For some reason otherwise legitimate ESPs have over the years picked up a habit of obfuscating who they are. I don’t mean those cases where they use a customers subdomain for their infrastructure or bounce address. If the customer is Harper Collins then mail “from” @bounce.e.harpercollins.com sent from a server claiming to be mail3871.e.harpercollins.com isn’t unreasonable...
If you follow any infosec sources you’ve probably already heard a lot about Meltdown and Spectre, Kaiser and KPTI. If not, you’ve probably seen headlines like Major flaw in millions of Intel chips revealed or Intel sells off for a second day as massive security exploit shakes the stock. What is it? These are all about a cluster of related security issues that exploit features shared...
I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”. It passes SPF: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com; It passes DKIM: Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com The visible RFC 822 From address is strictly...
We often want to know whether two hostnames are controlled by the same person, or not. One case for that is cookie privacy in web browsers. We want pages at www.blighty.com and images.blighty.com and blighty.com to all be able to set and read cookies for each other – so a user only needs to log in once for pages or images on all of them to work well together. So we allow all of them to...
There are a bunch of online communities – mailing lists, Slack channels, etc. – where “people who do email” interact. Some of them are open to anyone to subscribe, some of them are semi-private and require an invitation, others are closed and only available by invitation and yet others are associated with trade associations and only open to their members. Many of them...
The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure...
We just bought some new desks, to replace the old ones that date back to the days of CRT monitors. The supplier we bought them from, Autonomous, did a nice set of triggered sends throughout the sales process – “we’ve received your order”, “we’ve shipped your order”, “your order has been delivered”. That’s not rocket science – you...
Happy Labor Day! Celebrate it with the perfect email-themed cocktail – a spam-infused Mai Tai, served in the traditional glass. A speciality of the Duck Inn in Chicago, it’s made from a fat-washed dark rum: Slice Spam thin and lay the slices onto a small sheet pan. Cover with 5oz of melted lard. Bake at 250 degrees for one hour, or until the Spam is thoroughly browned. Fine strain...
Well, not exactly mandatory but Chrome will start labeling any text or email form field on a non-TLS page as “NOT SECURE”. Chrome 62 will be released as stable some time around October 24th. If you want to avoid the customer support overhead then, regardless of whether any of the information on a form is sensitive, you should probably make sure that all your forms are accessible via...
In April of last year I created a new twitter account. I can’t remember exactly why, but it was a throwaway created to look at some aspect of how twitter interacts with new accounts. As part of the account creation process I gave Twitter an email address. They sent me a confirmation message right away: I didn’t click the button. Four months later they sent me another confirmation...
RSS - Posts