It's a German company, be glad it's not done via fax
# ? Jun 2, 2023 08:42
> Subjunctive posted: I hope so, because the "download your stuff" service seems to be broken

it took a couple days for them to process mine but it came thru yesterday or at least somebody's did, i haven't looked at it yet
mine eventually worked but it took like 5 days
I got my Twitter archive the other day too. 4gb of my finest poo poo posts
Anyone else's DMs all scrambled up in there?
> Shifty Pony posted: after seeing the "think you're a hardcore enough coder to save Twitter? click here or be fired." email I've come to the conclusion that the only thing preventing the company from getting absolutely wrecked is that nobody knows who is still working there to send the spear phishing email to.

My guess is that they're compromised 9 ways to Sunday, but everyone is still busy exfiltrating data / hasn't been noticed by the non-existent staff.
> maxwellhill posted: Anyone else's DMs all scrambled up in there?

in a way - DMs to people that no longer have accounts are now one-sided or messed up. DMs to people that are still around are fine.
> B33rChiller posted: My guess is that they're compromised 9 ways to Sunday, but everyone is still busy exfiltrating data / hasn't been noticed by the non-existent staff.

There were already a couple of known state spies working at twitter, and I have no doubt the chaos right now has only allowed more to slip in even as people flee the boat. They are not even sure whose accounts actually need to be disabled and whose don't. And most of their senior security staff resigned.
> CommieGIR posted: There were already a couple of known state spies working at twitter, and I have no doubt the chaos right now has only allowed more to slip in even as people flee the boat.

Considering that the few who actually got caught were for the KSA and that the KSA, or rather MBS personally, is, I think, the largest individual investor in the Twitter deal, I think dissident tracking is going to get a little easier for the KSA.
Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees? We use MS-provided O365 as email and supposedly Exchange Online Protection is supposed to handle this... our first MX record is companyname-com.mail.protection.outlook.com. It seems kind of hosed up; for example, if I query for a DMARC record nothing comes up.

Our finance & accounting team gets emails that are properly marked as "EXTERNAL" in the subject line but then go right ahead and let the "From:" be bob@companyname.com with a reply-to of bob@pwned.pics.

Feel free to tell me to gently caress off to the grey forums for this, I just want to understand and find if there's a checker or what I need to yell at my MSP to do.
> Hed posted: Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

Without guessing at anything else, what do the headers say?
> Hed posted: Email is way away from what I do now but how do email spoofers get through to our finance & accounting team masquerading as our employees?

You need to set up antiphish in 365 security portal to quarantine/drop impersonation attempts.
> Volmarias posted: Without guessing at anything else, what do the headers say?

Thanks, I didn't want to pastebomb so I put the email headers here: https://dpaste.com/6U7T8686C.
is that your actual domain in the headers? it doesn't look like you have any spf or dmarc records if so... regardless of whether it's the actual domain... you need to set up spf and dmarc

```
Authentication-Results: spf=none (sender IP is 216.69.139.52) smtp.mailfrom=gwendolynw.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=companyname.com;compauth=none reason=905
Received-SPF: None (protection.outlook.com: gwendolynw.com does not designate permitted sender hosts)
```

nudgenudgetilt fucked around with this message at 19:37 on Nov 21, 2022
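
An added example (not from the thread) that parses the Authentication-Results value pasted above and applies DMARC's alignment rule to it, which shows why spf=none on gwendolynw.com says nothing about a From: of companyname.com: SPF authenticated the envelope sender, not the domain the user sees. The header text is the sample from this post; the organizational-domain helper is a simplification that skips the Public Suffix List.

```python
import re

# Constructed sample: the Authentication-Results value quoted in the thread,
# as Exchange Online Protection stamped it on the spoofed message.
AUTH_RESULTS = (
    "spf=none (sender IP is 216.69.139.52) smtp.mailfrom=gwendolynw.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=companyname.com;"
    "compauth=none reason=905"
)


def parse_auth_results(value):
    """Split an Authentication-Results value into {method: {result, props}}."""
    results = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop (comments)
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": result, **props}
    return results


def org_domain(name):
    """Simplified organizational domain: last two labels (no PSL lookup)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dmarc_evaluate(results):
    """RFC 7489 alignment: SPF or DKIM only counts toward DMARC if it passed
    AND the domain it authenticated aligns with the visible From: domain."""
    from_domain = results.get("dmarc", {}).get("header.from", "")
    spf = results.get("spf", {})
    dkim = results.get("dkim", {})
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))
    return {
        "header_from": from_domain,
        "envelope_from": spf.get("smtp.mailfrom"),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }
```

Without a DMARC record at companyname.com the receiver computes none of this, which is why the mismatch between envelope and header domain was delivered rather than quarantined.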
> nudgenudgetilt posted: is that your actual domain in the headers? it doesn't look like you have any spf or dmarc records if so...

Sorry, the "companyname.com" is our domain, and gwendolynw.com is whatever the attacker is using. I thought it looked like we just weren't DOING anything with a failed spf. SPF is set up, DMARC isn't, which is weird because according to M365 they do it. That might be just on the companyname.onmicrosoft.com though.

> SlowBloke posted: You need to set up antiphish in 365 security portal to quarantine/drop impersonation attempts.

thanks I'll tell our MSP to do this. I don't have access to that.
> Hed posted: Sorry, the "companyname.com" is our domain, and gwendolynw.com is whatever the attacker is using. I thought it looked like we just weren't DOING anything with a failed spf. SPF is set up, DMARC isn't, which is weird because according to M365 they do it. That might be just on the companyname.onmicrosoft.com though.

huh, I'd have sworn o365 said spf=failed rather than spf=none when spf failed. does your spf end with '?all' or something?

unless your dns is hosted at o365, dmarc isn't something they can set up for you. I guess they could let you cname to _dmarc.companyname.onmicrosoft.com but that wouldn't make much sense unless they also exposed the knobs for tweaking that dmarc record -- a dmarc record is just defining a policy for your domain regarding whether spf and/or dkim is required, and providing reporting endpoints, so big vendors can notify you that your messages were caught in spam
> nudgenudgetilt posted: huh, I'd have sworn o365 said spf=failed rather than spf=none when spf failed. does your spf end with '?all' or something?

As I understand it our SPF record ends in -all
so SMTP is really loving stupid and there are a load of hacks piled upon it.

There are generally 2 from addresses on an email. The first is the smtp Mail From. This is issued as part of the smtp session creation at the protocol level and represents the sending domain of the originating server. This is also referred to sometimes as the envelope from. The second is the From header. This is an optional client specific header that is present in the message itself.

If you use the envelope metaphor, think of smtp from as the return address on an envelope and then the From header as the from line at the bottom of the letter. Just like with physical mail, they can be the same, but there is nothing that mandates they be the same. The from header was added for marketing reasons to allow marketingcompany.com to provide services to clientcompany.com from marketingcompany.com's servers while appearing to come from clientcompany.com.

SPF works on the smtp mail from, which is not enough to prevent From header spoofing. Your SPF record is probably correct, but it is not enough to prevent spoofing of your domain. You need to set up DKIM to sign all of the mail sent on behalf of your domain and then set up a DMARC rule to require all mail sent from your domain to have both valid SPF and DKIM. This will take care of From header checks.

The downside to this is if you are using 3rd party marketing mail services who send legitimate mail on your behalf, you will have to put their DKIM keys into your DNS before you turn on DMARC enforcement otherwise you will dumpster the mail they send. This is not hard at all and is probably like a day of work coordinating everything and getting DNS set up. If you're using an MSP, though, it's probably gonna be a pain in the rear end

Shaggar fucked around with this message at 01:50 on Nov 22, 2022
In DNS you should have:

- 1 SPF record: A list of your company's mail servers
- 1 or more DKIM selector records: A list of public keys used to sign mail from your domain regardless of sending server
- 1 DMARC record: A rule that defines how recipient servers should use SPF and DKIM records to verify mail from your domain

If you're not an idiot, you're using office 365 which will provide the SPF record and DKIM records you need to create in your DNS. These will point to CNAMEs @ outlook.com so your records always match the current office 365 ip addresses and DKIM keys for your office 365 instance.

You then need to find any 3rd party mail services you use, and get their DKIM records. It should be very easy to find in their system and will be another CNAME just like with office 365.

After you gather them all, you set up a DMARC record in audit mode with a failure address. Under this mode DMARC validation will be done by recipient servers, but failures will be ignored and delivery allowed. Reports of those failures will then be sent to the address you specify so you can see if there are any legitimate services you missed.

Once you're satisfied you got everything legitimate into DKIM, you flip the switch in DMARC to enforce the rule and anything that fails SPF or DKIM validation will be dumped.
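
An added example, not the poster's own tooling, that reads the SPF, DKIM selector and DMARC records out of a constructed zone and reports which stage of the rollout above a domain is in (no DMARC record, p=none audit mode with a reporting address, or enforcement), along with the terminal `all` qualifier nudgenudgetilt asked about a few posts up. All hostnames, selectors and CNAME targets in ZONE are illustrative placeholders.

```python
# Constructed DNS zone for a domain hosted on Office 365 plus one third-party
# sender. Hostnames, selectors and CNAME targets are illustrative placeholders.
ZONE = {
    "example.com": {"TXT": ["v=spf1 include:spf.protection.outlook.com -all"]},
    "selector1._domainkey.example.com": {"CNAME": "selector1-example-com._domainkey.example.onmicrosoft.com"},
    "selector2._domainkey.example.com": {"CNAME": "selector2-example-com._domainkey.example.onmicrosoft.com"},
    "mailer._domainkey.example.com": {"CNAME": "dkim.thirdparty-mailer.example"},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]},
}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all': '-' fail, '~' softfail, '?' neutral
    (the '?all' case asked about above), '+' pass; None if there is no 'all'."""
    for term in spf.split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def dkim_selectors(zone, domain):
    """Selector labels published under <selector>._domainkey.<domain>."""
    suffix = f"._domainkey.{domain}"
    return sorted(name[: -len(suffix)] for name in zone if name.endswith(suffix))


def assess(zone, domain):
    """Summarise SPF/DKIM/DMARC posture and which rollout stage DMARC is in."""
    txt = zone.get(domain, {}).get("TXT", [])
    spf = next((r for r in txt if r.startswith("v=spf1")), None)
    dmarc_txt = zone.get(f"_dmarc.{domain}", {}).get("TXT", [])
    dmarc = parse_tags(dmarc_txt[0]) if dmarc_txt else {}
    policy = dmarc.get("p")
    if policy is None:
        stage = "missing"       # receivers ignore SPF/DKIM alignment entirely
    elif policy == "none":
        stage = "audit" if "rua" in dmarc else "audit-no-reports"
    else:
        stage = "enforce"       # quarantine or reject
    return {
        "spf_all": spf_all_qualifier(spf) if spf else None,
        "dkim_selectors": dkim_selectors(zone, domain),
        "dmarc_policy": policy,
        "dmarc_stage": stage,
    }
```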
at least that's how i remember setting it up forever ago, but i think it's probably right
> post hole digger posted: every time i think i understand dmarc, i guess i dont
if you think dmarc is rough to grok, check out spf macros
imo your spf records should never get long enough that you need macros.
> Shaggar posted: imo your spf records should never get long enough that you need macros.

eh, it's really really easy to need them if you're dealing with multiple vendors. my last gig at a university had to deal with both gmail and o365 on the same domain, so that consumed 4 lookups thanks to google, plus o365 which is thankfully only 1 request, plus service now at 2 requests, plus zendesk at 1 request, plus the initial request putting us at a total of 9 of the 10 allowed dns lookups in an spf.

there's also the problem that the group using zendesk can now send mail as any address at the university. spf macros would allow for scoping spf includes to a set of local parts while also reducing the number of lookups. i.e. one include for each service now local part, one include for each zendesk local part, and includes of both google/o365 in the wildcard
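
An added example, using constructed records rather than any vendor's real ones, that shows how nested include: chains eat the RFC 7208 budget of 10 DNS-querying terms: the recursive count below reaches 9 for a domain with four vendor includes, one of which nests three more, mirroring the situation described above. Names ending in .example are placeholders.

```python
# Constructed SPF TXT records standing in for the vendors discussed above;
# the include chains and their depth are illustrative, not any vendor's real data.
TXT = {
    "university.example": ("v=spf1 include:spf.protection.outlook.example "
                           "include:_spf.mailprovider.example include:helpdesk.example "
                           "include:tickets.example -all"),
    "spf.protection.outlook.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailprovider.example": ("v=spf1 include:_netblocks.mailprovider.example "
                                  "include:_netblocks2.mailprovider.example "
                                  "include:_netblocks3.mailprovider.example ~all"),
    "_netblocks.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailprovider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.mailprovider.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "helpdesk.example": "v=spf1 include:relay.helpdesk.example ~all",
    "relay.helpdesk.example": "v=spf1 mx ip4:192.0.2.0/24 ~all",
    "tickets.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_spf_lookups(domain, txt=TXT, _path=()):
    """Count query-causing terms reachable from domain's record, following
    include: and redirect= recursively; raises on an include loop."""
    if domain in _path:
        raise ValueError(f"include loop: {' -> '.join(_path + (domain,))}")
    record = txt.get(domain)
    if record is None:
        return 0                      # no record: the query was spent, nothing follows
    total = 0
    for term in record.split()[1:]:
        # strip the qualifier; treat 'redirect=x' like 'include:x' for parsing
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name not in LOOKUP_TERMS:
            continue                  # ip4 / ip6 / all cost nothing
        total += 1
        if name in ("include", "redirect"):
            total += count_spf_lookups(target, txt, _path + (domain,))
    return total


def spf_within_limit(domain, txt=TXT):
    """True when the record's whole include tree stays within the 10-lookup limit."""
    return count_spf_lookups(domain, txt) <= 10
```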
just set up the vendors with DKIM. the only thing sending via SPF should be office 365
that's not how reality works. a lot of vendors will refuse to send mail as your domain if you don't include their spf record.
drop them as a vendor
lol. yeah, i'll get right on telling the office of the president that their vendor is unacceptable because it makes me feel icky to set up dns to correctly support the vendor.
> nudgenudgetilt posted: lol. yeah, i'll get right on telling the office of the president that their vendor is unacceptable because it makes me feel icky to set up dns to correctly support the vendor.

you should tell them you need to switch to office 365 because honestly unless your needs are incredibly esoteric, as in you are running an intelligence agency, there's really no reason to not do it
> champagne posting posted: you should tell them you need to switch to office 365 because honestly unless your needs are incredibly esoteric, as in you are running an intelligence agency, there's really no reason to not do it

you might read above that o365 is one of the two mail vendors the university supports...

as the guy who did nothing more than manage the university system dns in an it department of 500+ people at a large university, it wasn't really my place to tell the e-mail team to migrate several thousand users from one platform to another, nor did i want to pick fights with random department heads and administrators who insisted on being able to use their help desk vendor of choice on an @university.edu address. that sort of fight at best would lead to being roped into several hours of meetings where i'm expected to explain my objection, and if there isn't a strong technical reason the implementation isn't possible or isn't reasonably secure, the result of this will be a memorandum of understanding where my objection is noted, but i'm told to move forward with the implementation anyway.
welp i scrolled over most of it. sounds like it sucks, but then again it's a university so working at it not being terrible would be the odd one out
yeah, i mean, i quit that in favor of doing stupid startup poo poo. who knows which is really less obnoxious at the end of the day. the point though was that while spf macros are loving gnarly, they're better than having to subscribe to or operate an spf flattening service, or deal with the political fallout of trying to keep the spf record small and macrofree
> nudgenudgetilt posted: you might read above that o365 is one of the two mail vendors the university supports... as the guy who did nothing more than manage the university system dns in an it department of 500+ people at a large university, it wasn't really my place to tell the e-mail team to migrate several thousand users from one platform to another, nor did i want to pick fights with random department heads and administrators who insisted on being able to use their help desk vendor of choice on an @university.edu address.

"I could do this better, but that would be a lot of extra work for no extra compensation." You're doing it right, it's a job.
Thanks guys for the help and effortposts, I have a much better mental model of how this poo poo should be set up. Hopefully my Finance & accounting team doesn't succumb to "To my good friend Bob, " emails until DMARC gets enforced. Working through it.
yeah, if you don't have dmarc then setting spf and dkim doesn't really do anything. we had a lot of people try to spoof our email systems when we had dmarc set to quarantine but they stopped when we finally moved to reject.
we have a lot of clients on 365 and using spf with "-all" seems to work fine for spoofing. they generally only have one or two mailing solutions outside office itself, so we haven't run into issues with record length yet.

the bigger problem we have is people responding to random gmail addresses that someone slapped a partner's name on and then freaking out about phishing. the email address is right there, and you know bob is not actually emailing you from sally3765@gmail.com, so what do you want exactly?

e: i guess the partial solution is automatic tagging of external messages with even more obtrusive klaxons and flashing lights
our compliance reqs have us slap [EXTERNAL] on every subject that comes from outside. kind of nice to filter it all out
yeah, it's either that or inserting it into the top of the message body, which at least doesn't mess with threading
looks like also-ran messaging app wickr is ending its free app and focusing on paying customers: https://wickr.com/our-focus-on-end-to-end-encrypted-enterprise-communications/
> infernal machines posted: yeah, it's either that or inserting it into the top of the message body, which at least doesn't mess with threading

my last job was not a very big company but had lots of phishing/gift card scam email attempts from things like “$FounderName <bigscam42069@gmail.com>” so I stole a SwiftOnSecurity tip to set up a list of VIP names and emails. then if something like the above came in there'd be a big annoying banner at the top like, “HEY THIS IS SOMEONE IMPERSONATING AN EXECUTIVE” and also it got dropped into the recipient's junk folder
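
The VIP display-name rule described in this post, as an added example rather than the poster's actual mail rule: the check normalises the From: display name (case, Unicode lookalikes, stray punctuation) and flags a message whose display name matches a VIP while the address is not one of that VIP's known addresses. VIPS, INTERNAL_DOMAINS and the sample headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed VIP list: display names that are only legitimate when they come
# from these exact addresses. Names, addresses and domains are placeholders.
VIPS = {
    "Alice Founder": {"alice@example.com"},
    "Bob Treasurer": {"bob@example.com", "bob.treasurer@example.com"},
}
INTERNAL_DOMAINS = {"example.com"}


def normalize_name(name):
    """Fold case, Unicode lookalikes (NFKC) and punctuation/spacing so
    'ALICE  Founder.' or full-width letters still match the VIP list."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    kept = "".join(ch for ch in folded if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


VIP_INDEX = {normalize_name(n): addrs for n, addrs in VIPS.items()}


def check_from_header(from_header):
    """Classify a From: header as 'impersonation', 'external' or 'internal'.
    Impersonation = a VIP's display name on an address that is not theirs,
    the '$FounderName <bigscam42069@gmail.com>' pattern from the post."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    key = normalize_name(display)
    if key in VIP_INDEX and addr not in VIP_INDEX[key]:
        return "impersonation", f"display name {display!r} used from {addr}"
    if domain not in INTERNAL_DOMAINS:
        return "external", f"external sender {addr}"
    return "internal", addr
```

In a mail flow rule the "impersonation" verdict is what drives the banner and the move to junk; the "external" verdict is the ordinary [EXTERNAL] tag discussed above.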