Both an article written by Sebastian Salla and observations made during technical assessments led us to an experiment on the SPF records of Danish domains. In particular, we focused on spoofing mail domains whose SPF configuration introduces the risk of impersonating mail addresses at these domains. Note that the techniques used below have been found and used by others before; this article is, however, a real-life example that confirms SPF risks.

While the technical requirements to conduct the attack are pretty simple, the impact on an organization can be high. As an example, we successfully impersonated top-level employees of Danish institutions for around 600DKK ($88).

Because detection and prevention of these types of attacks are difficult, we also included our recommendations in this article.

The objectives of the experiment were the following:

- Spoofing mail sender domains via loose SPF configurations.
- Targeting governmental or critical institutions in Denmark.
- Doing the above for the least amount of money possible.

We identified 4 of the 259 tested domains as at risk of this technique. They were all contacted in due time before this post.

We used a rather restricted dataset to specifically target Danish institutions. Most of the domain names we gathered come from listing official government websites and crawling the PDFs on these websites to collect email addresses and extract their domain part. The result was a list of 259 unique domains, including ministries, municipalities, and diverse official institutions.

We made a shell script to recursively query the SPF record of a list of domains. While this is definitely not the most scalable approach, it does the job for small lists. Running the script over our dataset takes about a minute.

Next, we identified Denmark's main hosting providers and searched for occurrences of these in the results of the previous step. This gave us a list of domains having these providers in their SPF includes.

Unfortunately for their clients, these providers do not only include the IP addresses of the provider's SMTP servers made available to their clients, but also the IP addresses of servers available for rent. This means that anyone able to rent a server within the range can pass the SPF checks made by the defense mail chain of any domain that includes the provider in its record.

So if an SPF record looks as such:

`$ dig +short txt`

Then if the SPF record looks like the below:

`$ dig +short txt`

What we found was that providers offered to rent servers that have IPs in, enabling a rented server to serve as a legitimate mail sender for.

Simply is one of Denmark's biggest VPS providers. This makes it a good target for our experiment. From the results of running the script, we could see that the following domains were using Simply's SPF records and/or IP ranges:

We rented a server on for around 200DKK (including a required domain registration), which was attributed to IP 185.20.205.41. The SPF record of Simply is:

`$ dig +short txt`

As a test, we forged a mail with a non-existent sender address from rk.dk:

`From: Jeffrey Bencteux`

Rk.dk is the official domain name of the Rødovre Kommune (municipality).
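The recursive SPF lookup the post describes, as an added example that is not the post's own shell script: a Python resolver that flattens a domain's SPF tree (following `include:` and `redirect=`), records which zone contributed each mechanism, and reports which hosting-provider zones the domain pulls in, so an administrator can audit their own domains for the over-broad includes discussed above. All domain names and records (`hoster.example` and friends) are constructed; the `dig_txt` helper assumes `dig` is on PATH and is only used when no other lookup function is supplied.

```python
import subprocess
from typing import Callable, Dict, List, Set

Lookup = Callable[[str], List[str]]  # domain -> TXT record strings

def dig_txt(domain: str) -> List[str]:
    """Live lookup with the same `dig +short txt` call the post's script uses."""
    out = subprocess.run(["dig", "+short", "txt", domain],
                         capture_output=True, text=True, check=False).stdout
    # dig prints long TXT records as "part" "part"; rejoin the quoted pieces.
    return ["".join(ln.split('" "')).strip('"') for ln in out.splitlines() if ln]

def flatten_spf(domain: str, lookup: Lookup, visited: Set[str]) -> Dict[str, str]:
    """Follow include:/redirect= recursively; return {mechanism: zone listing it}.
    Qualifiers (+ - ~ ?) are stripped. `visited` collects every zone fetched."""
    if domain in visited:  # loop guard; a real evaluator returns PermError here
        return {}
    visited.add(domain)
    found: Dict[str, str] = {}
    recs = [t for t in lookup(domain) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) != 1:  # zero or multiple SPF records: no usable policy
        return found
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?")
        if t.startswith("include:"):
            found.update(flatten_spf(t[len("include:"):], lookup, visited))
        elif t.startswith("redirect="):
            found.update(flatten_spf(t[len("redirect="):], lookup, visited))
        elif t != "all":  # ip4:, ip6:, a, mx, exists:, ptr and their arguments
            found[t] = domain
    return found

def audit(domain: str, providers: List[str], lookup: Lookup = dig_txt) -> Dict[str, object]:
    """Flatten one domain's SPF and report which provider zones it pulls in."""
    visited: Set[str] = set()
    mechanisms = flatten_spf(domain, lookup, visited)
    hits = sorted(v for v in visited if any(v == p or v.endswith("." + p) for p in providers))
    return {"mechanisms": mechanisms, "provider_zones": hits,
            "include_lookups": len(visited) - 1}  # RFC 7208 caps DNS lookups at 10

# Constructed zone (RFC 5737/3849 documentation ranges), not real DNS data.
DEMO_ZONE = {
    "muni.example": ["v=spf1 mx include:_spf.hoster.example -all"],
    "_spf.hoster.example": ["v=spf1 ip4:192.0.2.0/24 include:customers.hoster.example ~all"],
    "customers.hoster.example": ["v=spf1 ip4:198.51.100.0/22 ip6:2001:db8::/32 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

def demo_lookup(domain: str) -> List[str]:
    return DEMO_ZONE.get(domain, [])
```

Running `audit("muni.example", ["hoster.example"], demo_lookup)` shows the /22 that reaches `muni.example` only through the provider's customer zone; swap in `dig_txt` (or any resolver) for live checks.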