Ruixuan Li (Tsinghua University and Beijing National Research Center for Information Science and Technology), Chaoyi Lu (Zhongguancun Laboratory), Baojun Liu (Tsinghua University and Beijing National Research Center for Information Science and Technology), Yanzhong Lin (Coremail Technology Co. Ltd), Qingfeng Pan (Coremail Technology Co. Ltd), Jun Shao (Zhejiang Gongshang University and Zhejiang Key Laboratory of Big Data and Future E-Commerce Technology)
This paper introduces a novel and powerful email convergence amplification attack, named COORDMAIL. Traditional email DoS attacks primarily send spam to targeted mailboxes, with little ability to affect email servers’ operation. In contrast, COORDMAIL exploits the inherent properties of the SMTP protocol, i.e., long session timeouts and client-controlled interactions, to cleverly coordinate reflected emails from various email middleware and eventually direct them to an incoming mail server simultaneously. As a result, the amplification capabilities of different email middleware are concentrated to form highly amplified attack traffic. From the SMTP session state machine and email reflection behaviors, we identify many real-world email middleware suitable for COORDMAIL, including 10,079 bounce servers, 584 open email relays, and 6 email forwarding providers. By building SMTP command sequences, COORDMAIL can maintain prolonged SMTP communications with these middleware at an extremely low rate and control them to reflect emails steadily at any given moment. We show that COORDMAIL is effective at a low cost: 1,000 SMTP connections can achieve more than 30,000 times of bandwidth amplification. While most existing security mechanisms are ineffective against COORDMAIL, we propose feasible mitigations that reduce the convergence amplification power of COORDMAIL by tens of times. We have responsibly reported COORDMAIL to email middleware and popular email providers, some of which have accepted our recommendations.