Security News > 2023 > February > If you're struggling to secure email forwarding, it's not you, it's ... the protocols

In a preprint paper titled, "Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy," scheduled to appear at the 8th IEEE European Symposium on Security and Privacy in July, authors Enze Liu, Gautam Akiwate, Mattijs Jonker, Ariana Mirian, Grant Ho, Geoffrey Voelker, and Stefan Savage show that email messages can be easily spoofed despite the existence of supposed defenses.

The researchers, affiliated with UC San Diego and Stanford University in the US, and University of Twente in the Netherlands, reveal that attackers can still easily take advantage of security issues arising from email forwarding.

One problem, the boffins explain, is that forwarding involves at least three parties and that the authenticity of email commonly gets decided by the party with the weakest security settings.

The boffins describe four different email spoofing attacks, each of which works with a different set of commercial email providers.

These involve abusing relaxed forwarding validation, exploiting vulnerabilities in ARC implementations, and laundering spoofed email through mailing lists.

"While there are certain short-term mitigations that will significantly reduce the exposure to the attacks we have described here, ultimately email requires a more solid security footing if it is to effectively resist spoofing attacks going forwards," the paper concludes.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/02/19/forwarding_email_security/