Cybersecurity

30 readers

4 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

founded 2 years ago

MODERATORS

shellsharks@fedia.io

tweedge@fedia.io

submitted 4 months ago by Jerry@hear-me.social to c/cybersecurity@fedia.io

3 comments fedilink hide all child comments

To me, it's idiocy to design a complex email security system consisting of spf and DKIM checks, leading to emails coming in from scammers that are screaming, I'M SPAM!!, but then get delivered anyway because the very same scammer sets up a dmarc record in their DNS that simply says, yes, my stuff is obvious dangerous spam, but deliver it anyway. And the mail clients go, OK, if you say so.

They gave scammers and spammers a spam detection kill switch?

Why have all this in place if a scammer can just tell my email client it must deliver their junk? Why don't email clients at least put the email into the inbox in red if it fails spf and DKIM and the domain was created 10 minutes ago? Or at least give me the option to send email that fails spf to a special folder?

The Scam:
A scammer registers a new domain (e.g., totalBS.com).

They set up a DMARC record for that domain with p=none that instructs the email client to ignore the spf and DKIM failures.

They send out phishing emails from that domain, often spoofing legitimate addresses.

Even though SPF and DKIM checks fail, receiving mail servers honor DMARC and deliver it anyway, bypassing a significant layer of email security.

Why bother setting up this who complicated scheme then?

What got me started is that hotmail put one of these into my inbox today, and I just couldn't believe they presented it to me like any other email when all security checks clearly failed because of spoofing.

#CyberSecurity #Phishing

top 3 comments

sorted by: hot top controversial new old

[–] limer@lemmy.dbzer0.com 3 points 4 months ago

Well spoken!

These are some reasons I hate email, just clearly articulated instead of mumbled curses, for instance

[–] socialmedia@lemmy.world 3 points 4 months ago

People used to argue email can't be fixed because it's ubiquitous and there would never be a flag day where everyone changed to a new protocol.

That has changed. Now 90% of email comes from a big 3 providers, gmail, Microsoft, whoever. They could implement protocol changes and everyone else would be forced to follow.

The second thing is you could just add a v2 header and include some backword compatibilty.

Things email is desperately missing: Attestable records. Anyone can append anything anywhere INA message. Breaking DKIM all the time.

Rather than that they need to make the format append only. Each new part can add headers that are signed by the forwarding node but they can't tocuh the original message.

At that point you still wouldn't know if you could trust the originating mailserver or mail agent, but you could at least be sure of who the originator was, and it allows you to establish trust based on that (with further things like deferred emails for untrusted senders using something like postgrey, but with better support due to trusting keys rather than domain addresses)

The problem then becomes forcing the big three to implement changes that rock the boat for them.

People have largely accepted spam as a fact of life on email and shifted conversations to less infested platforms.

The other problem is the obvious one that no matter what technical solution you come up with it'll be ruined in 24hrs by spammers.

[–] lurch@sh.itjust.works 3 points 4 months ago

I think these just make sure the sender registered a domain and may even be held accountable, because they had to pay for it and put contact info. If an attacker hijacks a device that isn't meant to send mail, they can't use it for spamming, as they also need DNS control.