J. Trent Adams, Dynamic Email Security SIG Co-Chair

Email security professionals have long been worried about attackers abusing shared SPF authorization within a multitenant hosting service. When many customers share the same infrastructure, there are increased concerns about abuse. Just such an attack against members sharing the same sending servers led to a deep dive session on the topic at the recent M3AAWG 51 meeting. During the panel discussion, the security analysts who detected the attack explained what they found, and participants from the abused hosting service shared lessons learned with the broader community.

For background on the Multipass Attack, it’s important to understand SPF. Sender Policy Framework (SPF) is used to identify servers that are authorized to send email on behalf of specific domains. This could be the servers operated by organizations sending their own email or in other cases servers that are authorized to send email on behalf of multiple organizations and domains.  A common reason for a hosting provider to enable shared sending is to allow customers to leverage shared infrastructure.

Unless access to the sending server is carefully controlled, it may be possible for one customer to utilize the server to send email impersonating another customer.  Then, when the receiver evaluates the SPF record, the sending server appears to be authenticated and, absent any other signal, the email may be accepted as legitimate.

This is precisely the type of attack that was detected by UK security firm 7 Elements when they found one of their customers, hosted at Rackspace, was being targeted.  Following appropriate disclosure of the attack, they published a complete writeup of what they found on their blog, naming it the “SMTP Multipass Attack”.  They joined representatives from Rackspace in the panel presentation to share what they learned at M3AAWG 51.

Following the presentation, the M3AAWG members who attended the session discussed options on how to help secure shared email services on other networks.  A benefit of M3AAWG is that it brings together email security professionals with diverse experiences and provides a platform for sharing information.  In this case, the group discussed topics that may become the foundation for a more complete best practices document.

For example, the group identified a handful of topics to help secure shared SMTP servers:

• Configure shared servers so that they can only be accessed by authorized organizations.
• Ensure that the server requires that organizations authenticate when using it.
• Ensure that the sender details match authorized configurations (e.g. the customer is allowed to send email on behalf of the domain in the “from” address).
• Provision enough shared sending servers such that not all customers authorize the same servers within their SPF record.

Members also discussed that this type of shared resource abuse is not limited to just SPF.  Similar attack vectors have been identified when hosting services provide common DKIM signatures across multiple customers.  While the SMTP Multipass Attack focused on SPF, M3AAWG will consider broadening best practices advice for securing all forms of shared email authentication.

Watch for a comprehensive best practices document on the topic to be published by M3AAWG.

“Multipass Attack” Image (CC BY-SA 4.0) 2021 J. Trent Adams