Ruixuan Li (Tsinghua University and Beijing National Research Center for Information Science and Technology), Chaoyi Lu (Zhongguancun Laboratory), Baojun Liu (Tsinghua University and Beijing National Research Center for Information Science and Technology), Yanzhong Lin (Coremail Technology Co. Ltd), Qingfeng Pan (Coremail Technology Co. Ltd), Jun Shao (Zhejiang Gongshang University and Zhejiang Key Laboratory of Big Data and Future E-Commerce Technology)

This paper introduces a novel and powerful email convergence amplification attack, named COORDMAIL. Traditional email DoS attacks primarily send spam to targeted mailboxes, with little ability to affect email servers’ operation. In contrast, COORDMAIL exploits the inherent properties of the SMTP protocol, i.e., long session timeouts and client-controlled interactions, to cleverly coordinate reflected emails from various email middleware and eventually direct them to an incoming mail server simultaneously. As a result, the amplification capabilities of different email middleware are concentrated to form highly amplified attack traffic. From the SMTP session state machine and email reflection behaviors, we identify many real-world email middleware suitable for COORDMAIL, including 10,079 bounce servers, 584 open email relays, and 6 email forwarding providers. By building SMTP command sequences, COORDMAIL can maintain prolonged SMTP communications with these middleware at an extremely low rate and control them to reflect emails steadily at any given moment. We show that COORDMAIL is effective at a low cost: 1,000 SMTP connections can achieve more than 30,000 times of bandwidth amplification. While most existing security mechanisms are ineffective against COORDMAIL, we propose feasible mitigations that reduce the convergence amplification power of COORDMAIL by tens of times. We have responsibly reported COORDMAIL to email middleware and popular email providers, some of which have accepted our recommendations.

View More Papers

CRISP: An Efficient Cryptographic Framework for ML Inference Against...

Xiaoyu Fang (Beijing University of Posts and Telecommunications), Shihui Zheng (Beijing University of Posts and Telecommunications), Lize Gu (Beijing University of Posts and Telecommunications)

Read More

Work-in-progress: Spurious Credentials in Breach Compilations

Lucas Stephens (Oregon State University), Jacob Porter (Oregon State University), Zane Ma (Oregon State University)

Read More

MVPNalyzer: An Investigative Framework for Auditing the Security &...

Wayne Wang (University of Michigan), Aaron Ortwein (University of Michigan), Enrique Sobrados (University of New Mexico), Robert Stanley (University of Michigan), Piyush Kumar Sharma (University of Michigan, IIT Delhi), Afsah Anwar (University of New Mexico), Roya Ensafi (University of Michigan)

Read More