There are a bunch of online communities – mailing lists, Slack channels, etc. – where “people who do email” interact. Some of them are open to anyone to subscribe, some of them are semi-private and require an invitation, others are closed and only available by invitation and yet others are associated with trade associations and only open to their members. Many of them...
The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure...
We just bought some new desks, to replace the old ones that date back to the days of CRT monitors. The supplier we bought them from, Autonomous, did a nice set of triggered sends throughout the sales process – “we’ve received your order”, “we’ve shipped your order”, “your order has been delivered”. That’s not rocket science – you...
Happy Labor Day! Celebrate it with the perfect email-themed cocktail – a spam-infused Mai Tai, served in the traditional glass. A speciality of the Duck Inn in Chicago, it’s made from a fat-washed dark rum: Slice Spam thin and lay the slices onto a small sheet pan. Cover with 5oz of melted lard. Bake at 250 degrees for one hour, or until the Spam is thoroughly browned. Fine strain...
Well, not exactly mandatory but Chrome will start labeling any text or email form field on a non-TLS page as “NOT SECURE”. Chrome 62 will be released as stable some time around October 24th. If you want to avoid the customer support overhead then, regardless of whether any of the information on a form is sensitive, you should probably make sure that all your forms are accessible via...
In April of last year I created a new twitter account. I can’t remember exactly why, but it was a throwaway created to look at some aspect of how twitter interacts with new accounts. As part of the account creation process I gave Twitter an email address. They sent me a confirmation message right away: I didn’t click the button. Four months later they sent me another confirmation...
An email address has two main parts. The local-part is the bit before the @-sign and the domain is the bit after it. Loosely, the domain part tells SMTP how to get an email to the destination mailserver while the local part tells that server whose mailbox to put it in. I’m just looking at the local part today, the “steve” in “steve@example.com”. Talkin’...
Transport Layer Security (TLS) is what gives you the little padlock in your browser bar. Some people still call it SSL, but TLS has been around for 18 years – it’s time to move on. TLS provides two things. One is encryption of traffic as it goes across the wire, the other is a cryptographic proof that you’re talking to the domain you think you’re talking to. The second...
The FTC (US Federal Trade Commission) is soliciting comments on CAN-SPAM legislation: A. General Issues 1. Is there a continuing need for the Rule? Why or why not? 2. What benefits has the Rule provided to consumers? What evidence supports the asserted benefits? 3. What modifications, if any, should be made to the Rule to increase its benefits to consumers? (a) What evidence supports the proposed...
Not a new thing, but a nice example just popped up in my inbox on my phone. But FedEx solved their entire phishing problem when they published a strict p=reject DMARC record, right? This didn’t come from fedex.com. It came from another domain that looks vaguely like fedex.com – what that domain is doesn’t matter, as the domain it’s sent from isn’t displayed to...
RSS - Posts