KELIHOS Spambot Highlights Security Risk in SPF Records

During the last week of August 2014, we observed a surge of salad spam caused by the KELIHOS spambot. Salad spam contains gibberish words in the email body and is usually employed by cybercriminals to bypass spam filters. Here are some samples we spotted:

Figures 1-2: Screenshots of spammed messages

The majority of this outbreak's victims are in the United States. Based on our data, the top sending countries for this spam run are Spain, Germany, Italy, Iran, and the United States.

Figure 3: Top sending countries by KELIHOS spam attack

The spammed emails sent out by KELIHOS used a spoofing technique similar to that of RUSTOCK, another spam botnet that acts as a proxy server, which allows it to make infected systems send spam emails with pharmacy/medical content. Both KELIHOS and RUSTOCK send out spam using templates fetched from their C&C servers.

KELIHOS has launched various spam runs in the past. In one instance last April, it copied sentences from several Wikipedia articles to pass its spam off as legitimate, normal email. The tragic explosion at the Boston Marathon last year was also leveraged by a KELIHOS variant.

Security risks that improperly configured SPF Records pose

During our investigation, we found that the KELIHOS spam surge inadvertently highlighted a security risk in SPF records. SPF is a checking system that verifies whether the host sending mail for a particular domain is included in that domain's authorized list; it is typically deployed to prevent email spoofing. Only legitimate email is supposed to pass an email authentication check, but if the SPF record is misconfigured, spoofed mail can 'authenticate' and pass as originating from the domain. As such, once spammers have compromised even one IP within an authorized block, the SPF check has no way of knowing that the IP has been compromised.

Our findings also show that the KELIHOS spam run used bogus From field and envelope information, which can still pass Sender Policy Framework (SPF) authentication. In this specific case, it was able to bypass SPF via a spoofing technique similar to RUSTOCK's. For example:

domain.net.  XXX  IN  TXT  "v=spf1 include:_spf.{HOST}.com ip4:192.168.0.0/16 ip4:192.168.10.1/32 ip4:192.168.10.2/32 ip4:192.168.10.3/32 -all"

As seen here, the SPF record of {domain}.net lists three /32 entries (single IPs) and one /16 block, which contains around 65,000 unique IPs that are allowed to send email on behalf of {domain}.net. As previously mentioned, spammers need only compromise one of the IPs in that list to use it for sending spam. The size of the block also makes it arduous for IT administrators to monitor each of these IPs. Hence, we highly advise that an SPF record contain only a few IPs, or be limited to a set number, for easy monitoring.

One indication of a bad SPF setting is a record that contains a too-large range, considering that only a small number of IP addresses (e.g., two to eight) are typically responsible for relaying a domain's mail. Furthermore, if the SPF record does not use smaller, more specific ranges, any machine that falls under the too-large range can become compromised and used to send spam.
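The following is an added example, not Trend Micro's code, covering both the record walkthrough above and the "too-large range" heuristic: it parses an SPF TXT record, counts how many addresses each ip4/ip6 mechanism authorizes, flags any range wider than the two-to-eight relays a domain normally needs, and evaluates a sending IP the way an SPF check would (first matching mechanism wins). The record and IPs are constructed after the one quoted in the post (RFC 1918 placeholders); the `_spf.example.com` include is a placeholder and, since resolving an `include:` needs DNS, it is only reported, not followed.

```python
"""Audit an SPF record for over-broad ranges and evaluate a sender IP against it.

Added example (not Trend Micro's code). Only ip4/ip6/all mechanisms are evaluated;
include: is reported but not resolved (it needs DNS); a/mx/ptr/exists are ignored.
"""
import ipaddress

# Constructed sample, shaped like the record quoted in the post.
SAMPLE_RECORD = ('v=spf1 include:_spf.example.com ip4:192.168.0.0/16 '
                 'ip4:192.168.10.1/32 ip4:192.168.10.2/32 ip4:192.168.10.3/32 -all')

# Constructed tightened version: only the three relay hosts, no /16.
TIGHTENED_RECORD = ('v=spf1 ip4:192.168.10.1/32 ip4:192.168.10.2/32 '
                    'ip4:192.168.10.3/32 -all')

# A domain's mail is usually relayed by a handful of hosts (the post cites
# two to eight); a single mechanism authorizing more than this is flagged.
MAX_REASONABLE_ADDRESSES = 8

_QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF version 1 record')
    parsed = []
    for term in terms[1:]:
        qualifier = 'pass'                      # implicit "+" if none given
        if term[0] in _QUALIFIERS:
            qualifier, term = _QUALIFIERS[term[0]], term[1:]
        mechanism, _, argument = term.partition(':')
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def audit_spf(record, max_addresses=MAX_REASONABLE_ADDRESSES):
    """Report address counts per network, the total authorized, and over-wide ranges."""
    report = {'networks': [], 'total_addresses': 0, 'too_wide': [], 'includes': []}
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ('ip4', 'ip6'):
            network = ipaddress.ip_network(argument, strict=False)
            count = network.num_addresses
            report['networks'].append((str(network), count))
            if qualifier == 'pass':             # only "+" entries authorize senders
                report['total_addresses'] += count
                if count > max_addresses:
                    report['too_wide'].append(str(network))
        elif mechanism == 'include':
            report['includes'].append(argument)  # needs a DNS lookup; reported only
    return report


def check_sender(record, sender_ip):
    """Return the SPF result for sender_ip: the first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ('ip4', 'ip6'):
            if ip in ipaddress.ip_network(argument, strict=False):
                return qualifier
        elif mechanism == 'all':
            return qualifier
    return 'neutral'                            # no mechanism matched


if __name__ == '__main__':
    for label, record in (('as published', SAMPLE_RECORD), ('tightened', TIGHTENED_RECORD)):
        report = audit_spf(record)
        print(f'{label}: {report["total_addresses"]} addresses authorized, '
              f'too wide: {report["too_wide"] or "none"}, includes: {report["includes"]}')
        # A host anywhere inside the /16 passes under the published record.
        print('  compromised host 192.168.200.7 ->', check_sender(record, '192.168.200.7'))
        print('  unrelated host 10.0.0.1        ->', check_sender(record, '10.0.0.1'))
```

Run against the published record, the audit reports 65,539 authorized addresses and flags 192.168.0.0/16, and a spambot on 192.168.200.7 gets a pass; against the tightened record the same host fails and only the three relays pass. Treating an unresolved include as "no match" is deliberate: the audit is meant to be pessimistic about what is visible, and an include that pulls in another organisation's whole range deserves its own review.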

Best Practices

Spam continues to be a security problem for enterprises and large organizations, given that it can be a malware carrier or an infection vector for targeted attacks, potentially leading to data theft. And while security measures like SPF provide another layer of protection, they can still be circumvented if not configured properly, as seen in the recent KELIHOS spam run.

To protect your network from this security risk, we advise enterprises to configure their SPF policy to allow only authorized hosts to send email on the domain's behalf. This should go hand in hand with authenticated SMTP. It is also important to first check whether the sender's email address actually exists, rather than checking only the sender. Once it is determined that the email address does not exist, the message should automatically fail the SPF check.

With additional insights from Jon Oliver and Loseway Lu

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 1 October 2014.