As technologies evolve and develop rapidly, so do virtual threats and attacks. New forms of email-based threats are taking shape, with higher degrees of intensity and scale. One important example of a recently discovered email-based threat is highlighted in a detailed study by Researchgate – known as BreakSPF, which exploits existing vulnerabilities in one of the most widely used email authentication protocols, the Sender Policy Framework (SPF). What is particularly concerning about this new type of threat is that it can cause harm at a massive scale and endanger millions of domains simultaneously.

What is BreakSPF Attack – Hackers’ New Trick

BreakSPF is a new attack framework that bypasses SPF checks to attempt email spoofing. Domains with permissive SPF configurations are particularly vulnerable to this kind of attack. BreakSPF feeds on the fact that many organizations use shared email infrastructures, whether provided by cloud email service providers, proxies, or content delivery networks (CDNs) with shared IP pools. The broadly defined IP ranges in SPF records of these shared email infrastructures create a fertile ground for hackers and attackers to take action.

BreakSPF Attack vs. Other Email-Based Threats

Most traditional email spoofing or phishing attacks attempt to bypass email security through social engineering or malware. BreakSPF, on the other hand, targets the SPF mechanism itself, exploiting the very system designed to protect you from email spoofing attempts. To put it differently, while basic, traditional email spoofing or phishing attacks can be blocked by SPF or DKIM checks, in a BreakSPF attack, threat actors can bypass these verification checks, enabling spoofed emails to easily reach unsuspecting recipient mailboxes.

How BreakSPF Works: Bypassing SPF checks

According to the conference paper by Researchgate, “51.7% of domains have SPF records that include more than 65,536 (216) IP addresses.” Not only is such a large range dangerous, but it is also completely unnecessary as most email domains do not require so many IP addresses. Overly nested, overwhelmingly large SPF records may lead to a situation where SPF lookup limits are potentially being exceeded. This might enable hackers to slip through the existing security protocols. This is because, when the SPF record is too complex and the SPF lookup limit is exceeded, the protective layer is no longer doing the job that it was initially intended to do.

Here’s how the attack works: an attacker identifies a popular domain (like example.com) that has a vulnerable SPF configuration, meaning its SPF record allows a wide range of IP addresses. The attacker uses public services that provide access to IP addresses within this allowed range. They then send spoofed emails from these IP addresses to the victims. Because the SPF validation checks the sender’s IP address and sees it as legitimate (since it falls within the domain’s SPF record), the spoofed emails pass SPF and DMARC checks. As a result, the victims receive authentic-looking emails that have bypassed standard email authentication measures.

The key elements in this attack include:

The target domain has an SPF record with overly permissive IP ranges.
The attacker controls enough public infrastructure to select IP addresses included in that SPF record.
The attacker can send spoofed emails without needing advanced capabilities like DNS spoofing or modifying DNS entries.

Types of BreakSPF Attacks

Email transmission generally occurs through two main channels: HTTP servers and SMTP servers. Based on this, the BreakSPF attack itself is categorized into three distinct groups by Researchgate:

1. Fixed IP Address Attacks

In fixed IP address attacks, attackers maintain long-term control over specific IP addresses. Acting as Mail Transfer Agents (MTAs), they send malicious, spoofed emails directly to the victim’s email service. These attacks often make use of shared infrastructure like cloud servers and proxy services. Traditional spam defense mechanisms, including greylisting, are generally ineffective against fixed IP address attacks.

2. Dynamic IP Address Attacks

When using this method, attackers don’t have control over specific outgoing IP addresses for each connection. However, they dynamically asses which domains are most vulnerable based on the current outgoing IP and thereby temporarily gain control through various functionalities or methods. As these IP addresses constantly change, traditional IP blacklisting methods again become ineffective against dynamic IP address attacks. While the previous method, fixed IP address attacks used cloud servers and proxy services, dynamic IP address attacks leverage public infrastructure (e.g. serverless functions, CI/CD platforms, etc.).

3. Cross-Protocol Attacks

When using cross-protocol attacks, the attackers don’t even need to have direct control over IP addresses. Instead, hackers embed SMTP data within HTTP data packets. Then, they forward these packets to the intended victim’s email service by using HTTP proxies and CDN exit nodes. When targeting the victim with cross-protocol attacks, hackers often use shared infrastructure (e.g. open HTTP proxies, CDN services, etc.). This type of attack is extremely hard to detect or trace since it takes place in a very intransparent way.

The Impact of BreakSPF Attacks

Domains worldwide can easily fall victim to phishing attacks and expose very sensitive, confidential data to hackers as a result of BreakSPF attacks. Businesses can also lose their reputation among the people who trusted them and the communications coming from them.

