nanog mailing list archives

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...]


From: Rich Kulawiec via NANOG <nanog () lists nanog org>
Date: Tue, 14 Apr 2026 13:49:03 -0400

If you recall (or don't ;) ) this thread, my (lengthy) argument was
that all the so-called email anti-forgery technologies have been neatly
undercut by pervasive security problems, and thus the overall effect
of deploying them has been to make the email forgery problem much worse
than it was before they existed.

Some of you agreed, some disagreed, and so on.  The usual. ;)

Well.  Here we are most of a year later and attackers have figured
out how to exploit this exact problem, at scale.  For example:

Zendesk:

        Zendesk ticket systems hijacked in massive global spam wave
        https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/

Microsoft:

        Crims compromised energy firms' Microsoft accounts, sent 600 phishing emails
        https://www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/

Nordstrom:

        Nordstrom's email system abused to send crypto scams to customers
        https://www.bleepingcomputer.com/news/security/nordstroms-email-system-abused-to-send-crypto-scams-to-customers/

and Zendesk again:

        Zendesk spam wave returns, floods users with 'Activate account' emails
        https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/

and Microsoft again:

        There's a rash of scam spam coming from a real Microsoft address
        https://arstechnica.com/information-technology/2026/01/theres-a-rash-of-scam-spam-coming-from-a-real-microsoft-address/

These can't possibly be the only instances: I suspect they're just
the ones that have been reported in the press and that I've happened
to notice.  No doubt many more have happened, are happening, and will
happen without coming to the attention of tech journalists.  Or perhaps
anyone -- if they're sufficiently well-executed.

This is likely to increase exponentially, because that's what these
kinds of problems always do.

This is bad enough already, but there's a way it could -- and probably
will -- get much worse.  Everyone who's paying attention knows that
attackers are using AI/LLM products/services in attacks -- and they're
doing quite well, because the sociopaths at the AI/LLM companies can't
be bothered to build in any guardrails.

This capability combined with DKIM/SPF/et.al. enables automated
spear-phishing at scale.  It won't be necessary for a human to spend the
time to conduct stylometric analysis of someone's outbound email corpus:
given access to that person's email account, they can have an AI do that.
And then they can send outbound messages from that person's email account
to their contact list -- messages which mimic that person's style,
formatting, punctuation, everything -- all of which will of course be
dutifully certified as authentic by DKIM/SPF/et.al.

And dutifully presented as such to recipients by their MUA.

Imagine what happens if that person is an investment advisor for high net
worth individuals.  Imagine what happens if that person is a political
official.  Imagine what happens [...]

I doubt this will stay a hypothetical for very long.

It's time to recognize that all these email anti-forgery technologies
are not just worthless security theater; they're *worse* than worthless
because they certify as authentic messages that are increasingly NOT
authentic.

---rsk
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JGA55MTQUEZVHPNGBDMLT7Y2RFMTSRNK/
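The post's core claim is that a DKIM/SPF/DMARC "pass" is a statement about the sending domain and its infrastructure, not about who was sitting at the mailbox. The following Python is an added example, not code from the post or from any of the projects it mentions: it parses an RFC 8601 Authentication-Results header together with the From: header and computes the DMARC alignment verdict the way a receiving MTA or an MUA badge would. The two sample messages, the domain names in them and the authserv-id are constructed; the organizational-domain helper is a deliberate simplification (two labels instead of the Public Suffix List) and is labelled as such in the code.

```python
"""Added example (not part of the NANOG post): what a DKIM/SPF/DMARC pass
actually attests. Given an Authentication-Results header and a From: header,
dmarc_verdict() reports whether the authenticated identifiers align with the
From domain, which is all DMARC ever checks. Nothing here can distinguish the
account owner from someone who has taken over the account and is sending
through the same MTA. All sample headers below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: mail from a compromised mailbox, relayed by the owner's own MTA.
# Every identifier lines up, so DMARC passes and the MUA shows it as authentic.
COMPROMISED_ACCOUNT_MSG = """\
Authentication-Results: mx.recipient.example; dkim=pass (2048-bit key)
 header.d=advisor-firm.example header.s=sel1;
 spf=pass smtp.mailfrom=advisor@advisor-firm.example
From: "A. Advisor" <advisor@advisor-firm.example>
Subject: Please move funds today

(message body omitted)
"""

# Constructed: a classic From: forgery sent through an unrelated bulk mailer.
# DKIM and SPF both pass for the mailer's domain, but nothing aligns with From.
FORGED_FROM_MSG = """\
Authentication-Results: mx.recipient.example; dkim=pass
 header.d=bulk-mailer.example header.s=k1;
 spf=pass smtp.mailfrom=bounce@bulk-mailer.example
From: "A. Advisor" <advisor@advisor-firm.example>
Subject: Please move funds today

(message body omitted)
"""


def parse_auth_results(header_value: str) -> dict:
    """Parse an Authentication-Results value into {method: {'result': ..., 'ptype.prop': ...}}.

    The authserv-id before the first ';' is dropped; parenthesised comments are
    skipped by the property regex. This covers the common shapes of RFC 8601
    resinfo stanzas, not every corner of the grammar.
    """
    _, _, rest = header_value.partition(";")
    results = {}
    for stanza in rest.split(";"):
        stanza = stanza.strip()
        if not stanza:
            continue
        m = re.match(r"(\w+)=(\w+)(.*)", stanza, re.S)
        if not m:
            continue
        method, result, props = m.groups()
        entry = {"result": result.lower()}
        for pm in re.finditer(r"(\w+)\.(\w+)=([^\s()]+)", props):
            entry[f"{pm.group(1)}.{pm.group(2)}"] = pm.group(3).lower()
        results[method.lower()] = entry
    return results


def org_domain(identifier: str) -> str:
    """Organizational domain of a domain or address.

    Simplification (assumption): real DMARC implementations consult the Public
    Suffix List; taking the last two labels is enough for the constructed samples.
    """
    domain = identifier.rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def dmarc_verdict(raw_message: str) -> dict:
    """Relaxed-alignment DMARC verdict for one message, as a receiver computes it."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC passes when either authenticated identifier aligns with From.
        "dmarc_pass": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    for label, sample in (("compromised account", COMPROMISED_ACCOUNT_MSG),
                          ("forged From", FORGED_FROM_MSG)):
        print(label, dmarc_verdict(sample))
```

Run stand-alone, the script shows the asymmetry the post describes: the forged message is rejected because its authenticated domains do not align with From, while the message sent from the taken-over mailbox passes every check, because the checks were never designed to see past the domain boundary. Detection of the second case has to come from elsewhere (mailbox-side anomaly signals, sending-pattern changes, content review), not from a stricter DMARC policy.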
