Mailgun describes inbound routes as:
"complex incoming messages are simplified and parsed into all of the data you need with Inbound Routes." [1]
Mailgun refers to DKIM/SPF/DMARC with:
"Mailgun leads the charge in email authentication by requiring DKIM and SPF records by default before you can begin sending." [2]
However, nowhere does it say that Mailgun does not provide SPF or DKIM validation checks on inbound emails. Confusingly, the SPF/DKIM result headers appear only on a subset of inbound emails.
Attack scenario:
1) Pick any domain using Mailgun for inbound email processing, trivially found via MX records:
https://securitytrails.com/list/mx/mxa.mailgun.org https://securitytrails.com/list/mx/mxb.mailgun.org
2) Spoof an email from any address you want to impersonate (e.g. security@mailgun.com).
If the recipient address is handled via an inbound route to a webhook (e.g. a CRM or other system), the message will appear to come from the spoofed sender without any DKIM/SPF flags. This makes phishing via Inbound Routes trivial.
Requested fix:
Include the SPF (X-Mailgun-Spf), DKIM (X-Mailgun-Dkim-Check-Result) and SpamAssassin (e.g. DMARC_QUAR / DMARC_REJECT / DMARC_NONE / DMARC_MISSING) headers for ALL inbound routes to a webhook. The application can then decide what to do.
Mailgun Response:
"Our security team has confirmed that our routes act as an open relay and that this is not considered a security vulnerability with Mailgun."
Nowhere in the Mailgun documentation / sales pages are inbound routes described like this, and in fact they pretend to have protection, as the headers are sometimes present. Furthermore, performing SPF/DKIM/DMARC checks manually isn't possible, because Mailgun does not provide the original message body unmodified, so DKIM verification fails by the time the message is passed to the route.
Note A: Using a throwaway account so as not to give away information about our own exposed systems.
Note B: The spoofed email must not score above a certain SpamAssassin threshold (this is fairly trivial to do and openly testable by any attacker), otherwise it might get blocked by higher-level Mailgun spam handling.
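As an added illustration of the "Requested fix" above (example code, not from the post or from Mailgun), a webhook-side policy that consumes the headers the post names and fails closed when they are absent, so a message without results is treated as unverifiable rather than as clean. It assumes Mailgun delivers the MIME headers as a JSON list of [name, value] pairs in the message-headers form field, that "Pass" is the passing value, and that the caller extracts SpamAssassin rule hits into a list.

```python
import json

# Assumed value Mailgun uses for a passing check (compared case-insensitively).
PASS = "pass"
# SpamAssassin rule names quoted in the post, mapped to a local verdict.
DMARC_RULE_VERDICT = {
    "DMARC_REJECT": "reject",
    "DMARC_QUAR": "quarantine",
    "DMARC_MISSING": "quarantine",   # policy choice: no DMARC record, be cautious
    "DMARC_NONE": "accept",
}

def headers_from_mailgun_post(form):
    """Assumed layout: the 'message-headers' field holds a JSON list of
    [name, value] pairs. Returns lower-cased header name -> first value seen."""
    out = {}
    for name, value in json.loads(form.get("message-headers", "[]")):
        out.setdefault(name.lower(), value.strip())
    return out

def classify_inbound(form, spamassassin_rules=()):
    """Return (verdict, reason) for one webhook delivery.

    Fail closed: a delivery with no X-Mailgun-Spf / X-Mailgun-Dkim-Check-Result
    header is not 'unauthenticated but fine'; it is unverifiable, so the From:
    address must not be trusted. spamassassin_rules is the list of rule hits
    the deployment extracts from its spam headers (assumed to be available)."""
    h = headers_from_mailgun_post(form)
    spf = h.get("x-mailgun-spf")
    dkim = h.get("x-mailgun-dkim-check-result")
    if spf is None or dkim is None:
        return "quarantine", "no SPF/DKIM results attached; sender unverifiable"
    if spf.lower() != PASS or dkim.lower() != PASS:
        return "reject", f"SPF={spf} DKIM={dkim}"
    for rule in spamassassin_rules:
        verdict = DMARC_RULE_VERDICT.get(rule.upper())
        if verdict and verdict != "accept":
            return verdict, f"SpamAssassin hit {rule}"
    return "accept", "SPF and DKIM pass"

# Constructed sample deliveries (not real Mailgun traffic).
AUTHENTICATED = {"message-headers": json.dumps([["From", "alerts@example.com"],
    ["X-Mailgun-Spf", "Pass"], ["X-Mailgun-Dkim-Check-Result", "Pass"]])}
UNVERIFIED = {"message-headers": json.dumps([["From", "security@example.com"]])}
FAILED_SPF = {"message-headers": json.dumps([["From", "billing@example.com"],
    ["X-Mailgun-Spf", "Fail"], ["X-Mailgun-Dkim-Check-Result", "Pass"]])}

if __name__ == "__main__":
    for sample in (AUTHENTICATED, UNVERIFIED, FAILED_SPF):
        print(classify_inbound(sample))
```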
[1] - https://www.mailgun.com/products/send/inbound-routing/
[2] - https://www.mailgun.com/blog/deliverability/implement-dmarc/...