Full Report
Kent Ickler // TL;DR: This post describes the process of building an active system to automatically recon SPF violations. Disclaimer: There are parts of this build that might not be legal […] The post Offensive SPF: How to Automate Anti-Phishing Reconnaissance Using Sender Policy Framework appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: AutoSPFRecon
## Overview
AutoSPFRecon is a custom system designed to automatically detect and gather intelligence on systems sending unauthorized email (SPF violations) for a defined domain. It achieves this by leveraging the `exists` and macro features within Sender Policy Framework (SPF) records, configuring a custom DNS infrastructure to log queries, and then processing these logs to trigger further actions, such as running Shodan queries against the offending IP addresses.
## Technical Details
- Type: Tool/Framework (Automation System)
- Platform: Linux (BIND9, SSMTP, Python environment)
- Capabilities: DNS logging, automated DNS querying, Shodan integration, email notification, potential integration with defensive tools (Fail2Ban, IPTables).
- First Seen: Not explicitly mentioned, associated with a BHIS blog post reference.
## MITRE ATT&CK Mapping
This system is primarily defensive/intelligence-gathering, but it uses SPF mechanisms in a way that can also be applied offensively.
- **TA0007 - Discovery** (if used to map out external mail systems)
  - T1598 - Gather Victim Identity Information
    - T1598.003 - Email Accounts (by identifying senders attempting to spoof the domain)
- **TA0009 - Collection** (by gathering data from Shodan)
  - T1592 - Gather Victim Identity Information
    - T1592.001 - Gather Network Infrastructure (via Shodan queries on discovered IPs)
## Functionality
### Core Capabilities
* **SPF Exploitation via `exists` Mechanic:** Configures the domain's SPF record (a TXT record) to include `%{i}.autorecon.yourdomain.com` inside an `exists:` mechanism. Because `%{i}` expands to the connecting client's IP address, every receiving mail server that evaluates the record performs a DNS lookup against a zone controlled by the attacker/analyst, and the queried name itself carries the sender's IP.
* **Custom DNS Authoritative Server (BIND9):** Sets up BIND9 to be the authoritative name server for the subdomain (e.g., `autorecon.yourdomain.com`) to log all incoming DNS queries generated by the SPF check.
* **Log Monitoring:** Uses `logtail` or similar methods to monitor `/var/log/syslog` for entries generated by BIND9 when an SPF check query occurs.
* **Automated Response Script (`AutoReconSPF.sh`):** Reads logged queries, extracts the originating IP (`%{i}`), performs background intelligence gathering (e.g., Shodan search), and emails the results to a designated recipient.
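The following script is an added example, not code from the BHIS post or the `AutoReconSPF.sh` it describes. It shows the two halves of the mechanism above in one place: building the SPF record with the `exists:%{i}` macro, and parsing BIND9 query-log lines back into sender IPs. It assumes the placeholder zone name `autorecon.yourdomain.com` from the page, the line shape BIND9 writes to syslog when `querylog` is on (the constructed `_bind_line` helper mimics it), and the RFC 7208 macro expansion rule that `%{i}` becomes a dotted quad for IPv4 and 32 dot-separated hex nibbles for IPv6. All function names and the sample log lines are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Placeholder zone, as on the page; a real deployment uses its own delegated subdomain.
RECON_ZONE = "autorecon.yourdomain.com"


def build_spf_record(legit_mechanisms: List[str], zone: str = RECON_ZONE,
                     qualifier: str = "?") -> str:
    """Assemble the SPF TXT value.  The exists: mechanism is placed AFTER the
    legitimate mechanisms, so only senders that failed them trigger the lookup."""
    if qualifier not in ("+", "-", "~", "?"):
        raise ValueError("invalid SPF qualifier")
    return " ".join(["v=spf1", *legit_mechanisms,
                     f"{qualifier}exists:%{{i}}.{zone}", "-all"])


def expand_i_macro(ip: str) -> str:
    """What a receiving MTA substitutes for %{i} (RFC 7208, section 7.3):
    IPv4 stays dotted-quad, IPv6 becomes 32 dot-separated hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(format(int(addr), "032x"))


def decode_i_macro(label_part: str) -> Optional[str]:
    """Inverse of expand_i_macro; returns None for anything that is not a
    well-formed expansion (scanner noise, typos, apex lookups)."""
    parts = label_part.split(".")
    try:
        if len(parts) == 4:
            return str(ipaddress.IPv4Address(label_part))
        if len(parts) == 32 and all(len(p) == 1 for p in parts):
            return str(ipaddress.IPv6Address(int("".join(parts), 16)))
    except ValueError:
        return None
    return None


# BIND9 querylog line.  The "client" address is the recipient side's resolver;
# the IP the recon cares about is the one embedded in the queried name.
BIND_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<resolver>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


@dataclass(frozen=True)
class SpfLookup:
    resolver: str    # who asked: the receiving mail system's DNS resolver
    sender_ip: str   # %{i}: the SMTP client that claimed to send as our domain
    qname: str


def parse_lookup(line: str, zone: str = RECON_ZONE) -> Optional[SpfLookup]:
    m = BIND_QUERY_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    suffix = "." + zone.lower()
    if not qname.endswith(suffix):
        return None
    ip = decode_i_macro(qname[:-len(suffix)])
    if ip is None:
        return None
    return SpfLookup(m.group("resolver"), ip, qname)


def extract_senders(lines: List[str], zone: str = RECON_ZONE) -> Dict[str, Set[str]]:
    """Map each unauthorized sender IP to the set of resolvers that looked it up."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        hit = parse_lookup(line, zone)
        if hit:
            seen.setdefault(hit.sender_ip, set()).add(hit.resolver)
    return seen


def _bind_line(resolver: str, qname: str, qtype: str = "A") -> str:
    # Constructed sample in the shape BIND9 query logging writes to syslog.
    return (f"Mar  4 10:12:01 ns1 named[812]: client @0x7f1c2c0a1a70 {resolver}#41234 "
            f"({qname}): query: {qname} IN {qtype} +E(0)K (198.51.100.10)")


# Constructed syslog excerpt: two macro-expanded lookups, two non-macro queries, one unrelated line.
SAMPLE_SYSLOG = [
    _bind_line("192.0.2.53", f"{expand_i_macro('203.0.113.77')}.{RECON_ZONE}"),
    _bind_line("192.0.2.53", f"{expand_i_macro('2001:db8::cb01')}.{RECON_ZONE}"),
    _bind_line("198.51.100.200", f"www.{RECON_ZONE}"),   # scanner noise, not a macro
    _bind_line("192.0.2.54", RECON_ZONE, "SOA"),          # zone apex, no sender IP
    "Mar  4 10:12:05 ns1 sshd[900]: Accepted publickey for ops from 192.0.2.9 port 50022",
]

if __name__ == "__main__":
    print(build_spf_record(["mx", "include:_spf.example.net"]))
    for sender, resolvers in extract_senders(SAMPLE_SYSLOG).items():
        print(f"unauthorized sender {sender} seen via resolvers {sorted(resolvers)}")
```

Two points the parser makes explicit: the source address of the DNS query is the recipient's resolver, not the spoofing host, so only the IP recovered from the query name belongs in a block list; and because resolvers cache the answer (and the negative answer) for the zone's TTL, repeat mail from the same sender inside that window produces no new log line, so the recon zone should be served with a short TTL.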
### Advanced Features
* **Active Reconnaissance Trigger:** Turns failed/unauthorized email sources into active reconnaissance targets by automatically querying known intelligence platforms (Shodan).
* **Defensive Integration Potential:** The framework is explicitly designed to be expanded to integrate with defensive mechanisms like Fail2Ban or IPTables to automatically block detected malicious IP addresses.
## Indicators of Compromise
* **File Hashes:** Not provided in the text.
* **File Names:** `AutoReconSPF.sh`
* **Registry Keys:** N/A (Linux-based system).
* **Network Indicators:**
  * Custom Subdomain for Querying: `autorecon.yourdomain.com`
  * Example Query Format: `[ORIGINATING.MAIL.SERVER.NAME].autorecon.yourdomain.com`
* **Behavioral Indicators:**
  * Receiving mail servers querying a specific, custom-controlled DNS zone authority (`autorecon.yourdomain.com`).
  * Log entries in syslog related to BIND9 query logging for reverse-DNS style lookups in the custom domain.
## Associated Threat Actors
* The creator/implementer of the tool, associated with Black Hills Information Security (BHIS) (Example implementation by Kent Ickler/Relkci).
## Detection Methods
* **Signature-based detection:** Likely detection based on the custom SPF record structure (`-exists:%{d}.AutoRecon.yourdomain.com -all` or `?exists:%{i}.autorecon.yourdomain.com -all`).
* **Behavioral detection:** Monitoring DNS query logs for anomalous lookups directed at the controlled subdomain (`autorecon.yourdomain.com`).
* **YARA rules:** Not specified.
## Mitigation Strategies
* **Prevention Measures:** Ensure your organization's legitimate SPF records are correctly configured and do not rely on custom or complex `exists:` mechanisms unless they are part of a vetted internal process.
* **Hardening Recommendations:** If monitoring for such activity, monitor DNS server logs for unexpected queries against your authoritative zones. Implement strict ingress control on DNS servers running BIND9. Ensure only necessary logging is enabled to reduce noise.
## Related Tools/Techniques
* SPF (Sender Policy Framework) RFC 4408
* Shodan CLI/API integration
* BIND9 (DNS Server software)
* Fail2Ban (For integrated blocking)
* iptables (For integrated blocking)