
Most of the Largest US Voting Districts Are Vulnerable To Email Spoofing (techcrunch.com) 19

Researchers at Valimail found that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. TechCrunch reports: Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects fraudulent or spoofed emails. DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target's inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it's not properly enforced, rendering its filtering efforts largely ineffective. The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether. [...] The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.
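The categories in the summary above (no DMARC entry, invalid entry, valid entry without enforcement, enforced) can be derived from the TXT records published at `_dmarc.<domain>`. The Python below is an added example, not code from Valimail, TechCrunch or Slashdot; the sample domains and records are constructed, and counting `p=quarantine` or `p=reject` as "enforced" is an assumption about how the survey scored domains.

```python
import re

# Version tag must come first; "DMARC1" is case-sensitive (RFC 7489).
VERSION_RE = re.compile(r"^\s*[vV]\s*=\s*DMARC1\s*(;|$)")
POLICIES = {"none": "not_enforced", "quarantine": "enforced", "reject": "enforced"}

def parse_tags(record):
    """Parse 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        key = key.strip().lower()
        if not sep or not key or key in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[key] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (empty list if none)."""
    if not txt_records:
        return "missing"
    records = [r for r in txt_records if VERSION_RE.match(r)]
    if len(records) != 1:
        return "invalid"                  # no usable record, or several of them
    try:
        tags = parse_tags(records[0])
    except ValueError:
        return "invalid"
    return POLICIES.get(tags.get("p", "").lower(), "invalid")

# Constructed sample data; the example.* names are placeholders, not survey data.
SAMPLES = {
    "county-a.example": [],
    "county-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@county-b.example"],
    "county-c.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@county-c.example"],
    "county-d.example": ["v=DMARC1; policy=reject"],
    "county-e.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}

def survey(samples):
    return {domain: classify(txt) for domain, txt in samples.items()}

if __name__ == "__main__":
    for domain, verdict in survey(SAMPLES).items():
        print(f"{domain:20} {verdict}")
```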

  • Hire Valimail to consult and fix it. LOL "Researchers".

  • by rsilvergun ( 571051 ) on Thursday December 05, 2019 @10:08PM (#59489838)
    Don't get me wrong, we've got massive election security issues [thehill.com], but this is so tangential as to be ridiculous. Just somebody angling for a gov't contract.
  • by johnjones ( 14274 ) on Thursday December 05, 2019 @10:19PM (#59489872) Homepage Journal

    If they had implemented DANE like Europe, that would have been useful:

    https://blog.apnic.net/2019/11/20/better-mail-security-with-dane-for-smtp/ [apnic.net]

    regards

    John Jones

  • connected? How?

    Just my 2 cents ;)
    • Re: (Score:3, Informative)

      Basically, if you are registered to vote, and somebody sends a spoof e-mail saying you've moved, you lost your ability to vote. What this company is saying is that they need an e-mail authentication program to make sure they're dealing with the person they think they are.

  • by somenickname ( 1270442 ) on Thursday December 05, 2019 @11:58PM (#59490094)

    DMARC is just a suggestion you publish on how to deal with e-mails with invalid SPF or DKIM. It doesn't prevent spoofing if the receiver doesn't use DMARC or if the receiver doesn't act on your DMARC suggestion. It's my understanding that very few mail receivers actually honor your DMARC suggestion if your suggestion is to reject e-mails that fail SPF or DKIM so, it's mostly useless.

    I'm not sure why we keep seeing /. articles about how lack of DMARC is going to ruin democracy.

    • Re: (Score:3, Interesting)

      by _merlin ( 160982 )

      Yeah, this exactly. You get pretty much all the benefits from deploying SPF and DKIM, as that lets the sender verify that the source is authorised to send from your domain and the headers weren't tampered with. DMARC is just a way to get people to send you reports if they receive spoofed mail from your domain. So you get an e-mail telling you that there are people sending spoofed e-mail from your domain. What are you going to do? In order to receive the DMARC report, you know the receiver detected that

      • by gmack ( 197796 )

        This is very wrong. DKIM on its own is close to useless since if the outgoing mail has no DKIM header, the receiving side has no way to know there needed to be one in the first place since it doesn't know what selector to use. DMARC plugs that hole by letting you tell the receiving side it should exist and to take the specified action if the header isn't there.

    • by gmack ( 197796 )

      It's my understanding that very few mail receivers actually honor your DMARC suggestion if your suggestion is to reject e-mails that fail SPF or DKIM so, it's mostly useless.

      Judging from the number of bounces seen after a coworker broke the DKIM/DMARC settings, I'm going to have to disagree with you.

    • After setting up DMARC for our e-mail domain we get 0 spoofed e-mails. SPF and DKIM are not sufficient by themselves because you can still spoof the 5321.MailFrom header and still pass SPF which only checks the 5322.From header.

      However, it is rare to receive spoofs anymore anyway. Most of the malicious e-mails that come into our system these days are from trusted senders whose accounts were compromised in a credential phishing campaign.

      From https://en.wikipedia.org/wiki/... [wikipedia.org]

      SPF checks that the IP address of the sending server is authorized by the owner of the domain that appears in the SMTP MAIL FROM command. (The email address in MAIL FROM is also called envelope-from or 5321.MailFrom.) In addition to requiring that the SPF check pass, DMARC additionally checks that 5321.MailFrom aligns with 5322.From.
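The alignment rule in the Wikipedia passage quoted above, written out as a receiver-side check. This Python is an added example and not part of the thread; the addresses are constructed, and the `org_domain` shortcut (last two labels instead of a Public Suffix List lookup) is an assumption made so the example runs offline.

```python
from email.utils import parseaddr

def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels.
    Real receivers consult the Public Suffix List; this shortcut is wrong
    for suffixes such as co.uk and only keeps the example self-contained."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(header_from, mail_from, spf_pass,
                 dkim_d=None, dkim_pass=False,
                 aspf_strict=False, adkim_strict=False):
    """DMARC passes if SPF or DKIM passes AND that identity aligns with
    the domain in the visible From header (5322.From)."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    envelope_domain = mail_from.rpartition("@")[2]      # 5321.MailFrom
    spf_ok = spf_pass and aligned(envelope_domain, from_domain, aspf_strict)
    dkim_ok = (dkim_pass and dkim_d is not None
               and aligned(dkim_d, from_domain, adkim_strict))
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed messages: (header From, envelope sender, SPF verdict, extras).
FROM = "County Clerk <clerk@county.example>"
CASES = {
    "own mail server":      (FROM, "bounce@mail.county.example", True, {}),
    "same, aspf=s":         (FROM, "bounce@mail.county.example", True,
                             {"aspf_strict": True}),
    "unrelated envelope":   (FROM, "sender@unrelated.test", True, {}),
    "third party + DKIM":   (FROM, "b@esp.test", True,
                             {"dkim_d": "county.example", "dkim_pass": True}),
}

def evaluate(cases):
    return {name: dmarc_result(h, m, s, **kw) for name, (h, m, s, kw) in cases.items()}

if __name__ == "__main__":
    for name, verdict in evaluate(CASES).items():
        print(f"{name:20} {verdict}")
```

The "unrelated envelope" case is the one the thread argues about: SPF alone reports a pass for the envelope domain, and only the alignment step ties that result to the address the recipient sees.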

  • If it's like ID then it's racist to require it because everyone knows that poor people don't have ID. (rolls eyes)
