Cyber Security Alert: Do you use MailChannels? 2M domains open to phishing attacks.


Overview: Security researchers recently uncovered a straightforward method to spoof more than 2 million domains, raising significant concerns in the cyber security community.

Risk Factor: Critical

Date: Sept 2023


Solace Cyber security specialists can perform a detailed mail security review and assist you with your supply chain risk.

What We Know About The MailChannels Spoofing Issue

The news follows the recent DEF CON hacking conference, where Marcello Salvati, a researcher affiliated with Rapid7, gave an eye-opening talk demonstrating how the “biggest transactional email service” and Cloudflare could be leveraged to circumvent the safeguards of SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Although the findings shared in the talk have since been partially mitigated, particularly for Cloudflare Workers and MailChannels, a serious concern remains.

What is the ongoing risk to MailChannels Users?

The issue poses a substantial risk for MailChannels customers, as well as those whose hosting providers rely on their services. Even if your domain has SPF and DMARC measures well-configured, the possibility remains that your domain could be maliciously spoofed by other MailChannels customers.

This alarming revelation underscores the persistent challenges in ensuring the security and authenticity of email communications, compelling organisations to remain vigilant and consider additional protective measures to safeguard their digital identities.

What’s The Impact on MailChannels Services?

Including the MailChannels SPF record in your domain's SPF may expose the domain and its users to impersonation. A fix has recently been introduced to address this concern; however, because a significant portion of the 2 million domains has not applied it, the door remains open to widespread misuse of the MailChannels service.

The researcher highlights the absence of sender identity verification: anyone can register on the MailChannels website for a mere $80 and use its “normal” SMTP relay to spoof the domains of other MailChannels customers.

A further finding concerns the adoption of ARC (Authenticated Received Chain), an email authentication mechanism which inherently reduces spam scores.

Solace Cyber’s threat researchers have validated these findings over SMTP as genuine threats, emphasising the importance of organisations implementing countermeasures promptly.

Solace Cyber Recommendations

Ensure that your organisation has adequate email safeguards activated, including SPF, DMARC, and DKIM protocols.

Confirm the integrity of your SPF record and check whether it references MailChannels; if it does, the entry will look like this: “include:relay.mailchannels.net”. Review whether every other entry in your SPF record is still needed, and if the MailChannels entry is unnecessary, remove it from your SPF configuration along with any other superfluous entries.

Alternatively, if you require the MailChannels SPF record, add the recommended MailChannels lockdown TXT record. You may need to speak to your webhosting provider.

  1. Create a DNS TXT record named _mailchannels.yourdomain.com, replacing yourdomain.com with your domain name.
  2. In that TXT record, specify one or more MailChannels account ids (auth) or sender ids (senderid) that are permitted to send email for your domain, using the following syntax: v=mc1 auth=myhostingcompany senderid=mysenderid
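As an added illustration of the two checks above (example code written for this page, not Solace Cyber's or MailChannels' own tooling): a small Python checker that, given the TXT strings already fetched for a domain and for its _mailchannels subdomain, reports whether the domain authorises the MailChannels relay in SPF and whether a lockdown record restricts who may use it. The sample records are constructed and the example.* names are placeholders, not real domains' DNS data.

```python
MC_INCLUDE = "include:relay.mailchannels.net"

def parse_spf(txt_records):
    """Return the domain's single v=spf1 record; None if absent or duplicated (invalid per RFC 7208)."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_lockdown(txt_records):
    """Parse a _mailchannels record (v=mc1 auth=... senderid=...) into id sets; None if absent."""
    for r in txt_records:
        fields = r.split()
        if not fields or fields[0].lower() != "v=mc1":
            continue
        allowed = {"auth": set(), "senderid": set()}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key.lower() in allowed and value:
                allowed[key.lower()].add(value)
        return allowed
    return None

def assess(domain_txt, lockdown_txt):
    """Classify exposure from the TXT strings at <domain> and at _mailchannels.<domain>."""
    spf = parse_spf(domain_txt)
    if spf is None or MC_INCLUDE not in spf.lower().split():
        # Caveat: only a direct include is detected; a hosting provider's include
        # that itself pulls in relay.mailchannels.net would need to be expanded.
        return "not-exposed"
    lockdown = parse_lockdown(lockdown_txt)
    if lockdown is None or not (lockdown["auth"] or lockdown["senderid"]):
        return "exposed"      # SPF trusts the shared relay and nothing restricts who may use it
    return "locked-down"      # only the listed account / sender ids may relay for this domain

# Constructed sample answers standing in for real DNS TXT lookups (not real domains' records).
SAMPLES = {
    "example.com": (["v=spf1 include:relay.mailchannels.net -all"], []),
    "example.net": (["v=spf1 include:relay.mailchannels.net -all"],
                    ["v=mc1 auth=myhostingcompany senderid=mysenderid"]),
    "example.org": (["v=spf1 mx -all"], []),
}

if __name__ == "__main__":
    for name, (txt, lock) in SAMPLES.items():
        print(f"{name}: {assess(txt, lock)}")
```

In practice the two TXT string lists come from a DNS lookup of the domain and of _mailchannels.<domain>; a domain reported as "exposed" is one whose SPF trusts the shared relay without a lockdown record naming its own account or sender ids.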

Furthermore, it is advisable to evaluate your supply chain for potential vulnerabilities in their email configurations.
