Check your SPF records: Wide IP ranges undo email security and make for tasty phishes


You’ve done the right thing by your organisation and made sure that DMARC and SPF (Sender Policy Framework) records are set in an effort to reduce email spoofing, but all that good work can be undone if the SPF record authorises too wide an IP range.

Such a situation was pointed out by Can I Phish CEO Sebastian Salla who scanned 1.8 million Australian domain records in search of email security snafus.

The mistake Salla was looking for was within SPF records, which list individual IP addresses but also IP ranges. If an organisation had entered a wide IP range, and had its email infrastructure sitting on a cloud provider, which reuses IP addresses unless an organisation pays extra for a dedicated one, there could be scope for another tenant to be handed an address covered by someone else’s SPF record.

Having found 60,000 IP addresses pointing towards various regions within Amazon Web Services (AWS), Salla was well on his way, and able to start EC2 instances on AWS that were handed an IP address another organisation’s SPF record said it had control of. This happened 264 times.
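The check described above can be done against your own records before anyone else does it for you. The following is an added example, not code from the article or from Can I Phish: it parses an SPF TXT record, collapses the `ip4`/`ip6` mechanisms into the set of addresses the record passes, flags ranges wider than a threshold, and tests whether a given sender address falls inside the passing set. The sample records, the domain names and the width thresholds (/24 for IPv4, /48 for IPv6) are constructed assumptions for the example; `include:`, `a:` and `mx:` terms need DNS and are deliberately not resolved, so the count is a lower bound.

```python
import ipaddress

# Constructed sample records for demonstration; not any real domain's SPF data.
SAMPLE_RECORDS = {
    "tight.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 include:_spf.example.net -all",
    "broad.example": "v=spf1 ip4:52.0.0.0/8 ip6:2001:db8::/32 ~all",
    "open.example": "v=spf1 +all",
}

QUALIFIERS = "+-~?"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples.
    Modifiers such as redirect=... are returned with their name as the mechanism."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, e.g. redirect=_spf.example.com
            name, arg = term.split("=", 1)
        elif ":" in term:  # mechanism with an argument, e.g. ip4:203.0.113.0/28
            name, arg = term.split(":", 1)
        else:  # bare mechanism such as all, a, mx
            name, arg = term, ""
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def has_plus_all(record):
    """True when the record ends in +all, which passes every sender."""
    return any(q == "+" and m == "all" for q, m, _ in parse_spf(record))


def passing_networks(record):
    """Networks explicitly passed by a '+' ip4/ip6 mechanism.
    A bare ip4:host is a /32 and a bare ip6:host a /128."""
    return [
        ipaddress.ip_network(arg, strict=False)
        for q, m, arg in parse_spf(record)
        if q == "+" and m in ("ip4", "ip6")
    ]


def authorised_address_count(record):
    """Number of distinct addresses the ip4/ip6 mechanisms pass (overlaps
    collapsed). Returns infinity for +all; includes are not expanded."""
    if has_plus_all(record):
        return float("inf")
    nets = passing_networks(record)
    total = 0
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def overly_broad(record, min_v4_prefix=24, min_v6_prefix=48):
    """Passing mechanisms wider than the thresholds. The thresholds are an
    assumption for this example, not an SPF standard."""
    findings = []
    for q, m, arg in parse_spf(record):
        if q != "+":
            continue
        if m == "all":
            findings.append("+all passes every address on the internet")
        elif m in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            limit = min_v4_prefix if net.version == 4 else min_v6_prefix
            if net.prefixlen < limit:
                findings.append(f"{m}:{arg} covers {net.num_addresses} addresses")
    return findings


def is_authorised(record, sender_ip):
    """True if sender_ip is inside a '+' ip4/ip6 mechanism or the record has +all."""
    ip = ipaddress.ip_address(sender_ip)
    if has_plus_all(record):
        return True
    return any(ip in n for n in passing_networks(record) if n.version == ip.version)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, authorised_address_count(record), overly_broad(record))
```

A `/8` in a record for a domain hosted on shared cloud address space means any other tenant who is assigned one of those sixteen million addresses passes SPF for that domain, which is exactly the situation the scan above surfaced; the `is_authorised` check is the defender's side of it, and is what a receiver effectively computes before DMARC alignment is applied.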

Among those caught out were Australian Parliament House, the

Read More: https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-email-security-and-make-for-tasty-phishes/#ftag=RSSbaffb68