undefined | Better HN

0 pointsjosephg3y ago0 comments

> but for most services out there, having missing/invalid anti-spoofing measures will result in your mail ending up in spam or not delivered at all.

You would think so.. but its remarkable how easy it still is to forge email.

My mum was recently the target of such a campaign. She's in the executive team at an international NGO. An attacker found her email address and a bunch of her contacts via the NGO's webpage. Then they forged emails from her email address, with a gmail address set up in the reply-to field. The emails all said it was an emergency, and asked for her colleages to transfer money.

As far as we can tell, most of the emails were delivered and lots of people were fooled - at least for awhile.

Her email address has DKIM and SPF set up, but (like most email providers) it has a lax DMARC policy. It turns out thats all it takes to be vulnerable to this sort of attack.

0 comments

tekknik3y ago

The NGO could also force people to sign their emails. Refuse it from the SMTP if it’s not.

josephgOP3y ago

Are you being serious right now? You understand that that'll never happen in our current technology landscape, right?

Outside of a few niche hardcore technologists, nobody knows what PGP is or how to use it. It would be hard enough getting my mum set up to PGP sign her own emails in Outlook, on the desktop and from her phone. (Is that even possible?). Let alone require anyone emailing her PGP sign their email too? Thats never going to happen for so many reasons, both technical and social.

I'm a software engineer and I tried setting up PGP years ago in thunderbird and it only worked for a few weeks, then it somehow broke. And then later I lost my PGP key. Oh, and then I started using webmail and PGP didn't work there at all.

And then later still I realised my public PGP key (signed by my web of trust) leaked details on the identity of my social network; which bothers me a lot more than any problems I've personally ever had with a forged identity.

PGP is dead. Let it go.

tekknik3y ago

This is just incorrect. Amazon for instance does this.

j / k navigate · click thread line to collapse

0 pointsjosephg3y ago0 comments

> but for most services out there, having missing/invalid anti-spoofing measures will result in your mail ending up in spam or not delivered at all.

You would think so.. but its remarkable how easy it still is to forge email.

As far as we can tell, most of the emails were delivered and lots of people were fooled - at least for awhile.

Her email address has DKIM and SPF set up, but (like most email providers) it has a lax DMARC policy. It turns out thats all it takes to be vulnerable to this sort of attack.

0 comments

tekknik3y ago

The NGO could also force people to sign their emails. Refuse it from the SMTP if it’s not.

josephgOP3y ago

Are you being serious right now? You understand that that'll never happen in our current technology landscape, right?

PGP is dead. Let it go.

tekknik3y ago

This is just incorrect. Amazon for instance does this.

j / k navigate · click thread line to collapse