News stories are popping up about Mailsploit, a supposed email spoofing technique that is “virtually unstoppable,” according to its creator.
In particular, reporters are homing in on the creator’s claim that it “fools DMARC.”
This is not true. Mailsploit fools DMARC in much the same way that putting “Donald J. Trump” as your display name in Gmail “fools DMARC.”
That is to say, not at all.
The exploit is a variety of display-name spoofing, which means it uses the “friendly name” that appears in mail clients alongside (or sometimes instead of) the actual email address in the From field.
Here's the actual list of mail services affected by Mailsploit. As you can see, most major services (Gmail, Microsoft O365, Exchange, and Outlook) were not affected while others (Yahoo Mail) have already fixed the vulnerability.
The wrinkle is that a few mail clients — notably Apple Mail on iOS — can be fooled by this trick, thanks to the way it uses different character encodings.
However, this is a well-known problem in the email world (and in the browser world, where URLs using international domain names have been an occasional issue). Fortunately, there are best practices for dealing with this, and most major email server and email clients follow them, rendering the exploit useless.
For example, these “spoof” emails look obviously fake after passing through Gmail’s servers, as you can see in these screenshots. The screenshot on the left is Android; the other one is Apple Mail on iOS.
(Side note: Mailsploit uses whitehouse.gov as an example of the kind of email addresses you could spoof. That’s pretty ironic, because whitehouse.gov is not protected by DMARC — so this is a case where DMARC would actually help!)
We asked Murray Kucherawy (who contributed to the DKIM and DMARC specs, and runs the Trusted Domain Project when he’s not developing software for Facebook) what he thought about it. His response: “It's a modified display name attack. It's slightly more clever than those are in general, I'd say.”
Despite that cleverness, most major email clients already reject Mailsploit emails. And as the spreadsheet makes clear, most major clients were never even vulnerable to it in the first place.
The creator of Mailsploit, Sabri Haddouche, plays up the threat — but if you look at the spreadsheet he uses to track the vulnerability, it’s clear that most people are quite safe.
If you sort the Mailsploit spreadsheet to highlight the clients that have fixed the problem (or which were never vulnerable to it in the first place), this becomes even more clear.
In other words, it’s not a DMARC problem or a phishing problem per se. It’s an implementation problem for Apple Mail on iOS (when it’s not connected to a Gmail server) and a handful of other mail clients.
And Apple appears to be working on fixing it already.