Numerous high-profile companies may suffer significant financial losses as well as market share due to a worsening in reputation. This implies that BreakSPF attacks can have both direct and indirect consequences on not only data security and privacy but also other aspects of a business such as brand image, sales, and market position.

Looking beyond the micro-level impact on organizations, we can note that such kind of massive phishing attacks and extensive email spoofing will also deplete trust in email exchanges in general, constraining people’s freedom in day-to-day communications in both personal and professional settings and forcing individuals to switch to other platforms. This can be detrimental to existing established frameworks and even marketing campaigns that use emails and newsletters as an integral part of their marketing strategy.

Thus, the impact of BreakSPF attacks will be beyond any specific geographical or categorical area. It affects individuals and businesses who use email communications for a variety of needs and purposes.

How to Prevent BreakSPF Attack

There are several key steps you can take to prevent such attacks on your domain and protect your business and employees:

1. Make SPF Records Less Complex

According to SPF best practices, there should be only one SPF record for a given domain. Unfortunately, complex, multiple SPF records for a single domain are very common today, as domain owners do not pay sufficient attention to accurate SPF management.

This malpractice leads to SPF validation failures, as a result of which even legitimate emails are often marked as spam. This harms email deliverability as a whole, endangering business communications and reputation.

2. Avoid Exceeding the DNS Lookup Limit of 10

“SPF Permerror: too many DNS lookups” is the message you will receive when you exceed the DNS lookup limit of 10. Permerror is treated as an SPF fail due to a permanent error, and may often prevent the email from reaching the inbox of the intended recipient or flag it as suspicious. This might cause serious issues with email deliverability rates.

There are several steps you can take to avoid exceeding the DNS lookup limit of 10. For example, you can remove unnecessary “include” statements and nested IPs by using an SPF flattening service.

Preferably, you can optimize your SPF record using SPF Macros. At PowerDMARC, we help our clients achieve error-free SPF with unlimited lookups every time with our hosted SPF solution that leverages Macros integration.

For more information, you can check out our blog post about the necessary steps to fix SPF Permerror.

3. Fix Gaps in Protocol Misconfigurations

BreakSPF can bypass SPF and DMARC verification. It is important to identify and fix any gaps or misconfigurations in both SPF and DMARC adoption to prevent attackers from bypassing the verification checks. Such gaps and misconfigurations may include incorrect DMARC and SPF adoption, lack of timely updates or optimizations, etc.

4. Monitor Your DMARC Reports

Enabling DMARC reporting for your domains and paying careful attention to them can also help you detect any problems and misconfigurations in the existing email authentication protocols. These reports provide you with a wealth of information that may lead to the detection of suspicious IP addresses.

5. Enforce Your DMARC Policies

Not only should DMARC be combined with SPF and DKIM, but it also should be deployed with strict policies such as DMARC Reject to avoid overly permissive policies. The DMARC none policy does not offer any protection against cyber attacks. It should be used only in the initial phase of email authentication (i.e. the monitoring phase).

However, if you keep following this policy beyond the initial, monitoring phase, it might cause serious security issues, as it will leave your domain vulnerable to cyber attacks. This is because even when DMARC fails for your email, under the none policy the email will still be delivered to the recipient’s inbox, often with malicious contents.

6. Strengthening Port Management

Strengthening and enhancing port management for cloud services will also help stop attackers from cloud IP abuse. Cloud services are a common source of cyber attacks. This is because the cloud is often used as a storage for important, sensitive data, making it an attractive target for hackers. Moreover, cloud attacks can also lead to data breaches as, once the hackers manage to get access to the cloud account, they can immediately see and steal all the data at once.

So while having all your data in one centralized cloud platform may come with its set of advantages, it might also be very dangerous for your security online. Thus, proactive measures such as data encryption, intrusion detection, and strict access control are of paramount importance to enhance the security of your cloud services and your business as a whole.

Summing Up

Do you need help and advice regarding the correct adoption of your email authentication protocols? PowerDMARC is here to help!

PowerDMARC’s customary managed SPF service — PowerSPF, offers an extensive range of hosted SPF management and optimization solutions for businesses from all around the world, helping you prevent BreakSPF and many other SPF-related errors and issues. Enhance your domain’s security — contact PowerDMARC today and enjoy peace of mind when communicating digitally!

About
Latest Posts

Yunes Tarada

Domain & Email Security Expert at PowerDMARC

Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.

BreakSPF Attacks: Outsmart the Hackers and Protect Your Email