Towards the Adoption of Anti-spoofing Protocols for Email Systems

Email spoofing is a critical step in phishing, where the attacker impersonates someone the victim knows or trusts. In this paper, we conduct a qualitative study to explore why email spoofing is still possible after years of efforts to develop and deploy anti-spoofing protocols (e.g., SPF, DKIM, DMARC). First, we measure protocol adoption by scanning 1 million Internet domains. We find that adoption rates are still low, especially for the new DMARC (3.1%). Second, to understand the reasons behind the low adoption rate, we collect 4293 discussion threads (25.7K messages) from the Internet Engineering Task Force (IETF), a working group formed to develop and promote Internet standards. Our analysis shows key security and usability limitations in the protocol design, which make it difficult to generate a positive "net effect" for wide adoption. We validate our results by interviewing email administrators and discuss key implications for future anti-spoofing solutions.
