Some notes on some of the different protocols used for authentication and authentication-adjacent things in email. Some of this is oral history, and some of it may be contradicted by later or more public historical revision. SPF Associates an email with a domain that takes responsibility for it. Originally Sender Permitted From, now Sender Policy Framework. It allows a domain owner to announce...
For a long time one of the “best practices” for links in html content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes to. They’re a very common pattern in phishing emails. /* This is bad: */ <a href="">>...
It’s not too difficult to build your own link redirector, perhaps a few hours work for a basic implementationme, yesterday Yesterday I suggested that link tracking wasn’t too complex, but didn’t really have anything to back the claim up. And nobody trusts developer time estimates. So I cranked DEF CON Radio and wrote a dedicated click-tracking webserver, mostly as a demo of how to use...
Almost every bulk mail sent includes some sort of instrumentation to track which users click on which links and when. That’s usually done by the ESP rewriting links in the content so they point at the ESP’s tracking server, and include information about the customer, campaign and recipient. The recipient clicks on the link in the email, their web browser fetches the link from the...
I have a new laptop.
New OS (maybe this year will be the year of Linux on the Desktop?). New hardware problems. New applications. New keyboard layout.
New mail client.
It reminded me of another reason why you want to keep the email address in your From: consistent – it’s something some users will use to automatically load images, which is something you probably want.
The US CAN-SPAM act is the primary US legislation covering commercial email. It’s been around since 2003, but I still see a steady stream of questions about it, and the folkloric answers to some of them are all over the place. What does CAN-SPAM require? The important requirements are Don’t use false or misleading header information Don’t use deceptive subject lines Make it...
Over on twitter Alwin de Bruin corrected me on an aspect of DMARC soft rollout I’d entirely forgotten about. It’s useful, so I thought I’d write a quick post about it. If you have a large mail stream and you want to avoid the Scary Red Flag Day when you turn on DMARC p=reject enforcement and wait for people to complain you can use the DMARC policy “pct=” tag to roll...
You take a turn, I take a turn At the SMTP level email is very much a simple line-by-line text based protocol. The client sends a command on a single line, the server responds with one or more lines (the last one marked by having a space in the fourth column), and then the client sends another command. The main exception to that is when the client sends the payload of the email. Once the server...
Captchas – those twisty distorted words you have to decipher and type in to access a website – have been around since the 1990s. Their original purpose was to tell the difference between a human user and an automated system, by requiring the user to answer a challenge – one that was supposedly hard for computers to solve, but easy for humans. A few years later they acquired the...
A few days ago Laura noticed a bug in one of our in-house tools – it was sometimes marking an email as SPF Neutral when it should have been a valid SPF pass. I got around to debugging it today and traced it back to a bug in the Go standard library. A DNS TXT record seems pretty simple. You lookup a hostname, you get some strings back. Those strings can be used for all sorts of things, but...
RSS - Posts