Automatic Insecurity: Exploring Email Auto-configuration in the Wild

Shushang Wen

Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Email Security

Email remains a cornerstone of digital communication, underpinning both personal and professional interactions. Setting up an email account, however, often involves a complex array of technical configurations, including protocol types, server hostnames, port numbers, and connection security. To simplify this process, **email auto-configuration** mechanisms were developed, allowing users to merely input their email address and password while the client automatically discovers and applies the necessary server settings. This talk, presented by Shushang Wen from the University of Science and Technology of China, along with collaborators from Tsinghua University and Beihang University, delves into the security landscape of these critical yet often overlooked mechanisms.
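As an added example (not code from the talk or the paper), the checks a client could run on a fetched auto-configuration document before applying it, so that a response fetched without TLS, a plaintext transport, or a server hostname outside the provider's own domain is rejected rather than silently adopted. The document shape follows the Mozilla autoconfig XML format, which is an assumption on my part (the page names no specific mechanism); the sample response is constructed and deliberately contains the problems the checks flag.

```python
"""Audit an email auto-configuration response before trusting it."""
import xml.etree.ElementTree as ET

# Constructed sample in the Mozilla autoconfig XML shape (assumption: the
# client fetched it for the user's domain). The IMAP entry advertises a
# plaintext socket and the SMTP entry points outside the provider's domain.
SAMPLE_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>143</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.not-the-provider.test</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Only these socket types encrypt the mail session itself.
SECURE_SOCKETS = {"SSL", "STARTTLS"}


def audit_autoconfig(xml_text, email_domain, fetched_over_tls):
    """Return the reasons this configuration must NOT be applied (empty = ok)."""
    findings = []
    if not fetched_over_tls:
        findings.append("config fetched without TLS: an on-path attacker can rewrite it")
    root = ET.fromstring(xml_text)
    provider = root.find("emailProvider")
    # Hostnames are only trusted inside the domains the provider lists,
    # plus the domain of the address the user typed.
    allowed = {d.text.strip().lower() for d in provider.findall("domain") if d.text}
    allowed.add(email_domain.lower())
    for server in provider.findall("incomingServer") + provider.findall("outgoingServer"):
        kind = server.get("type")
        host = server.findtext("hostname", "").strip().lower()
        socket_type = server.findtext("socketType", "").strip()
        auth = server.findtext("authentication", "").strip()
        if socket_type not in SECURE_SOCKETS:
            findings.append(f"{kind}: socketType {socket_type!r} with auth {auth!r} exposes the session")
        if not any(host == d or host.endswith("." + d) for d in allowed):
            findings.append(f"{kind}: hostname {host!r} is outside the provider's domains")
    return findings
```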

AI review

Legitimate academic security research with real measurement data — 1M+ domains scanned, 29 clients tested, 10 attack scenarios documented. Solid empirical work on a genuinely neglected attack surface, but the vulnerabilities themselves aren't novel enough to make this a must-see: plaintext config fetching, downgrade attacks, and stale built-in lists are well-understood classes of failure applied to a specific mechanism.
