June 27

Webinar takeaway – MailFail – Who’s Spoofing Your Email and How Are They Doing It?


My key takeaways

  • SPF ensures that the SMTP FROM domain explicitly allows the connecting IP address.
  • SPF does NOT ensure that the email address seen by the user is the one which was checked.
  • The existence of both SMTP FROM and the From field is a vulnerability: SPF checks SMTP FROM, but most mail clients show the From field.
    • DMARC uses the From field after checking SMTP FROM via SPF
  • An attacker can bypass DKIM by just passing a selector from an attacker-controlled domain
    • SMTP FROM and the DKIM d-field don’t have to be the same 😵‍💫
  • cado-nfs.py on a cloud server should be able to crack an RSA-512 key 🤔
    • a lot of clients send mails signed with RSA512 to spam
  • SPF alignment: Ensures that the domain in the “From” address matches the domain specified in the SPF record, confirming the email’s authenticity.
  • DKIM alignment: Ensures that the domain in the “From” address matches the domain in the DKIM signature, validating the email’s integrity.
  • DMARC pct is dangerous if not set to 100
  • Check NSEC to find zone file for a domain
  • openrdap is the new whois
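
The alignment check that the SPF, DKIM and DMARC points above describe, written as a receiver-side evaluation; this is an added example, not code from the webinar. The `.example` domains and messages are constructed, and `org_domain` approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC evaluators
    # derive the organizational domain from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dkim_d_tag(signature):
    # Parse the tag=value list of a DKIM-Signature header and return d=.
    tags = {}
    for part in signature.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags.get("d", "")

def dmarc_eval(raw, mail_from, spf_pass, dkim_pass, strict=False):
    # spf_pass / dkim_pass are the receiver's raw SPF and DKIM verdicts.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_dom = mail_from.rpartition("@")[2]
    dkim_dom = dkim_d_tag(msg.get("DKIM-Signature", ""))
    spf_ok = spf_pass and aligned(spf_dom, from_dom, strict)
    dkim_ok = dkim_pass and bool(dkim_dom) and aligned(dkim_dom, from_dom, strict)
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: visible From is bank.example, but both the envelope
# sender and the DKIM d= tag belong to a different domain.
MISMATCH = ("From: Billing <billing@bank.example>\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=sel1; b=AAAA\n"
            "Subject: invoice\n\nbody\n")
# Constructed sample: envelope sender and d= share the From org domain.
ALIGNED = MISMATCH.replace("d=other.example", "d=bank.example")

if __name__ == "__main__":
    print(dmarc_eval(MISMATCH, "bounce@other.example", True, True))
    print(dmarc_eval(ALIGNED, "bounce@mail.bank.example", True, True))
```

In the first sample SPF and DKIM both pass on their own, yet neither aligns with the From domain, so only a DMARC policy on the From domain causes the message to be rejected or quarantined.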

Tags

dkim, dmarc, spf

