How DMARC Helps Detect Organized SPF Abuse Schemes
In this article, our Service Delivery Specialist Steven Iacoviello discusses how criminals are targeting dangling CNAMEs and DNS entry errors to hijack domains for phishing exploits.
In our daily work of helping people deploy and manage DMARC, we are finding domains that are used to send fraudulent, yet DMARC-compliant emails. These emails are SPF-authenticated, and most of the related SPF records originate from abusive CNAMEs. All the while, the domain owner isn’t aware of the compromised SPF records.
The Culprit: Dangling DNS CNAMEs
We are seeing a variety of organizations affected, and no vertical seems to be spared. Everyone is targeted as bad actors take advantage of dangling DNS CNAMEs and typos in DNS text records. Many domains with a dangling DNS issue share the same SPF records received from the CNAMEs and appear to be part of an organized CNAME abuse scheme.
Bad actors are isolating dangling DNS CNAMEs and targeting multiple domains by adding a malicious SPF record that consists of includes and IPs for sending fraudulent, yet authenticated emails.

Typosquatting and lookalike domains leveraged
Some of the CNAMEs that share the same corrupted SPF record come from a look-alike domain that may have been added as a typo from the domain owner’s side. Public records show that attackers register the typo-squatted domains after the misspelled CNAME is added to the DNS.
Even typos in CIDR (Classless Inter-Domain Routing) masks are being targeted, e.g., when a user means to enter /32 and mistakenly uses /3. When this happens, the shorter mask authorises millions of IP addresses instead of the single address a /32 entry covers. This opens up the SPF record for extensive abuse.
When bad actors find these mistakes, they begin sending fake emails that are SPF authenticated. We believe that bad actors are scanning DNS records looking for typos to take advantage of and then registering domains to exploit. When this happens, bad actors need only a couple of weeks to find DNS record typos and start their phishing campaigns.
Commonalities we’re seeing in abused domains
All the domains found with CNAME abuse share similar characteristics. Some of the CNAMEs are pointed to the same SPF records that change frequently by rotating the IPs and/or includes.
While identifying a malicious CNAME can be difficult, we can evaluate it by tracking its SPF record history. Even if several unrelated domains seem to have nothing in common, you can identify a malicious CNAME by checking if they all share the exact same SPF records.
We also discovered that bad actors continuously update these SPF records to swap out IP addresses with bad reputations for new ones, allowing them to bypass authentication and maintain the appearance of legitimate email infrastructure.
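The two checks described above (a mask typo that authorises far more addresses than intended, and a dangling CNAME inside an include chain) and the shared-SPF signal from this section can all be run from one SPF audit. The script below is an added example, not dmarcian's code or tooling. It walks an in-memory DNS table (the constructed DNS dict, with made-up domain names and documentation IP ranges) instead of doing live lookups so it runs offline; the threshold MAX_PREFIX_SPAN is an assumed policy value, and the helper names are our own. Replacing lookup_spf() with a real resolver is all that is needed to point it at your own zones.

```python
"""Audit SPF records for dangling CNAME targets, oversized CIDR masks,
and unrelated domains that resolve to an identical set of networks."""
import ipaddress
from collections import defaultdict

# Constructed sample zone data: name -> {"CNAME": target} or {"TXT": [records]}.
# Every name and address here is invented for the example.
DNS = {
    "example-a.test": {"TXT": ["v=spf1 include:_spf.example-a.test -all"]},
    "_spf.example-a.test": {
        "TXT": ["v=spf1 ip4:203.0.113.10/32 include:mail.exampel-cdn.test -all"]
    },
    # Misspelled CNAME whose target does not exist: a dangling record.
    "mail.exampel-cdn.test": {"CNAME": "spf.exampel-cdn.test"},
    # Mask typo: /3 where /32 was intended.
    "example-b.test": {"TXT": ["v=spf1 ip4:198.51.100.0/3 -all"]},
    # Two otherwise unrelated domains pointing at the same SPF host.
    "example-c.test": {"TXT": ["v=spf1 include:shared.spf-host.test -all"]},
    "example-d.test": {"TXT": ["v=spf1 include:shared.spf-host.test -all"]},
    "shared.spf-host.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 ~all"]},
}

# Assumed policy threshold: flag any single ip4/ip6 term wider than a /16.
MAX_PREFIX_SPAN = 2 ** 16


def lookup_spf(name):
    """Follow CNAMEs until a TXT record is found.

    Returns (spf_text_or_None, chain_of_names, dangling). `dangling` is True
    when the chain ends at a name that does not exist (NXDOMAIN)."""
    chain = [name]
    for _ in range(8):  # guard against CNAME loops
        entry = DNS.get(name)
        if entry is None:
            return None, chain, True
        if "CNAME" in entry:
            name = entry["CNAME"]
            chain.append(name)
            continue
        spf = [t for t in entry.get("TXT", []) if t.startswith("v=spf1 ")]
        return (spf[0] if spf else None), chain, False
    return None, chain, True


def audit(domain, seen=None):
    """Flatten a domain's SPF policy through its includes.

    Returns (findings, networks): human-readable warnings and the set of
    networks the policy authorises. Only ip4/ip6/include terms are handled;
    a/mx/redirect are out of scope for this example."""
    seen = seen if seen is not None else set()
    findings, networks = [], set()
    if domain in seen:  # already visited via another include
        return findings, networks
    seen.add(domain)
    spf, chain, dangling = lookup_spf(domain)
    if dangling:
        findings.append(f"{domain}: dangling CNAME chain {' -> '.join(chain)}")
        return findings, networks
    if spf is None:
        findings.append(f"{domain}: no SPF record")
        return findings, networks
    for term in spf.split()[1:]:
        mech = term.lstrip("+-~?")  # strip the qualifier
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            networks.add(str(net))
            if net.num_addresses > MAX_PREFIX_SPAN:
                findings.append(
                    f"{domain}: {mech} authorises {net.num_addresses:,} addresses (mask typo?)"
                )
        elif mech.startswith("include:"):
            sub_findings, sub_nets = audit(mech[len("include:"):], seen)
            findings.extend(sub_findings)
            networks |= sub_nets
    return findings, networks


def cluster_by_policy(domains):
    """Group domains whose flattened network sets are identical.

    Unrelated domains landing in the same group is the shared-SPF signal."""
    groups = defaultdict(list)
    for d in domains:
        _, nets = audit(d)
        if nets:
            groups[frozenset(nets)].append(d)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    apexes = ["example-a.test", "example-b.test", "example-c.test", "example-d.test"]
    for d in apexes:
        for finding in audit(d)[0]:
            print(finding)
    for nets, doms in cluster_by_policy(apexes).items():
        print("identical policy", nets, "->", doms)
```

Against the sample table the audit reports the dangling chain under example-a.test, the /3 term under example-b.test (over half a billion addresses), and groups example-c.test with example-d.test because they authorise exactly the same networks. Re-running the audit on a schedule and diffing the network sets is what surfaces the IP rotation described above.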
Six Ways to Discover and Stop CNAME Abuse
- Set up DMARC, SPF, and DKIM.
- Monitor your data and check for any unused CNAMEs in your DNS.
- Set up alerts within your dmarcian account with Alert Central to be notified of DNS changes.
- Review your sources in our Source Viewer.
- See details of sent emails in the Detail Viewer.
- Keep track of your DNS changes in our Timeline tool.
If you regularly monitor your dmarcian account, you can pick up on these abusive SPF campaigns before they start. We’re here to help people understand and deploy DMARC securely, so get in touch with us if you have any questions about CNAMEs or our support services.
Want to continue the conversation? Head over to the dmarcian Forum.