How a Single DMARC Misconfiguration Can Trigger an Email-Based DDoS

How a single DMARC misconfiguration can be exploited to launch an email-based DDoS attack.

Many companies want to receive DMARC reports for all their subsidiaries in one centralized email account. To authorise that, they often publish a wildcard External Destination Verification (EDV) record (*._report._dmarc.central-domain) instead of one explicit record per subsidiary domain, and that wildcard creates a high-risk entry point.

Exploit:

- today, 5,000+ mail servers send DMARC aggregate reports

- if an attacker registers a throwaway domain and points its DMARC rua= address at a domain with a wildcard EDV record, every report receiver treats your mailbox as an authorised destination and redirects the reports to your internal mailbox

- one email sent to each of those servers = 5,000 aggregate reports the next day

- 10 throwaway domains = 50,000 inbound emails per day

- the attacker repeats this every day

- all reports come from trusted companies with authenticated domains (Google, Microsoft, Yahoo, etc.)

This is a real email-based DDoS, also known as spam bombing. It causes:

- server slowdowns

- missed legitimate emails

- team inboxes flooded with junk

- engineering resources wasted on mitigation and cleanup

- organizations running out of cloud storage

Fix:

- never publish a wildcard EDV record for your main domain

- always publish an explicit EDV record for each sender domain that you control

- ensure your infrastructure can't be co-opted into someone else's feedback loop
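The check described above, as an added example that is not part of the original post: a small audit script that, for a central report domain, verifies an explicit EDV record exists for every sender domain you control and probes a random label under _report._dmarc to detect a wildcard. The domain names reports.example, sub1.example and sub2.example and both zone files are constructed; the in-memory resolver's wildcard handling is a simplified model of DNS (exact match first, then a *.suffix match), and the optional dnspython resolver is only there to run the same audit against live DNS.

```python
"""
Audit a central DMARC report domain for the wildcard EDV misconfiguration.

RFC 7489 section 7.1: when sub1.example publishes
    _dmarc.sub1.example  TXT "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example"
and reports.example is a different organisational domain, a report receiver
first queries
    sub1.example._report._dmarc.reports.example  TXT "v=DMARC1"
and sends the report only if that record exists. A wildcard
    *._report._dmarc.reports.example  TXT "v=DMARC1"
answers that query for every policy domain, including throwaway ones.
"""
import secrets
from typing import Callable, Dict, List

# A resolver is anything that maps a DNS name to its TXT strings ([] when absent).
Lookup = Callable[[str], List[str]]


def edv_name(policy_domain: str, report_domain: str) -> str:
    """Name a report receiver queries before sending policy_domain's reports here."""
    return (f"{policy_domain.lower().rstrip('.')}._report._dmarc."
            f"{report_domain.lower().rstrip('.')}")


def is_edv_authorised(txt_records: List[str]) -> bool:
    """An EDV record authorises reports only if it begins with the v=DMARC1 tag."""
    return any(r.strip().lower().startswith("v=dmarc1") for r in txt_records)


def audit_report_domain(report_domain: str, sender_domains: List[str],
                        lookup: Lookup) -> Dict[str, object]:
    """Check for an explicit EDV record per sender and probe for a wildcard.

    The probe uses a random label under the reserved .invalid TLD, which no
    legitimate sender can own; if it still answers v=DMARC1, a wildcard exists.
    """
    explicit = {s: is_edv_authorised(lookup(edv_name(s, report_domain)))
                for s in sender_domains}
    probe_domain = f"edv-probe-{secrets.token_hex(6)}.invalid"
    wildcard = is_edv_authorised(lookup(edv_name(probe_domain, report_domain)))
    missing = [s for s, ok in explicit.items() if not ok]
    return {"explicit": explicit, "missing": missing, "wildcard": wildcard,
            "safe": not wildcard and not missing}


# Constructed sample zones: the weak setup from the post beside the corrected one.
WEAK_ZONE = {
    "*._report._dmarc.reports.example": ["v=DMARC1"],
}
FIXED_ZONE = {
    "sub1.example._report._dmarc.reports.example": ["v=DMARC1"],
    "sub2.example._report._dmarc.reports.example": ["v=DMARC1"],
}


def make_lookup(zone: Dict[str, List[str]]) -> Lookup:
    """Offline resolver over a zone dict (simplified: exact match, then *.suffix)."""
    def lookup(name: str) -> List[str]:
        name = name.lower().rstrip(".")
        if name in zone:
            return zone[name]
        for owner, records in zone.items():
            if owner.startswith("*.") and name.endswith(owner[1:]):
                return records
        return []
    return lookup


def dnspython_lookup(name: str) -> List[str]:
    """Optional live resolver (requires `pip install dnspython`); not used below."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return ["".join(s.decode() for s in rdata.strings) for rdata in answer]


if __name__ == "__main__":
    senders = ["sub1.example", "sub2.example"]
    for label, zone in (("weak", WEAK_ZONE), ("fixed", FIXED_ZONE)):
        result = audit_report_domain("reports.example", senders, make_lookup(zone))
        print(label, result)
```

Run against live DNS by passing dnspython_lookup as the resolver and your own report domain and subsidiary list; a result with "wildcard": True is the configuration the post warns about, and "missing" lists the subsidiaries whose reports would be refused once the wildcard is removed.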

DMARC is a good and incredibly helpful standard, but there are still many ways it can be turned against companies.

Watch your DMARC.

Need help with your email security or deliverability? Book a free assessment.
