My key takeaways
- SPF ensures that the SMTP FROM domain explicitly allows the connecting IP address.
- SPF does NOT ensure that the email address seen by the user is the one which was checked.
- The existence of both SMTP FROM and the From field is a vulnerability: SPF checks SMTP FROM, but most mail clients show the From field.
- DMARC uses the From field after checking SMTP FROM via SPF.
- An attacker can bypass DKIM by just passing a selector from an attacker-controlled domain.
- SMTP FROM and the DKIM d-field don’t have to be the same 😵💫
- `cado-nfs.py` on a cloud server should be able to crack an RSA-512 key 🤔
- A lot of clients send mails signed with RSA512 to spam
- SPF alignment: Ensures that the domain in the “From” address matches the domain specified in the SPF record, confirming the email’s authenticity.
- DKIM alignment: Ensures that the domain in the “From” address matches the domain in the DKIM signature, validating the email’s integrity.
- DMARC pct is dangerous if not set to 100
- Check NSEC to find zone file for a domain
- openrdap is the new whois
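
The alignment points above, as an added example (not code from the talk or from BHIS): a Python check that compares the visible From domain with the SMTP FROM domain and the DKIM `d=` domain, and flags a DMARC `pct` below 100. It assumes SPF and DKIM verification already happened upstream, approximates the organizational domain as the last two labels, and uses a constructed message with `.example` domains; all function names are hypothetical.

```python
import email
from email.utils import parseaddr

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature header or DMARC record)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real DMARC evaluators use the Public Suffix List here.
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, strict):
    if not auth_domain:
        return False
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def check_alignment(raw_message, smtp_from, dmarc_record):
    """Compare the From header domain with the SPF and DKIM identities."""
    msg = email.message_from_string(raw_message)
    policy = parse_tags(dmarc_record)
    from_domain = domain_of(msg["From"])
    dkim_domains = [parse_tags(h).get("d", "").lower()
                    for h in msg.get_all("DKIM-Signature", [])]
    return {
        "from_domain": from_domain,
        "spf_aligned": aligned(from_domain, domain_of(smtp_from),
                               policy.get("aspf", "r") == "s"),
        "dkim_aligned": any(aligned(from_domain, d, policy.get("adkim", "r") == "s")
                            for d in dkim_domains),
        "pct_below_100": int(policy.get("pct", "100")) < 100,
    }

# Constructed sample: the visible From is bank.example, SPF/DKIM identities are not.
SAMPLE = (
    "From: Support <support@bank.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: hello\n\nbody\n"
)
if __name__ == "__main__":
    print(check_alignment(SAMPLE, "bounce@other.example", "v=DMARC1; p=reject; pct=50"))
```

A message only passes DMARC when at least one of SPF or DKIM both verifies and is aligned; the sample is aligned on neither, so it would fail even if SPF and DKIM each passed for `other.example`.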
Env
- Provided by BHIS
- Speaker