June 27

Webinar takeaway – MailFail – Who’s Spoofing Your Email and How Are They Doing It?

Email, Security

0 comments

My key takeaways

SPF ensures that the SMTP FROM domain explicitly allows the connecting IP address.
SPF does NOT ensure that the email address seen by the user is the one which was checked.
the existance of SMTP FROM and the From field is a vulnarability: SPF checks SMTP FROM but most mail clients show the From field.
- DMARC uses the From field after checking SMTP FROM via SPF
Attacker can bypass DKIM by just passing a selector from an attacker controlled domain
- SMTP FROM and the DKIM d-field don't have to be the same 😵‍💫
cado-nfs.py on a cloud server should be able to crack a rsa 512 key 🤔
- a lot of clients send mails signed with RSA512 to spam
SPF alignment: Ensures that the domain in the “From” address matches the domain specified in the SPF record, confirming the email’s authenticity
DKIM alignment: Ensures that the domain in the “From” address matches the domain in the DKIM signature, validating the email’s integrity.
DMARC pct is dangerous if not set to 100
Check NSEC to find zone file for a domain
openrdap is the new whois

Env

Provided by BHIS
Speaker
- Jack Hyland

additional links

Webinar takeaway: Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox

My key takeaways DMARC uses SPF and/or DKIM In 2021 the National Defense Authorization Act says the Department of Homeland Security (DHS) must implement DMARC US wide there exists an RFC for "email from" SPF = receiving email server checks MAIL FROM address or the domain’s IP address in the HELO handshake against the sender’s

Jean-Christoph von Oertzen

Blog

Infosec glossary

Webinar takeaway – MailFail – Who’s Spoofing Your Email and How Are They Doing It?

My key takeaways

Env

additional links

You may also like

Webinar takeaway: Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox