Sereri
Sep 30, 2008

awwwrigami

It's a German company, be glad it's not done via fax


fritz
Jul 26, 2003

Subjunctive posted:

I hope so, because the "download your stuff" service seems to be broken

it took a couple days for them to process mine but it came thru yesterday

or at least somebody's did, i haven't looked at it yet

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice
mine eventually worked but it took like 5 days

Kuvo
Oct 27, 2008

Blame it on the misfortune of your bark!
Fun Shoe
I got my Twitter archive the other day too. 4gb of my finest poo poo posts :dance:

maxwellhill
Jan 5, 2022
Anyone else's DMs all scrambled up in there?

B33rChiller
Aug 18, 2011

Shifty Pony posted:

after seeing the "think you're a hardcore enough coder to save Twitter? click here or be fired." email I've come to the conclusion that the only thing preventing the company from getting absolutely wrecked is that nobody knows who is still working there to send the spear phishing email to.

My guess is that they're compromised 9 ways to Sunday, but everyone is still busy exfiltrating data / hasn't been noticed by the non-existent staff.

Cold on a Cob
Feb 6, 2006

i've seen so much, i'm going blind
and i'm brain dead virtually

College Slice

maxwellhill posted:

Anyone else's DMs all scrambled up in there?

in a way - DMs to people that no longer have accounts are now one-sided or messed up. DMs to people that are still around are fine.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

B33rChiller posted:

My guess is that they're compromised 9 ways to Sunday, but everyone is still busy exfiltrating data / hasn't been noticed by the non-existent staff.

There were already a couple of known state spies working at twitter, and I have no doubt the chaos right now has only allowed more to slip in even as people flee the boat.

They are not even sure of whose accounts actually need to be disabled and whose don't. And most of their senior security staff resigned.

SIGSEGV
Nov 4, 2010


CommieGIR posted:

There were already a couple of known state spies working at twitter, and I have no doubt the chaos right now has only allowed more to slip in even as people flee the boat.

They are not even sure of whose accounts actually need to be disabled and whose don't. And most of their senior security staff resigned.

Considering that the few who actually got caught were for the KSA and that the KSA, or rather MBS personally, is, I think, the largest individual investor in the Twitter deal, I think dissident tracking is going to get a little easier for the KSA.

Hed
Mar 31, 2004

Fun Shoe
Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

We use MS-provided O365 as email and supposedly Exchange Online Protection is supposed to handle this... our first MX record is companyname-com.mail.protection.outlook.com. It seems kind of hosed up; for example, if I query for a DMARC record nothing comes up.

Our finance & accounting team gets emails that are properly marked as "EXTERNAL" in the subject line but then go right ahead and let the "From:" be bob@companyname.com with a reply-to of bob@pwned.pics

Feel free to tell me to gently caress off to the grey forums for this, I just want to understand and find if there's a checker or what I need to yell at my MSP to do.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Hed posted:

Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

We use MS-provided O365 as email and supposedly Exchange Online Protection is supposed to handle this... our first MX record is companyname-com.mail.protection.outlook.com. It seems kind of hosed up; for example, if I query for a DMARC record nothing comes up.

Our finance & accounting team gets emails that are properly marked as "EXTERNAL" in the subject line but then go right ahead and let the "From:" be bob@companyname.com with a reply-to of bob@pwned.pics

Feel free to tell me to gently caress off to the grey forums for this, I just want to understand and find if there's a checker or what I need to yell at my MSP to do.

Without guessing at anything else, what do the headers say?

SlowBloke
Aug 14, 2017

Hed posted:

Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

We use MS-provided O365 as email and supposedly Exchange Online Protection is supposed to handle this... our first MX record is companyname-com.mail.protection.outlook.com. It seems kind of hosed up; for example, if I query for a DMARC record nothing comes up.

Our finance & accounting team gets emails that are properly marked as "EXTERNAL" in the subject line but then go right ahead and let the "From:" be bob@companyname.com with a reply-to of bob@pwned.pics

Feel free to tell me to gently caress off to the grey forums for this, I just want to understand and find if there's a checker or what I need to yell at my MSP to do.

You need to set up antiphish in 365 security portal to quarantine/drop impersonation attempts.

Hed
Mar 31, 2004

Fun Shoe

Volmarias posted:

Without guessing at anything else, what do the headers say?

Thanks, I didn't want to pastebomb so I put the email headers here: https://dpaste.com/6U7T8686C.

outhole surfer
Mar 18, 2003

is that your actual domain in the headers? it doesn't look like you have any spf or dmarc records if so...

regardless of whether it's the actual domain... you need to set up spf and dmarc

Authentication-Results: spf=none (sender IP is 216.69.139.52)
smtp.mailfrom=gwendolynw.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none
header.from=companyname.com;compauth=none reason=905
Received-SPF: None (protection.outlook.com: gwendolynw.com does not designate
permitted sender hosts)

outhole surfer fucked around with this message at 19:37 on Nov 21, 2022

Hed
Mar 31, 2004

Fun Shoe

nudgenudgetilt posted:

is that your actual domain in the headers? it doesn't look like you have any spf or dmarc records if so...

regardless of whether it's the actual domain... you need to set up spf and dmarc

Authentication-Results: spf=none (sender IP is 216.69.139.52)
smtp.mailfrom=gwendolynw.com; dkim=none (message not signed)
header.d=none;dmarc=none action=none
header.from=companyname.com;compauth=none reason=905
Received-SPF: None (protection.outlook.com: gwendolynw.com does not designate
permitted sender hosts)

Sorry, the "companyname.com" is our domain, and gwendolynw.com is whatever the attacker is using. I thought it looked like we just weren't DOING anything with a failed spf. SPF is set up, DMARC isn't, which is weird because according to M365 they do it. That might be just on the companyname.onmicrosoft.com though.

SlowBloke posted:

You need to set up antiphish in 365 security portal to quarantine/drop impersonation attempts.

thanks I'll tell our MSP to do this. I don't have access to that.

outhole surfer
Mar 18, 2003

Hed posted:

Sorry, the "companyname.com" is our domain, and gwendolynw.com is whatever the attacker is using. I thought it looked like we just weren't DOING anything with a failed spf. SPF is set up, DMARC isn't, which is weird because according to M365 they do it. That might be just on the companyname.onmicrosoft.com though.

huh, I'd have sworn o365 said spf=failed rather than spf=none when spf failed. does your spf end with '?all' or something?

unless your dns is hosted at o365, dmarc isn't something they can set up for you. I guess they could let you cname to _dmarc.companyname.onmicrosoft.com but that wouldn't make much sense unless they also exposed the knobs for tweaking that dmarc record -- a dmarc record is just defining a policy for your domain regarding whether spf and/or dkim is required, and providing reporting endpoints, so big vendors can notify you that your messages were caught in spam

Hed
Mar 31, 2004

Fun Shoe

nudgenudgetilt posted:

huh, I'd have sworn o365 said spf=failed rather than spf=none when spf failed. does your spf end with '?all' or something?

unless your dns is hosted at o365, dmarc isn't something they can set up for you. I guess they could let you cname to _dmarc.companyname.onmicrosoft.com but that wouldn't make much sense unless they also exposed the knobs for tweaking that dmarc record -- a dmarc record is just defining a policy for your domain regarding whether spf and/or dkim is required, and providing reporting endpoints, so big vendors can notify you that your messages were caught in spam


As I understand it our SPF record ends in -all
code:
❯ dig companyname.com txt

; <<>> DiG 9.16.33-Debian <<>> companyname.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22119
;; flags: qr rd ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;companyname.com.            IN      TXT

;; ANSWER SECTION:
companyname.com.     0       IN      TXT     "MS=ms22642062"
companyname.com.     0       IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"

;; Query time: 89 msec
;; SERVER: 172.30.144.1#53(172.30.144.1)
;; WHEN: Mon Nov 21 12:50:56 CST 2022
;; MSG SIZE  rcvd: 209

Isn't line 15 of that pastebin, where it says spf=none, checking that the attacker's Mail From: domain (gwendolynw.com) doesn't have SPF? I believe that

Shaggar
Apr 26, 2006
so SMTP is really loving stupid and there are a load of hacks piled upon it. There are generally 2 from addresses on an email.

The first is the smtp Mail From. This is issued as part of the smtp session creation at the protocol level and represents the sending domain of the originating server. This is also referred to sometimes as the envelope from.
The second is the From header. This is an optional client specific header that is present in the message itself.

If you use the envelope metaphor, think of smtp from as the return address on an envelope and then the From header as the from line at the bottom of the letter. Just like with physical mail, they can be the same, but there is nothing that mandates they be the same.

The from header was added for marketing reasons to allow marketingcompany.com to provide services to clientcompany.com from marketingcompany.com's servers while appearing to come from clientcompany.com

SPF works on the smtp mail from, which is not enough to prevent From header spoofing. Your SPF record is probably correct, but it is not enough to prevent spoofing of your domain.

You need to set up DKIM to sign all of the mail sent on behalf of your domain and then set up a DMARC rule to require all mail sent from your domain to have both valid SPF and DKIM. This will take care of From header checks.

The downside to this is if you are using 3rd party marketing mail services who send legitimate mail on your behalf, you will have to put their DKIM keys into your DNS before you turn on DMARC enforcement otherwise you will dumpster the mail they send. This is not hard at all and is probably like a day of work coordinating everything and getting DNS set up.

If you're using an MSP, though, it's probably gonna be a pain in the rear end

Shaggar fucked around with this message at 01:50 on Nov 22, 2022

Shaggar
Apr 26, 2006
In DNS you should have:

1 SPF record: A list of your company's mail servers
1 or more DKIM selector records: A list of public keys used to sign mail from your domain regardless of sending server
1 DMARC record: A rule that defines how recipient servers should use SPF and DKIM records to verify mail from your domain


If you're not an idiot, you're using office 365 which will provide the SPF record and DKIM records you need to create in your DNS. These will point to CNAMEs @ outlook.com so your records always match the current office 365 ip addresses and DKIM keys for your office 365 instance.

You then need to find any 3rd party mail services you use, and get their DKIM records. It should be very easy to find in their system and will be another CNAME just like with office 365.

After you gather them all, you set up a DMARC record in audit mode with a failure address. Under this mode DMARC validation will be done by recipient servers, but failures will be ignored and delivery allowed. Reports of those failures will then be sent to the address you specify so you can see if there are any legitimate services you missed.

Once you're satisfied you got everything legitimate into DKIM, you flip the switch in DMARC to enforce the rule and anything that fails SPF or DKIM validation will be dumped.
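An added example (not code from the thread or from any vendor) that works through the two posts above: it takes the Authentication-Results header nudgenudgetilt quoted earlier, parses a DMARC record, and applies the alignment rule Shaggar describes, so you can see why SPF on the envelope domain alone never stops a spoofed From: header. The DMARC record text, the marketing-vendor case and the two-label "organisational domain" shortcut are this example's own assumptions.

```python
import re

# Constructed inputs: the Authentication-Results header quoted earlier in the
# thread (folded onto one line) and a DMARC record this example makes up.
SPOOFED_AUTH_RESULTS = (
    "spf=none (sender IP is 216.69.139.52) smtp.mailfrom=gwendolynw.com; "
    "dkim=none (message not signed) header.d=none;dmarc=none action=none "
    "header.from=companyname.com;compauth=none reason=905"
)
EXAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@companyname.com"

def parse_auth_results(header):
    """Pull the fields DMARC evaluation needs out of an Authentication-Results header."""
    fields = {}
    for key in ("spf", "dkim", "smtp.mailfrom", "header.d", "header.from"):
        m = re.search(r"(?<![\w.])" + re.escape(key) + r"=([^\s;()]+)", header)
        fields[key] = m.group(1).lower() if m else None
    return fields

def parse_dmarc(txt):
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organisational domain
    # (a real evaluator consults the Public Suffix List).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(header, dmarc_txt):
    """Return the DMARC result and the action the receiver should take."""
    ar = parse_auth_results(header)
    policy = parse_dmarc(dmarc_txt)
    from_domain = ar["header.from"]
    # SPF only helps DMARC when it passed *and* the envelope domain aligns with From.
    spf_aligned = bool(ar["spf"] == "pass" and ar["smtp.mailfrom"]
                       and aligned(ar["smtp.mailfrom"], from_domain, policy["aspf"]))
    # DKIM only helps when a signature verified *and* its d= domain aligns with From.
    dkim_aligned = bool(ar["dkim"] == "pass" and ar["header.d"] not in (None, "none")
                        and aligned(ar["header.d"], from_domain, policy["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if passed else "fail",
            "action": "deliver" if passed else policy["p"]}

if __name__ == "__main__":
    print(dmarc_verdict(SPOOFED_AUTH_RESULTS, EXAMPLE_DMARC))
```

With p=none (the audit mode described above) the same message still reports "fail" but the action is "none", which is what shows up in the aggregate reports before you flip to enforcement.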

Shaggar
Apr 26, 2006
at least that's how i remember setting it up forever ago, but i think it's probably right

evil_bunnY
Apr 2, 2003

post hole digger posted:

every time i think i understand dmarc, i guess i dont :psyduck:
Don't think I've been a day without a guy in our email team with dmarc/dkim docs open so don't feel too bad.

outhole surfer
Mar 18, 2003

if you think dmarc is rough to grok, check out spf macros

Shaggar
Apr 26, 2006
imo your spf records should never get long enough that you need macros.

outhole surfer
Mar 18, 2003

Shaggar posted:

imo your spf records should never get long enough that you need macros.

eh, it's really really easy to need them if you're dealing with multiple vendors. my last gig at a university had to deal with both gmail and o365 on the same domain, so that consumed 4 lookups thanks to google, plus o365 which is thankfully only 1 request, plus service now at 2 requests, plus zendesk at 1 request, plus the initial request putting us at a total of 9 of the 10 allowed dns lookups in an spf.

there's also the problem that the group using zendesk can now send mail as any address at the university.

spf macros would allow for scoping spf includes to a set of local parts while also reducing the number of lookups. i.e. one include for each service now local part, one include for each zendesk local part, and includes of both google/o365 in the wildcard
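An added example (not from the thread) that does the lookup arithmetic from the post above: it walks a constructed set of SPF records shaped like the university's (one vendor costing four lookups, one costing one, one costing two, one costing one) and charges each include/a/mx/ptr/exists/redirect term one lookup, as RFC 7208 section 4.6.4 does, with the initial TXT fetch free and anything over 10 a permerror. The .example hostnames and record contents are invented; the real vendors' records differ.

```python
import re

# Constructed TXT records standing in for the setup described in the post
# (hypothetical .example hostnames; the real vendors' records differ).
FAKE_DNS = {
    "university.example": ("v=spf1 include:_spf.google.example "
                           "include:spf.o365.example include:_spf.servicenow.example "
                           "include:mail.zendesk.example -all"),
    "_spf.google.example": ("v=spf1 include:_netblocks.google.example "
                            "include:_netblocks2.google.example "
                            "include:_netblocks3.google.example ~all"),
    "_netblocks.google.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.o365.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.servicenow.example": "v=spf1 include:_net.servicenow.example -all",
    "_net.servicenow.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "mail.zendesk.example": "v=spf1 ip4:198.51.100.128/25 -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

def count_lookups(domain, dns, path=()):
    """Count the DNS-querying terms reachable from domain's SPF record.
    The initial TXT fetch is free; include/a/mx/ptr/exists and redirect= each
    cost one, and nested includes are followed recursively. `path` guards
    against include loops without hiding a domain legitimately included twice."""
    record = dns.get(domain)
    if record is None or domain in path:
        return 0  # no record (or a loop): nothing further to charge
    path = path + (domain,)
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], dns, path)
            continue
        name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(term.split(":", 1)[1], dns, path)
    return total

def spf_lookup_budget(domain, dns=FAKE_DNS):
    """Report lookups used against the limit, as a receiving server would."""
    used = count_lookups(domain, dns)
    return {"lookups": used, "remaining": MAX_LOOKUPS - used,
            "result": "permerror" if used > MAX_LOOKUPS else "ok"}

if __name__ == "__main__":
    print(spf_lookup_budget("university.example"))
```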

Shaggar
Apr 26, 2006
just set up the vendors with DKIM. the only thing sending via SPF should be office 365

outhole surfer
Mar 18, 2003

that's not how reality works.

a lot of vendors will refuse to send mail as your domain if you don't include their spf record.

Shaggar
Apr 26, 2006
drop them as a vendor

outhole surfer
Mar 18, 2003

lol. yeah, i'll get right on telling the office of the president that their vendor is unacceptable because it makes me feel icky to set up dns to correctly support the vendor.

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

nudgenudgetilt posted:

lol. yeah, i'll get right on telling the office of the president that their vendor is unacceptable because it makes me feel icky to set up dns to correctly support the vendor.

you should tell them you need to switch to office 365 because honestly unless your needs are incredibly esoteric, as in you are running an intelligence agency, there's really no reason to not do it

outhole surfer
Mar 18, 2003

champagne posting posted:

you should tell them you need to switch to office 365 because honestly unless your needs are incredibly esoteric, as in you are running an intelligence agency, there's really no reason to not do it

you might read above that o365 is one of the two mail vendors the university supports... as the guy who did nothing more than manage the university system dns in an it department of 500+ people at a large university, it wasn't really my place to tell the e-mail team to migrate several thousand users from one platform to another, nor did i want to pick fights with random department heads and administrators who insisted on being able to use their help desk vendor of choice on an @university.edu address.

that sort of fight at best would lead to being roped into several hours of meetings where i'm expected to explain my objection, and if there isn't a strong technical reason the implementation isn't possible or isn't reasonably secure, the result of this will be a memorandum of understanding where my objection is noted, but i'm told to move forward with the implementation anyway.

champagne posting
Apr 5, 2006

YOU ARE A BRAIN
IN A BUNKER

welp i scrolled over most of it

sounds like it sucks, but then again it's a university so working at it not being terrible would be the odd one out

outhole surfer
Mar 18, 2003

yeah, i mean, i quit that in favor of doing stupid startup poo poo. who knows which is really less obnoxious at the end of the day.

the point though was that while spf macros are loving gnarly, they're better than having to subscribe to or operate an spf flattening service, or deal with the political fallout of trying to keep the spf record small and macrofree

endlessmonotony
Nov 4, 2009

by Fritz the Horse

nudgenudgetilt posted:

you might read above that o365 is one of the two mail vendors the university supports... as the guy who did nothing more than manage the university system dns in an it department of 500+ people at a large university, it wasn't really my place to tell the e-mail team to migrate several thousand users from one platform to another, nor did i want to pick fights with random department heads and administrators who insisted on being able to use their help desk vendor of choice on an @university.edu address.

that sort of fight at best would lead to being roped into several hours of meetings where i'm expected to explain my objection, and if there isn't a strong technical reason the implementation isn't possible or isn't reasonably secure, the result of this will be a memorandum of understanding where my objection is noted, but i'm told to move forward with the implementation anyway.

"I could do this better, but that would be a lot of extra work for no extra compensation."

You're doing it right, it's a job.

Hed
Mar 31, 2004

Fun Shoe
Thanks guys for the help and effortposts, I have a much better mental model of how this poo poo should be set up. Hopefully my Finance & accounting team doesn't succumb to "To my good friend Bob, " emails until DMARC gets enforced. Working through it.

sb hermit
Dec 13, 2016

yeah, if you don't have dmarc then setting spf and dkim doesn't really do anything

we had a lot of people try to spoof our email systems when we had dmarc set to quarantine but they stopped when we finally moved to reject.

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
we have a lot of clients on 365 and using spf with "-all" seems to work fine for spoofing. they generally only have one or two mailing solutions outside office itself, so we haven't run into issues with record length yet.

the bigger problem we have is people responding to random gmail addresses that someone slapped a partner's name on and then freaking out about phishing.

the email address is right there, and you know bob is not actually emailing you from sally3765@gmail.com, so what do you want exactly?

e: i guess the partial solution is automatic tagging of external messages with even more obtrusive klaxons and flashing lights

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T

Soiled Meat
our compliance reqs have us slap [EXTERNAL] on every subject that comes from outside

kind of nice to filter it all out

infernal machines
Oct 11, 2012

we have sealed ourselves away behind our money, growing inward, generating a seamless universe of self.
yeah, it's either that or inserting it into the top of the message body, which at least doesn't mess with threading

Midjack
Dec 24, 2007

looks like also-ran messaging app wickr is ending its free app and focusing on paying customers:
https://wickr.com/our-focus-on-end-to-end-encrypted-enterprise-communications/


lousy hat
Jul 17, 2004

bone appetit
Clapping Larry

infernal machines posted:

yeah, it's either that or inserting it into the top of the message body, which at least doesn't mess with threading

my last job was not a very big company but had lots of phishing/gift card scam email attempts from things like “$FounderName <bigscam42069@gmail.com>” so I stole a SwiftOnSecurity tip to set up a list of VIP names and emails. then if something like the above came in there’d be a big annoying banner at the top like, “HEY THIS IS SOMEONE IMPERSONATING AN EXECUTIVE”

and also it got dropped into the recipient’s junk folder
