This paper shares examples of a novel approach to finding Dangling DNS targets where, due to typos or lack of tracking, DNS MX records may point to domains that are available for third-party purchase and potentially be abused for impersonation, social engineering attacks, and private information theft with partial (like collect some messages) or complete (for two-way communications) email take over.
Abstract: Routing of email generally relies on DNS MX (Mail Exchange) resource records. In addition, the MX definition may be used in Sender Policy Framework (SPF) rules. In this paper, we explore Dangling MX record targets which are available for third-party purchase and control. Depending on corresponding, potentially valid MX records and SPF rules, the vulnerabilities range from little impact to complete two-way email communication compromise, without snooping or man-in-the-middle techniques. Even if the organization does not use the domain for email, a third-party could still use it in a phishing attack where the phisher can actually use a valid and legitimate domain for increased credibility. We discovered 393 domain names with a Dangling MX record. This paper shares real-world examples of Dangling MX records and techniques for finding them. While the Dangling MX concept is already known, this paper also describes a novel vulnerability and research approach where the Dangling MX or other DNS target is an existing registered domain, but available for purchase or unknown third-party use.
What if the company's email doesn't work and they don't use it anyways?
While they will unlikely notice at first, a third party could represent them via email using the "legitimate" domain name for social engineering attacks. Advertising, even in print, can convince existing customers and contacts to start using "official" email addresses controlled by an unrelated third-party.
Who cares if it is lower priority (larger number) MX target?
Whether it is part of a DNS round robin or lower priority, a MX listener could slowly collect some emails here and there. Email participants are unlikely to notice a real problem, while information disclosure continues to happen. In addition, higher priority (small number) MX target mail servers could be made to be temporarily be off-line for various senders' point of views.
Isn't this an already known problem?
Yes this is documented in papers and various articles, but with little focus on email specifically. This paper highlights it specifically for email and, in addition, it introduces a new approach to discover and recognize Dangling DNS targets.
Why disclose all these organizations?
We attempted to contact companies about this since 2019. See What does "Responsible" mean for Vulnerability Disclosures? We had a less than three percent success rate. Imagine the problem already exists and working mail servers may already be handling other's MX targets maliciously — and would not be detected by these methods.