DEF CON 31 - SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan - byt3bl33d3r

Published 2023-09-16
Ever wake up and ask yourself: “Damn, how could I make email security suck even more today”? Tired of your Red Team's phishing emails not landing in your target's inbox?

Do you dislike Boston (the city) and love Satan?

If you answered yes to any of those questions you should come to this talk!

I'll be showing you how to spoof emails from 2 million+ domains (while also “bypassing” SPF & DMARC!) by (ab)using a partnership between Cloudflare and the “biggest transactional email service” on the interwebs. We'll be diving into "edge" serverless applications and the magical world of email security, where everything is (still) held up by duct tape, pasta, and marinara sauce. Finally, I'll be dropping code and releasing a tool that demonstrates how to impersonate emails from 2 million+ domains.

All Comments (21)
  • @lrhache
    You should have written to the CEO from their own domain
  • @eternalillusion
    Love this mofo. Splendid and efficient, zero-hopium talk. 10/10.
  • @YuanLiuTheDoc
    I can believe that your e-mail to the CEO went to the spam folder - because he marked you as a nuisance after your second "offense". But I cannot believe that a CEO who was perhaps not very tech savvy didn't pass your concern about the Cloudflare API, which might change the calculus, to the CTO.
  • @criticaloptimist
    I’m both shocked this vulnerability is a thing but also not surprised so many companies don’t have SPF/DKIM set up. Email is a mess to secure, super complicated, and I don’t think most companies really have an expert managing their domains. But I do know that any company that would find out about this vulnerability would never be ok with this.
  • @thefloorhasgone
    Great talk. I found his manner of speaking quite relaxing to listen to 😊
  • @juliacaesar8462
    This guy is a great speaker. So comfortable and fun to listen to. Very informative and I enjoyed the humor. Well done!!
  • @Leetfin
    Patched after this talk lol
  • @TheCocoaDaddy
    Awesome video. I have experience with SPF, DKIM and DMARC but have never looked into the ARC headers. Thanks for the thorough explanation!
  • @rhysperry111
    Still can't believe DKIM isn't widely setup and that most mail providers ignore it if SPF passes
  • Soooo it would be hypothetically very interesting if some people delivered to the CEO's mailbox AI-generated invoices, “escalations”, etc., just things that can't be ignored, and see how fast it gets fixed
  • @rpm10k.
    This is hilarious and fantastic. Great speaker.
  • @RandornCanis
    You can sometimes enforce DKIM alignment inside DMARC by setting your SPF record to -all. This isn't so uncommon because forwards and mailing lists break SPF anyway. You'll just need another SPF domain for the envelope-from header, but this intentionally leaves only DKIM for domain alignment.
  • @drstefankrank
    It would have been so easy, even with their relay in SPF. Do the same as Microsoft or Google do. Do API authentication and tie this authentication to a verified list of domains you own. They all need you to authenticate your domain at initial setup with a unique TXT record in DNS, for example.
  • @jfbeam
    MC's CEO is technically correct... SPF assumes one domain = one IP = one domain. That's not necessarily true. And it's never true on any email aggregation site like MC. Their API needs to authenticate who is attempting to send the message; then they can police what domains are used. The way they've integrated with CF eliminates all that - they just look for it to come from any CF IP, without CF disclosing anything about the CF user / account. (This would be rather simple for both of them to fix.)
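The last two comments (shared relay IPs in SPF, and SPF `-all` with DKIM-only alignment) both come down to how DMARC combines SPF and DKIM with identifier alignment. The following is an added example, not code from the talk or from any of the companies discussed: a small offline SPF/DMARC evaluator over constructed DNS records. Every domain, IP range and record below is made up (the `.example` names and TEST-NET addresses are placeholders), the organizational-domain logic is simplified to the last two labels instead of the Public Suffix List, and only the `ip4`, `include` and `all` SPF mechanisms are modelled.

```python
"""
Constructed example: how SPF, DKIM and DMARC alignment combine, and why a shared
relay whose IP range every customer lists in SPF lets one tenant pass SPF (and
relaxed-alignment DMARC) for another tenant's domain. Nothing here touches the
network; the dicts below stand in for DNS TXT lookups.
"""
import ipaddress

# Hypothetical zone data. "_spf.relay.example" is a shared transactional relay
# that many unrelated customers include in their SPF records.
SPF_RECORDS = {
    "_spf.relay.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "victim.example": "v=spf1 include:_spf.relay.example -all",   # typical customer
    "hardened.example": "v=spf1 -all",                            # SPF can never pass
    "bounces.hardened-mail.example": "v=spf1 include:_spf.relay.example -all",
}
DMARC_RECORDS = {
    "victim.example": {"p": "reject", "aspf": "r", "adkim": "r"},
    "hardened.example": {"p": "reject", "aspf": "r", "adkim": "r"},
}


def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluator (ip4, include, all). Returns pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    if depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # other mechanisms are not modelled in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, header_from, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return domain.lower() == header_from.lower()
    return org_domain(domain) == org_domain(header_from)


def dmarc_evaluate(header_from, sender_ip, mail_from, dkim_signatures):
    """
    header_from: domain in the RFC5322 From: header (what the user sees).
    mail_from:   domain in the SMTP MAIL FROM (what SPF is evaluated against).
    dkim_signatures: list of (d= domain, signature_verifies) pairs.
    Returns the SPF result, which identifiers aligned, and the DMARC disposition.
    """
    policy = DMARC_RECORDS.get(header_from, {"p": "none", "aspf": "r", "adkim": "r"})
    spf_result = spf_check(sender_ip, mail_from)
    spf_aligned = spf_result == "pass" and aligned(mail_from, header_from, policy["aspf"])
    dkim_aligned = any(ok and aligned(d, header_from, policy["adkim"])
                       for d, ok in dkim_signatures)
    passed = spf_aligned or dkim_aligned
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "accept" if passed else policy["p"],
    }


RELAY_IP = "203.0.113.10"     # any tenant of the shared relay sends from here
OUTSIDE_IP = "198.51.100.7"   # an unrelated host

if __name__ == "__main__":
    # Another tenant of the relay forges MAIL FROM and From: as victim.example: DMARC passes.
    print("spoof via shared relay:", dmarc_evaluate("victim.example", RELAY_IP, "victim.example", []))
    # The same forgery from a non-relay IP is rejected by SPF -all.
    print("spoof from outside IP: ", dmarc_evaluate("victim.example", OUTSIDE_IP, "victim.example", []))
    # hardened.example publishes SPF -all and relies on aligned DKIM only.
    print("spoof vs hardened:     ", dmarc_evaluate("hardened.example", RELAY_IP, "hardened.example", []))
    print("legit vs hardened:     ", dmarc_evaluate("hardened.example", RELAY_IP,
                                                    "bounces.hardened-mail.example",
                                                    [("hardened.example", True)]))
```

The first call is the shape of the problem jfbeam describes: SPF only sees the relay's IP, so any tenant of the relay passes SPF for any other tenant's domain, and because the forged MAIL FROM sits in the same organizational domain as the header From, relaxed alignment turns that SPF pass into a DMARC pass. The last two calls are RandornCanis's mitigation: with `v=spf1 -all` on the header-From domain and bounces routed through a separate, unaligned envelope domain, SPF can never satisfy DMARC for that domain, so only a DKIM signature with an aligned `d=` can, and the relay-tenant forgery lands on `p=reject`.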