Australian Business Email (In)security

A small investigation reveals Australian business emails are ripe for attack

Email spoofing is as rampant as ever, as it usually nets quick results for scammers as they piggy-back off the trust of well-known institutions. By design, the Internet's email delivery protocol allows any mail server to claim to be any other company's mail server. If it weren't for SPF, DKIM & DMARC, I could send emails from scomo@gov.au or passwordreset@my.gov.au (if I were happy to commit fraud). SPF and DMARC in particular are frighteningly easy to implement, as it simply involves adding two DNS TXT records to a domain, and instantly it's forever protected against (most) spoofing attacks (maintenance notwithstanding).
[?] They don't protect against integrity attacks, which is why DKIM is also useful, but it can be difficult to implement.
I aim to answer one question: What proportion of Australia's most visited 3,000 domains perfectly implement SPF and DMARC to prevent mail spoofing?

What's SPF and DMARC exactly?

Put simply, SPF (Sender Policy Framework) dictates which mail servers (or IPs) can send mail for that domain. For instance, I use gmail for my email here on harrisonm.com, so my SPF record says only Google IPs can send mail on behalf of harrisonm.com. If a scammer pretends to send mail for harrisonm.com from their mail server, the mail client that receives the spoofed mail will look up the SPF TXT record at harrisonm.com, see that the spoofing mail server's IP doesn't match Google's IPs, and reject the mail.
[Figure: flowchart showing the SPF process. Email processing with SPF, courtesy of ACSC.]
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the most boring acronym ever, but it serves an important purpose. SPF's (and DKIM's for that matter) conformance and rejection specifications are loosely defined (due to the use of SHOULD rather than MUST in the RFCs), so various mail providers reject mail differently. DMARC was brought about to set definitive actions if mail were to fail SPF (or DKIM) checks, and to provide reporting metrics for email administrators. DMARC records are a TXT record in the _dmarc. subdomain.
[?] Yes, I'm aware harrisonm.com doesn't have a DMARC record (at the time of writing). Long story short, I'm using a gmail hack and, due to differences between the SPF/DKIM and DMARC RFCs, gmail's DMARC record is used, which I have no influence over, so a DMARC record under my current setup is of no use to me.
[Figure: flowchart showing the DMARC process. Email processing with DMARC, courtesy of ACSC.]
As these are simply TXT DNS records, they are easy to collect and analyse en masse. They also have a number of configuration options, so simply implementing a record does not necessarily make it a secure one.
[?] Whereas DKIM is not, as it requires you to know the selector name, which could be random.
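As an added example (not the post's own analysis script), here is one way to grade collected SPF and DMARC TXT records rather than just counting their presence. The sample records are constructed, and the thresholds for "secure" (-all for SPF; p=reject at pct=100 for DMARC) are my assumptions, since the post does not spell out its criteria.

```python
import re

# Constructed sample output of `dig +short txt <name>` for three made-up domains
# (not real lookups); dig prints each TXT record quoted.
SAMPLE_TXT = {
    "strict.example.au": ['"v=spf1 include:_spf.google.com -all"'],
    "_dmarc.strict.example.au": ['"v=DMARC1; p=reject; rua=mailto:dmarc@strict.example.au"'],
    "weak.example.au": ['"v=spf1 ip4:203.0.113.0/24 ~all"', '"site-verification=abc123"'],
    "_dmarc.weak.example.au": ['"v=DMARC1; p=none; pct=100"'],
    "none.example.au": [],
}

def spf_strength(txt_records):
    """Classify a domain's SPF record by the qualifier on its 'all' mechanism."""
    spf = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"      # RFC 7208: more than one SPF record is a permerror
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            q = m.group(1) or "+"   # bare 'all' means '+all'
            return {"-": "hardfail", "~": "softfail"}.get(q, "weak")  # ?all / +all
    return "weak"             # no 'all' term: unknown senders get neutral (redirect= not followed here)

def dmarc_strength(txt_records):
    """Classify a _dmarc record by its policy (p=) and enforcement percentage (pct=)."""
    recs = [r.strip('"') for r in txt_records if r.strip('"').upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    tags = {}
    for part in recs[0].split(";"):   # DMARC tags are 'key=value' pairs separated by ';'
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "reject" and pct == 100:
        return "reject"
    if policy == "quarantine" or (policy == "reject" and pct < 100):
        return "partial"
    return "monitor-only"     # p=none: failures are reported but mail is still delivered

def assess(domain, txt=SAMPLE_TXT):
    """Grade one domain from its own TXT records and its _dmarc subdomain's records."""
    return {"spf": spf_strength(txt.get(domain, [])),
            "dmarc": dmarc_strength(txt.get("_dmarc." + domain, []))}
```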

Collection

Alexa tracks which sites are visited most often, and publishes a list of the top 1,000,000 websites. So I grabbed this list, pulled out all the .au sites, and trimmed it to the top 3,000.
[?] Why 3000? The top 1 million sites only contains 3116 .au sites, so I made it a nice round number. wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip && unzip top-1m.csv.zip && grep '\.au$' top-1m.csv | head -n 3000 | cut -d "," -f 2 > au3000.txt
I then used a script to pull the SPF and DMARC records (if present) for each domain, and used another script to pull out the following metrics.
[?] Well... maybe a "script" is being generous: while read line; do dig +short txt "$line" @1.1.1.1 | grep -i 'v=spf1' | tee -a SPFs.txt; dig +short txt "_dmarc.$line" @1.1.1.1 | tee -a DMARCs.txt; done < au3000.txt

Results

[Charts: SPF results; DMARC results]

Analysis

Most of Australia's top 3,000 sites bothered to implement SPF and DMARC records. Clearly the knowledge of how to implement them, and of the importance of implementing them, is there; what is missing is an appreciation of how important fine-tuning is, given that only 22% had secure SPF records and less than 1% of domains had secure DMARC records. Australian businesses are thus overwhelmingly exposed to the ever-increasing risk of email spoofing attacks, and the secure implementation of SPF and DMARC could see a large reduction in the $81 million lost by Australian businesses to email attacks every year.
[Chart: per-email compromise event costs increasing.] Per-email compromise event costs are also on the rise.