https://dl.acm.org/doi/10.1007/978-3-032-07901-5_8

BibTeX

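@comment{ESORICS 2025 measurement study of Cloaked Spam Email (CSE): spam that hides content behind invisible HTML/CSS settings so that it passes spam engines and misleads the reader. Per the abstract: 16 invisible configurations identified, 12 of 14 evaluated email services affected, findings disclosed to the providers together with mitigation recommendations. Citation key kept as exported by the ACM Digital Library.}
@inproceedings{10.1007/978-3-032-07901-5_8,
  author    = {Guo, Bingyang and Liu, Mingxuan and Ma, Yihui and Li, Ruixuan and Shi, Fan and Zhang, Min and Liu, Baojun and Xu, Chengxi and Duan, Haixin and Hong, Geng and Yang, Min and Pan, Qingfeng},
  title     = {Email Cloaking. Deceiving Users and Spam Email Detectors with Invisible {HTML} Settings},
  booktitle = {Computer Security -- {ESORICS} 2025: 30th European Symposium on Research in Computer Security, Toulouse, France, September 22--24, 2025, Proceedings, Part IV},
  year      = {2025},
  pages     = {147--168},
  numpages  = {22},
  isbn      = {978-3-032-07900-8},
  publisher = {Springer-Verlag},
  address   = {Berlin, Heidelberg},
  location  = {Toulouse, France},
  doi       = {10.1007/978-3-032-07901-5_8},
  url       = {https://doi.org/10.1007/978-3-032-07901-5_8},
  keywords  = {Abusive Content, Email Cloaking, Spam Detection Bypass},
  abstract  = {Development of HTML emails increases parsing complexity and discrepancies. Owing to parsing and rendering differences, email systems expose a new attack surface: Cloaked Spam Email (CSE). CSE exploits the legitimate functions of HTML and Cascading Style Sheets (CSS) to build invisible content for cloaking. It can stealthily bypass spam engines and deceive users. However, there is a lack of the understanding of this novel email cloaking threat, let alone a systematic assessment of its threat impacts, leaving a defense gap. To fill the understanding gap of CSE risk, this paper reveals its threat impacts via empirical analysis and real-world measurements. First, through systematic analysis of CSS rendering features and their applicability to email clients, we identified 16 invisible configurations. Based on these findings, we conducted a comprehensive evaluation of 14 well-known email services. Our results reveal 12 services vulnerable to CSE, with our constructed spam samples successfully bypassing their detection and reaching victim inboxes, including Gmail, Fastmail, and QQ. To systematically assess the impact of CSEs in the wild, we developed a detection framework and applied it to two real-world spam datasets: an open-source spam dataset and the actual logs from a renowned email service provider. Through analyzing a combined total of 8,816,785 emails, we successfully detected 102,156 CSE attacks, highlighting the presence of such threats in the email ecosystem. Finally, we responsibly disclosed these vulnerabilities to affected email providers and provided mitigation recommendations against CSE threat.},
}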