Is Mailsploit for real?
Earlier this week, the developer Sabri Haddouche announced with great fanfare a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks,” under the name Mailsploit. He found bugs in more than 30 different email apps that supposedly circumvented email protocols such as DMARC, DKIM and SPF, the holy trinity of protection that I have written about extensively on my blog here and in past newsletters.
There are actually two different attack vectors mentioned on the Mailsploit website. The first has to do with malformed mail headers, using punycode character sets for email spoofing. The second has to do with XSS and code injection attacks in the message bodies. Let’s address them in order.
The spoofing attack isn’t really new. While email clients have some issues, what Mailsploit is saying is far from the Chicken Little scenario. DMARC et al. are still sound, and these exploits have little or nothing to do with them. The second XSS attack is more serious, and certain email clients will need patching.
Contributing to the bad information here are my colleagues in the trade press. Wired says: “Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.” Well yes, that is essentially true. But not news. Catalin Cimpanu of Bleeping Computer, who normally is very accurate with his reporting, says this email spoofing attack circumvents all modern anti-spoofing protection mechanisms such as DMARC (DKIM/SPF) or various spam filters. That is just false.
“Mailsploit fools DMARC in much the same way that putting Donald J. Trump as your display name in Gmail ‘fools DMARC.’ That is to say, not at all,” says a post on Valimail’s blog. John Wilson from Agari has a similar response on their blog. Note: Both Valimail and Agari sell DMARC-based protection services, so they have some vested interest here. But that doesn’t excuse the sloppy reporting.
The spoofing issue is how punycode characters are interpreted and displayed, which is an issue that I recently wrote about in this newsletter. This has to do with how clients interpret non-Latin alphabets, and has been a staple of phishing attacks for years.
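To make the point in the previous paragraphs concrete (a display name is free text that DMARC never looks at, and the thing DMARC aligns on is the domain of the actual address in the From header), here is a small checker written for this newsletter, not code from Haddouche or the Mailsploit site. It parses a From header with Python's standard library, decodes any RFC 2047 encoded-word in the display name, pulls out the address DMARC actually evaluates, and flags the patterns a mail gateway or client would want to warn about: a display name that itself looks like an address from another domain, hidden control or non-Latin characters, and punycode (xn--) domains. The sample headers are constructed for the example; the flag names are this example's own.

```python
import email.header
import email.utils
import re
import unicodedata

# Something that looks like an email address inside free text (the display name).
ADDRESS_LIKE = re.compile(r"[^\s<>\"]+@[^\s<>\"]+")

# Constructed sample From header values for the demonstration (not real messages).
SAMPLE_FROM_HEADERS = [
    "Alice Example <alice@example.com>",
    '"support@bank.example" <someone@example.net>',
    # Same trick, but the display name is hidden in a base64 encoded-word.
    "=?utf-8?B?c3VwcG9ydEBiYW5rLmV4YW1wbGU=?= <someone@example.net>",
    # Real address on an internationalized (punycode) domain: bücher.example
    "Buchladen <info@xn--bcher-kva.example>",
]


def decode_display_name(raw_name):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) the way a client would."""
    decoded = []
    for chunk, charset in email.header.decode_header(raw_name):
        if isinstance(chunk, bytes):
            decoded.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            decoded.append(chunk)
    return "".join(decoded)


def idna_to_unicode(domain):
    """Turn xn-- (punycode) labels back into the Unicode a client would display."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def analyze_from_header(header_value):
    """Split a From header into what is shown versus what DMARC aligns on."""
    raw_name, addr_spec = email.utils.parseaddr(header_value)
    display_name = decode_display_name(raw_name)
    # DMARC identifier alignment uses the domain of the addr-spec, nothing else.
    domain = addr_spec.rpartition("@")[2].lower()
    flags = []

    # 1. Display name that itself looks like an address at a different domain.
    for look_alike in ADDRESS_LIKE.findall(display_name):
        shown_domain = look_alike.rpartition("@")[2].lower()
        if shown_domain != domain:
            flags.append("display-name-looks-like-other-address")
            break

    # 2. Control or format characters hidden in the display name.
    if any(unicodedata.category(c).startswith("C") for c in display_name):
        flags.append("control-chars-in-display-name")

    # 3. Non-ASCII display name (homoglyph risk for the reader).
    if any(ord(c) > 127 for c in display_name):
        flags.append("non-ascii-display-name")

    # 4. Internationalized (punycode) domain in the real address.
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append("idn-domain")

    return {
        "display_name": display_name,
        "addr_spec": addr_spec,
        "dmarc_domain": domain,
        "domain_as_displayed": idna_to_unicode(domain),
        "flags": flags,
    }


def run_samples():
    """Analyze every constructed sample header and return the results in order."""
    return [analyze_from_header(h) for h in SAMPLE_FROM_HEADERS]


if __name__ == "__main__":
    for header, result in zip(SAMPLE_FROM_HEADERS, run_samples()):
        print(header)
        print("  shown as :", result["display_name"], "/", result["domain_as_displayed"])
        print("  DMARC on :", result["dmarc_domain"])
        print("  flags    :", ", ".join(result["flags"]) or "none")
```

The second and third samples decode to the same display name, and in both the DMARC domain is still example.net; that is the whole Valimail point. The fourth sample shows why the punycode form and the decoded form both need to be surfaced: a client that renders only one of them leaves the user guessing.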
So what should you do? First, look at Haddouche’s spreadsheet of mail clients (a portion shown below) and who has patched and who hasn’t. Most of the major email vendors, including Gmail, Office 365 and Outlook, aren’t affected, and Yahoo has already fixed the vulnerability. (Kudos to Haddouche for working responsibly with the vendors prior to disclosing the issue.)
Second, if you are using an email client that hasn’t been patched, now is the time to switch to one that has. Just in time for consideration is a new free product from ProtonMail called Bridge that will allow you to use their end-to-end encrypted email client with Thunderbird, Apple Mail or Outlook. Bridge will automatically encrypt/decrypt in the background.
Finally, study the punycode attacks of the past so you understand what is going on.