The Unintended Consequences of Email Spam Prevention

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10771)


To combat Domain Name System (DNS) cache poisoning attacks and exploitation of the DNS as amplifier in denial of service (DoS) attacks, many recursive DNS resolvers are configured as “closed” and refuse to answer queries made by hosts outside of their organization. In this work, we present a technique to induce DNS queries within an organization, using the organization’s email service and the Sender Policy Framework (SPF) spam-checking mechanism. We use our technique to study closed resolvers. Our study reveals that most closed DNS resolvers have deployed common DNS poisoning defense techniques such as source port and transaction ID randomization. However, we also find that SPF is often deployed in a way that allows an external attacker to cause the organization’s resolver to issue numerous DNS queries to a victim IP address by sending a single email to any address within the organization’s domain, thereby providing a potential DoS vector.



We thank Jared Mauch for contributing the machines we used to scan the Internet address space for MTAs and store our results. Sharon Goldberg thanks Haya Shulman for useful discussions about DNS resolvers and email. This research was supported, in part, by NSF grants 414119 and 1350733.


  1. 1.
    Ballani, H., Francis, P.: Mitigating DNS DoS attacks. In: Proceedings of Computer and Communications Security, pp. 189–198. ACM (2008)Google Scholar
  2. 2.
    Borgwart, A., Shulman, H., Waidner, M.: Towards automated measurements of internet’s naming infrastructure. In: Software Science, Technology and Engineering (SWSTE), pp. 117–124. IEEE (2016)Google Scholar
  3. 3.
    The SPF Council. Sender Policy Framework, April 2014.
  4. 4.
    Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS forgery resistance through 0x20-bit encoding: security via leet queries. In: Proceedings of Computer and Communications Security, pp. 211–222. ACM (2008)Google Scholar
  5. 5.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: King, S.T. (ed.) USENIX Security Symposium, pp. 605–620. USENIX Association (2013). ISBN:978-1-931971-03-4Google Scholar
  6. 6.
    Durumeric, Z., Adrian, D., Mirian, A., Kasten, J., Bursztein, E., Lidzborski, N., Thomas, K., Eranti, V., Bailey, M., Halderman, J.A.: Neither snow nor rain nor MITM: an empirical analysis of email delivery security. In: Internet Measurement Conference, pp. 27–39. ACM (2015). ISBN:978-1-4503-3848-6
  7. 7.
    Foster, I.D., Larson, J., Masich, M., Snoeren, A.C., Savage, S., Levchenko, K.: Security by any other name: on the effectiveness of provider based email security. In: Proceedings of Computer and Communications Security, pp. 450–464. ACM (2015)Google Scholar
  8. 8.
    Gojmerac, I., Zwickl, P., Kovacs, G., Steindl, C.: Large-scale active measurements of DNS entries related to e-mail system security. In: International Conference on Communications, pp. 7426–7432, June 2015.
  9. 9.
    Herzberg, A.: DNS-based email sender authentication mechanisms: a critical review. Comput. Secur. 28(8), 731–742 (2009)CrossRefGoogle Scholar
  10. 10.
    Holz, R., Amann, J., Mehani, O., Wachs, M., Kâafar, M.A.: TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication. CoRR, abs/1511.00341 (2015).
  11. 11.
    Hubert, A., van Mook, R.: Measures for Making DNS More Resilient against Forged Answers. RFC 5452 (Proposed Standard), January 2009.
  12. 12.
    Huston, G.: IPv6 and the DNS, October 2016.
  13. 13.
    Kambourakis, G., Moschos, T., Geneiatakis, D., Gritzalis, S.: Detecting DNS amplification attacks. In: Lopez, J., Hämmerli, B.M. (eds.) CRITIS 2007. LNCS, vol. 5141, pp. 185–196. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  14. 14.
    Kaminsky, D.: Its the End of the Cache as we Know It. Black-Hat USA (2008)Google Scholar
  15. 15.
    Kitterman, S.: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. RFC 7208 (Proposed Standard), April 2014. Updated by RFC 7372
  16. 16.
    Klein, A., Shulman, H., Waidner, M.: Internet-wide study of DNS cache injections. In: INFOCOM, pp. 1–9. IEEE (2017)Google Scholar
  17. 17.
    Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security Symposium, pp. 111–125 (2014)Google Scholar
  18. 18.
    Malatras, A., Coisel, I., Sanchez, I.: Technical recommendations for improving security of email communications. In: Information and Communication Technology, Electronics and Microelectronics, pp. 1381–1386. IEEE (2016)Google Scholar
  19. 19.
    Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. 24(2), 115–139 (2006)CrossRefGoogle Scholar
  20. 20.
    Mori, T., Sato, K., Takahashi, Y., Ishibashi, K.: How is e-mail sender authentication used and misused? In: Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011, pp. 31–37. ACM, New York (2011). ISBN:978-1-4503-0788-8
  21. 21.
    Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)CrossRefGoogle Scholar
  22. 22.
    Schlitt, W.: libspf2 - SPF Library.
  23. 23.
    Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On measuring the client-side DNS infrastructure. In: Proceedings of Internet Measurement Conference, pp. 77–90. ACM, New York (2013). ISBN:978-1-4503-1953-9
  24. 24.
    Sisson, G.: DNS Survey, The Measurement Factory, November 2010.
  25. 25.
    Wong, M., Schlitt, W.: Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1. RFC 4408 (Experimental), April 2006. Obsoleted by RFC 7208, updated by RFC 6652.
  26. 26.
    Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Boston UniversityBostonUSA
  2. 2.Massachusetts Institute of TechnologyCambridgeUSA
  3. 3.Amazon Technologies, Inc.ChicagoUSA

Personalised recommendations