOM Software and York University
SMTP does not authenticate the sender of a message, so spammers can readily hide their true identities. This has motivated a number of proposals to adopt new standards for authenticating messages; Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) represent two such proposals. Both mechanisms are nevertheless open to abuse by spammers. This paper analyses how spammers exploit SPF and DKIM to hide their true origins and send large volumes of advertisements, or more pernicious content, from compromised networks.
SPF lets a domain owner publish, in DNS, rules identifying which hosts are authorized to use that domain as a sender origin (the envelope MAIL FROM or HELO identity). These rules range from the very simple, such as plain IP address or network listings, to complex rule sets built from mechanisms such as include and mx. With improper configuration, for example a record ending in a permissive "+all" or one that includes the entire address range of a large shared hosting provider, spammers can satisfy the policy without controlling the domain: they send from anywhere, or from a compromised host inside the authorized range, and their spam passes the SPF check. DKIM instead attaches a cryptographic signature to each message, verified against a public key published in the signer's DNS, but it is also vulnerable to spamming techniques aiming to infiltrate and misguide the mechanism; a valid signature shows only that the signing domain took responsibility for the message, not that the message is legitimate. The analysis shows that neither approach credibly constrains the ability of spammers to cloak their identities, and that both will only serve as complements to statistical content filters.
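The following is an added example, not code from the paper or from COMDOM Software, showing how an SPF check evaluates a record and why a permissive configuration lets an unrelated sender pass. It is a deliberately reduced evaluator (no redirect=, exp=, CIDR suffixes on a/mx, or real DNS); all domain names and the in-memory DNS data are constructed for illustration.

```python
"""Reduced SPF (RFC 7208) evaluator over constructed, in-memory DNS data.

Demonstrates: a strict record (ip4 + mx, "-all"), a record that ends in the
permissive "+all", and a record that includes a large shared provider.
"""
import ipaddress

# Constructed zone data standing in for live DNS lookups; every name is hypothetical.
DNS = {
    "strict.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 mx -all",
                       "MX": ["mx.strict.example"]},
    "mx.strict.example": {"A": ["198.51.100.25"]},
    # Misconfigured: "+all" authorizes every host on the Internet.
    "loose.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 +all"},
    # Outsourced mail: every customer of the provider (and any compromised
    # host in its range) can now pass SPF for hosted.example.
    "hosted.example": {"TXT": "v=spf1 include:bulkprovider.example -all"},
    "bulkprovider.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the record(s) of type rtype for name from the constructed table."""
    return DNS.get(name, {}).get(rtype, None if rtype == "TXT" else [])


def addresses(name):
    """A records of name as IP address objects."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_host(ip, domain, depth=0):
    """SPF result for a connection from `ip` claiming `domain` as sender."""
    if depth > 10:  # cap nested includes, as RFC 7208 caps DNS-querying terms
        return "permerror"
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:           # modifiers (redirect=, exp=) are not implemented here
            continue
        qualifier = "+"           # mechanisms default to "+" (pass) when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # version mismatch simply yields False, so ip6 terms ignore IPv4 clients
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in addresses(arg or domain)
        elif name == "mx":
            matched = any(ip in addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include matches only if the included domain's policy yields "pass"
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"    # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"              # no term matched and no explicit "all"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "strict.example"),      # listed network
                       ("198.51.100.25", "strict.example"),   # the domain's MX
                       ("203.0.113.7", "strict.example"),     # stranger: fail
                       ("203.0.113.7", "loose.example"),      # stranger: pass via +all
                       ("198.51.100.9", "hosted.example"),    # any provider customer: pass
                       ("203.0.113.7", "hosted.example")]:    # stranger: fail
        print(f"{ip:>14} as {domain:<22} -> {check_host(ip, domain)}")
```

The two records that a spammer can ride are `loose.example` (a stranger at 203.0.113.7 gets `pass` because `+all` matches everything) and `hosted.example` (any host inside the included provider's /24 gets `pass`, whether or not it belongs to the domain owner). The corrected form is the `strict.example` record: explicit networks, the domain's own MX, and `-all` to reject everything else.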