#4 No SPF

The attack

Half past six in the morning in Germany. Bianca at MedienBude GmbH starts her workday by checking her email inbox.
There you will find an urgent email from your boss asking you to check the last statement.

After 30 minutes Bianca still hadn’t found the error, but decided that it was time for a Knoppers…

What happened?

After the attacker selected his target, the attacker checked to see if an SPF record had been set for the target’s domain. Here he noticed that no SPF record was set. This means that the e-mail server of the MedienBude cannot check whether the sender is authorized to transmit this e-mail.

This enabled him to forge any internal sender addresses and to suggest to the victim that the e-mail came from the boss.

The countermeasure

Check if your company has already set an SPF record. The easiest way to do this is with online tools such as SPF-Record.de.

Here you get (if a SPF is set) such a result:

Otherwise, it looks like this:

At the latest now you should inform yourself, which systems in the internet should/are allowed to send e-mails in your name. Then you create a simple TXT record for your domain. How this works exactly you can find out with the help of Dr. Google “SPF set up providerXY” ūüôā

Have fun

PS: There are other security features in email that further raise the barrier for attackers. Namely these are DMARC and DKIM, but since these often have an impact on production, you should read up more here ūüėČ

Safety gain


*From the blog series Top Security QuickFails