Towards Understanding the Adoption of Anti-Spoofing Protocols in Email Systems

Email spoofing is a critical step in phishing attacks, where the attacker impersonates someone that the victim knows or trusts. Even today, email providers still face key challenges to detect or prevent spoofing, despite the years of efforts to design and develop anti-spoofing protocols (e.g., SPF, DKIM, DMARC). The key problem is that anti-spoofing protocols are not widely adopted, especially for the new DMARC protocol (5.1%). In this paper, we seek to understand the reasons behind the low adoption rates of anti-spoofing protocols. We conduct a user study with N=9 email administrators from different institutions to understand their perceptions towards anti-spoofing protocols. Our result suggests that email administrators are aware of and concerned about the technical weaknesses in SPF, DKIM, and DMARC that can easily cause errors (e.g., blocking legitimate emails). Email administrators believe the current protocol adoption lacks the crucial mass due to the protocol defects, weak incentives, and practical deployment challenges. Based on these results, we discuss the key implications to protocol designers, email providers and users, and future research directions to mitigate the email spoofing threats.

[1]  Adrienne Porter Felt,et al.  Measuring HTTPS Adoption on the Web , 2017, USENIX Security Symposium.

[2]  Viswanath Venkatesh,et al.  Technology Acceptance Model 3 and a Research Agenda on Interventions , 2008, Decis. Sci..

[3]  Fred D. Davis,et al.  A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies , 2000, Management Science.

[4]  Michael T. Goodrich,et al.  Accredited DomainKeys: A Service Architecture for Improved Email Validation , 2005, CEAS.

[5]  David Hylender,et al.  Data Breach Investigations Report , 2011 .

[6]  John C. Klensin,et al.  Simple Mail Transfer Protocol , 2001, RFC.

[7]  C. Shapiro,et al.  Technology Adoption in the Presence of Network Externalities , 1986, Journal of Political Economy.

[8]  Peter W. Resnick,et al.  Internet Message Format , 2001, RFC.

[9]  Stefan Savage,et al.  Security by Any Other Name: On the Effectiveness of Provider Based Email Security , 2015, CCS.

[10]  David A. Wagner,et al.  Detecting Credential Spearphishing in Enterprise Settings , 2017, USENIX Security Symposium.

[11]  Jason Hong,et al.  The state of phishing attacks , 2012, Commun. ACM.

[12]  David Thaler,et al.  What Makes for a Successful Protocol? , 2008, RFC.

[13]  E. Rogers,et al.  Diffusion of innovations , 1964, Encyclopedia of Sport Management.

[14]  Stuart E. Schechter,et al.  Bootstrapping the Adoption of Internet Security Protocols , 2006, WEIS.

[15]  Murray S. Kucherawy,et al.  Domain-based Message Authentication, Reporting, and Conformance (DMARC) , 2015, RFC.

[16]  Gang Wang,et al.  End-to-End Measurements of Email Spoofing Attacks , 2018, USENIX Security Symposium.

[17]  Böhme,et al.  Internet Protocol Adoption: Learning from Bitcoin , 2013 .

[18]  P C Lai,et al.  THE LITERATURE REVIEW OF TECHNOLOGY ADOPTION MODELS AND THEORIES FOR THE NOVELTY TECHNOLOGY , 2017 .

[19]  Murray S. Kucherawy,et al.  The Authenticated Received Chain (ARC) Protocol , 2019, RFC.

[20]  Yada Zhu,et al.  Social Phishing , 2018, Encyclopedia of Social Network Analysis and Mining. 2nd Ed..

[21]  Liviu Iftode,et al.  Improving Email Trustworthiness through Social-Group Key Authentication , 2008, CEAS.

[22]  Ponnurangam Kumaraguru,et al.  Analyzing social and stylometric features to identify spear phishing emails , 2014, 2014 APWG Symposium on Electronic Crime Research (eCrime).

[23]  Murray S. Kucherawy,et al.  DomainKeys Identified Mail (DKIM) Signatures , 2011, RFC.

[24]  J. Alex Halderman,et al.  Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security , 2015, Internet Measurement Conference.

[25]  Norman M. Sadeh,et al.  Learning to detect phishing emails , 2007, WWW '07.

[26]  William K. Robertson,et al.  EmailProfiler: Spearphishing Filtering with Header and Stylometric Features of Emails , 2016, 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).