MailChannels

Company type: Private
Industry: Information Security, SaaS
Founded: 2004
Headquarters: Vancouver, Canada
Area served: Worldwide
Key people: Ken Simpson, CEO
Products: Spam Filtering, Anti-spam
Services: Computer Security

MailChannels is a Canadian technology company that specializes in email security for businesses and internet service providers (ISPs). Founded in 2004 by Ken Simpson and headquartered in Vancouver, British Columbia, the company operates in the email security and infrastructure market. The business provides products and services designed to safeguard email systems against spam, phishing, and other harmful content. They guarantee the dependable delivery of legitimate messages and offer a mail relay API for numerous websites[citation needed].

Company history

MailChannels was founded in 2004 by former engineers of ActiveState (acquired by Sophos), who created one of the first commercial spam filters.

The company's first product was an SMTP proxy that provides tar-pitting and transparent SMTP proxy functionality for inbound email filtering.

In 2007, MailChannels joined M³AAWG and closed a series A round led by early Microsoft employees.

In 2010, the company launched outbound email filtering software that it claims is capable of filtering up to 30 million messages per hour, transparently in the network. Outbound email filtering involves scanning email traffic as it exits the network, identifying compromised accounts, and reducing the risk of having IP addresses blocked by receiving networks.

In 2013, the company launched a cloud-based outbound email filtering service.

In 2018, the company launched a cloud-based inbound email filtering service.

In 2022, the company decided to stop supporting Plesk for outbound email filtering.

MailChannels and Email Authentication Considerations

In August 2023, security researcher Marcello Salvati presented findings at DEF CON 31 regarding what he termed a potential vulnerability in MailChannels' email infrastructure. [1] Salvati's research demonstrated that it was possible to send emails addressed from any domain through a free email sending API that MailChannels had been offering to Cloudflare Workers users. Salvati's talk highlighted how email receivers often interpret a passing SPF check as an indication that an email message was authentically sent by the owner of a given domain name, even though the SPF RFC specifically advises against interpreting SPF results in this manner. [2]

SPF has several notable limitations that are described in the RFC: [2]

  1. SPF only authenticates the envelope sender (MAIL FROM) and HELO/EHLO identities, not other identities in the message headers.
  2. A passing SPF result does not guarantee the message is not spoofed or malicious.
  3. SPF can't verify specific email addresses, only domains.

The authors recommend receivers use SPF as part of a larger set of evaluations rather than treating it as dispositive on its own. [2]

Furthermore, RFC 5321, which defines SMTP, explicitly states that SMTP mail is inherently insecure:

"SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. [...] Real mail security lies only in end-to-end methods involving the message bodies, such as those that use digital signatures." (RFC 5321, Section 7) [3]
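The first SPF limitation listed above, seen from the receiving side, as an added example (not part of the original article and not MailChannels' code): it reads the receiver's own Authentication-Results header and reports whether the domain that passed SPF aligns with the domain in the visible From: header, in the manner of DMARC identifier alignment. The sample message, all hostnames, the authserv-id and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passes for the relay's envelope domain, while the
# From: header shown to the recipient names an unrelated domain.
SAMPLE = """\
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@relay.example.net
From: "Accounts" <billing@brand.example.org>
To: user@receiver.example
Subject: Invoice

Please see the attached invoice.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def spf_identity(msg, authserv_id):
    """Return (result, MAIL FROM domain) from our own server's header only."""
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue  # added by another host, possibly the sender: ignore
        m = re.search(r"\bspf=(\w+).*?\bsmtp\.mailfrom=([^\s;]+)", value, re.S)
        if m:
            return m.group(1).lower(), domain_of(m.group(2))
    return None, None

def evaluate(raw, authserv_id="mx.receiver.example", strict=False):
    msg = message_from_string(raw)
    result, mailfrom = spf_identity(msg, authserv_id)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if result != "pass":
        return "spf-not-pass"
    if strict:
        aligned = mailfrom == from_domain
    else:
        aligned = org_domain(mailfrom) == org_domain(from_domain)
    return "spf-pass-aligned" if aligned else "spf-pass-unaligned"

if __name__ == "__main__":
    print(evaluate(SAMPLE))  # spf-pass-unaligned
```

A result of `spf-pass-unaligned` is the case the section describes: the envelope sender is authorized, yet nothing has been established about the From: address the recipient sees.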

MailChannels' Response

MailChannels CEO Ken Simpson addressed the complexity of the situation, stating, "MailChannels sends email for 30 million different domains that are hosted behind over 600 web hosting provider networks. We cannot force every domain owner to verify the ownership of their domain because domain owners do not even authenticate domain ownership with their own hosting provider". [4]

In response to these findings, MailChannels developed and implemented a new security feature called "Domain Lockdown." This feature enhances domain authentication by linking registered domain names to MailChannels accounts and implementing sender ID verification, providing an additional layer of security beyond SPF. [5] It does not require Cloudflare users to register an account with MailChannels, since the mechanism operates using DNS records alone.


References

  1. DEF CON 31 - SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan - byt3bl33d3r, 16 September 2023, retrieved 2023-09-27
  2. Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. April 2014. sec. 2.4. doi:10.17487/RFC7208. RFC 7208.
  3. Simple Mail Transfer Protocol. October 2008. sec. 7. doi:10.17487/RFC5321. RFC 5321.
  4. Sabin, Sam (11 August 2023). "Exclusive: An email security vendor is leaving 2M domains open to phishing hacks, study finds". Axios. Archived from the original on 16 August 2023. Retrieved 28 September 2023.
  5. "Introducing MailChannels Domain Lockdown". Cloudflare. 21 June 2023. Retrieved 28 September 2023.