A recent Trend Micro blog post suggests that the bad actors behind a current ransomware campaign are using email authentication and DMARC to make their messages more effective. One online article citing the post even includes a headline that incorrectly suggests that DMARC somehow enables the malware to bypass filters – which it assuredly does not do.
In fact the adoption of email authentication is much more likely to make it easier to block these campaigns.
Email authentication does not provide a way to bypass anti-malware or bad-url filtering
No competent email filtering system turns off anti-malware or malicious-url scanning just because a message passed an email authentication check. Email authentication results are combined with other information, such as the sending IP address’ history, or sending domain’s reputation, as an input to the whole filtering system. Typically this results in messages that fail authentication, or which come from sources with poor reputations, being subjected to additional, more rigorous scans. Again, no free pass just because a message passed an authentication check.
Email authentication encourages repeated use of domains, which makes it easier to detect and block bad actors
To benefit from email authentication – whether it’s DKIM, SPF, or DMARC – a bad actor has to use domains specifically configured to take advantage of them. They are therefore more likely to keep using these domains, or to keep setting up new ones which won’t have good reputations. Either of these approaches ultimately makes it easier to identify them and block their campaigns – especially as legitimate senders continue to adopt email authentication.
Alternatively, having to build up a good reputation for new domains on a large scale before they can be used to send malicious email effectively will raise their costs and make these campaigns less attractive compared to other vectors.
DMARC aggregate reports don’t reveal ways to bypass filters
Bad actors have long probed the filtering systems at the ISPs they target to see whether they can get a given message delivered. They seed their email campaigns with mailboxes they control to monitor performance over time, and use web bugs and other techniques to track message delivery and open rates. Not everybody hawking little blue pills via email is capable of this, but more sophisticated actors certainly are.
Don’t worry – ISPs are used to this cat-and-mouse game and have their defenses.
But by contrast DMARC aggregate reports provide message counts about passing or failing email authentication summarized over the entire reporting period – usually 24 hours. This is not very useful in fine-tuning a malware campaign that needs to change its content and sources every few hours to stay ahead of today’s adaptive anti-malware filters.
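To make concrete how little an aggregate report carries, here is an added example (not part of the original post) that parses a constructed RUA report in the RFC 7489 XML layout and pulls out everything it contains: the reporting window, the published policy, and per-source message counts with DKIM/SPF results. The domain names, IP addresses and counts are made up; note that nothing in the report says whether a message was delivered, opened, or dropped by malware or URL scanning.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report in the RFC 7489 XML layout.
# Every value below is made up for illustration, not taken from a real report.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1400000000</begin><end>1400086400</end></date_range>
  </report_metadata>
  <policy_published><domain>sender.example</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarize_rua(xml_text):
    """Extract the only data an aggregate report carries: the reporting window
    and per-source counts with authentication results (no content-filter verdicts)."""
    root = ET.fromstring(xml_text)
    begin = int(root.findtext("report_metadata/date_range/begin"))
    end = int(root.findtext("report_metadata/date_range/end"))
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),       # messages, summed over the window
            "disposition": pe.findtext("disposition"),  # DMARC policy action only
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
        })
    return {
        "window_hours": (end - begin) / 3600,  # typically 24 h
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    print(f"window={s['window_hours']:.0f}h policy=p={s['policy']} rows={s['rows']}")
```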
DMARC per-message failure reports provide limited information – if they were requested, and only if they were sent
It’s worth noting that the “Using DMARC Reports” example provided in the blog post would not actually cause any DMARC per-message failure reports to be generated – even assuming the receiving systems were configured to send them, which most are not.
But even if the bad actors received them, DMARC failure reports are limited in what information they include – and are not sent when a message is blocked due to malware-filtering or other content-based scanning. While very useful for determining why messages have failed authentication, they don’t provide unrelated information that a bad actor couldn’t obtain another way, without the trouble of implementing DMARC.
All of this has happened before, and all this will happen again
A 2004 study by CipherTrust noted that in a sample of two million email messages they studied, more messages covered by SPF records were sent by spammers than by legitimate senders, and many observers suggested that SPF was therefore doomed. Obviously this was not the case – just as the use of DMARC by some bad actors today won’t outweigh its usefulness to legitimate senders and receivers.
It’s always interesting to discover a change in the opposition’s tactics, and it’s always a little troubling to see them try to benefit from something intended to thwart them. So it’s understandable that the original report generated some excitement.
But no, DMARC is not enabling bad actors to reach their victims. And in the long run, as more and more legitimate email is authenticated, it will make it easier to detect and block them – whether they’ve adopted it or not.