Three email standards too porous

Caute_cautim · ‎08-18-2023

Hi All

It appears that standards for e-mail according to Cloudflare are too porous including SPF, DKIM, and framework DMARC.

https://www.darkreading.com/vulnerabilities-threats/3-major-email-security-standards-falling-down-on...

Perhaps they need some assistance from ChatGPT or Generative AI?

Regards

Caute_Cautim

JoePete · ‎08-18-2023

Email has become one of the most difficult and expensive services to administer, largely due to the constant "next great idea" (DKIM, SPF, DMARC) to protect users. In turn, businesses and consumers have gravitated toward putting their email with one of a handful of providers, which carries a whole separate risk (how's Outlook 365 working out for the government?).

A lot of these issues can be fixed rather simply (flame away/launch your Shmoo balls):

Stop reading HTML email - certainly for anything outside your domain.
Stop sending HTML email - it's the equivalent of sneezing in someone's face in the midst of a cyber pandemic. But more important it doesn't do what you think it does, especially once outside your own domain/ecosystem.
Better email client choices. That's pretty simple. If your all-in-one client seamlessly opens attachments or renders embedded content, that's like deciding to eat the chewing gum off the bus floor. No matter how clean the thing looks, you're going to get any garbage that's been embedded.

Certainly, moving beyond the client there are things that do help (DNSSEC, SPF), but we have to get past this notion that we can keep the inbox clean. No, spam, phishing, and even malware will find its way to you inbox. Accept that, and stop using clients and practices that obfuscate these dangers for no good reason.

JKWiniger · ‎08-18-2023

This article lost me at : (89%) of unwanted messages passed a check of at least one of the three major email security standards. To me it makes the article seem silly because this would be an issue is they passed all of the standards and got through, but it does not mention if any at all got through. Or did I miss that part?

Nothing is perfect, and nothing ever will be, but it you have these in place and do some education for the things get get though there should not be much of an issue. I would hope people and companies scan outgoing requests and block things going to know bad sites.

John-

JoePete · ‎08-18-2023

@JKWiniger wrote:
This article lost me at : (89%) of unwanted messages passed a check of at least one of the three major email security standards. To me it makes the article seem silly because this would be an issue is they passed all of the standards

I agree. My guess would be most passed DMARC, whose purpose isn't so much to filter email or validate domains or senders. It's just a resource to help resolve issues. As they even quote in the article, you need a multi-layered approach. This is just CloudFlare generating free publicity: "Here we did a study and it means absolutely nothing, but we'll tell people its news."

denbesten · ‎08-18-2023

@JoePete wrote:
Email has become one of the most difficult and expensive services to administer, largely due to the constant "next great idea" (DKIM, SPF, DMARC) to protect users.

I believe the primary limitation is trying to maximize interoperability with other companies who are not keeping up with the standards. This has resulted in the "next great idea" being watered down until it does not actually solve the problem.

Stop reading HTML email - certainly for anything outside your domain

Unfortunately, avoiding HTML does not address the problem reported in the article -- detecting forgeries and separating the good from the spam. As I see it, the only real "fix" is some sort of sender-validation that depends upon technologies like public-key-infrastructure, digital signatures, extended-validation, etc.

DKIM is part-way there, but does not protect end-to-end and there is no way to enforce its use without compromising interoperability in ways that focus the blame on the laggard on the other end, instead of the tech-forward recipient.

I do think you are onto something, though. Disabling HTML when the sender has not been positively identified might well create the necessary incentive to get the laggards to play ball.

JoePete · ‎08-18-2023

@denbesten wrote:
Disabling HTML when the sender has not been positively identified might well create the necessary incentive to get the laggards to play ball.

Yes, that kind of triage/intelligence would be useful. When we strip away all the periphery, email is a world-writeable/user-readable file. Email is not designed to authenticate to the recipient server. To me, I think we need to stop trying to use the dumptruck of authentication, DNS records, etc. in an effort to build a sports car of content-filtering.

Do we really care that Fred@Fred.com is really Jane@verizon.com ? No, as a matter of fact, as long Jane authenticates to version's smtp server, that server doesn't care what the envelope says. SPF doesn't care either. As long as there is a DNS record saying verizon can send on behalf of fred.com, all's good. The problem is the content hitting the inbox: Is it is spam, is it malware, is it phishing? Sure, we can try to use authentication on SMTP servers and authorization via SPF to triangulate an answer to whether we trust the content, but I see the problem as a content one - not authentication or authorization.

Boren4 · ‎08-21-2023

Nearly 90% of malicious emails manage to get past SPF, DKIM, or DMARC, MyBalanceNow since threat actors are apparently using the same filters as legitimate users.