Category: Email

Block real-name email spoofing
article #1572, updated 375 days ago

We see it fairly often. An email comes “From” a real name, but the actual email address is wrong, a spammer’s or scammer’s Gmail or worse. Once we saw this with a very slightly misspelled domain — let’s say “pondervorthy” instead of “ponderworthy”. I just learned of a way to handle it, when one has email filtration which can do it, and when it works for another reason:

Let’s say we’re protecting me. I know all of my email addresses, at work and home. If I set my email filtration system to consider spam everything From “Jonathan E. Brickman” and “Jonathan Brickman”, which does not come from any of my email addresses, that will take good care. The biggest risk is another person named Jonathan Brickman trying to email me. Reportedly, one should actually do it like this, scanning email headers:

FROM: Jonathan Brickman, FROM: "Jonathan Brickman

This is because some of the bad actors are adding spaces after the name text. So the final quote is not set up in the filter rule. It’s really two different FROM field lookups within headers of the email, OR’d, in this system.

Now there are a number of Jonathan Brickmans in the world, but I haven’t met one yet (if you are one, please do email me at jeb@ponderworthy.com, that way we both will have done so at least once); I’m not sure there are many Jonathan Edward Brickmans; but if I found that there were, I’d put in a nickname in parenthesis, set the filtration rule for it

FROM: Jonathan Brickman (JEB), FROM: "Jonathan Brickman (JEB)

and that should do the job nicely, giving me a unique “From” real name for filtration purposes.

There may be other “gotchas”, I will test this over time. It cannot do a comprehensive block, but can clearly help.

In Microsoft Outlook rules, some of the above logic seems to be missing: one cannot filter based on text or email addresses not in the header. I will be checking Exchange Online shortly. One third-party service is confirmed as working well for this.

Categories:      

==============

SMTP conversation
article #133, updated 540 days ago

A sample SMTP conversation.  You’ll need Putty (telnet mode!) in Windows, or Cygwin with ‘inetutils’ installed (for telnet), or the telnet for your Linux. The idea is that you are playing the role of a machine trying to send email through a mail server you select. You can learn causes of failure this way that you cannot learn any other way, or not at all easily.

  • Blue is transmit.
  • Red is receive
  • We start with a telnet on port 25. The first step is a Linux command line as written, directly translatable to Cygwin’s telnet, and GUIable in Putty.
  • The messages received will vary somewhat, but the initial numbers won’t. 
  • The greater-than and less-than signs (< >) are required.
  • Replace mail.domain.com with the FQDN or IP of the mail server. This is essential to get to the correct SMTP server.
  • Replace test.domain.com with the Internet FQDN of the machine you are on if it exists, and otherwise, use test and the final domain name of the mail server you are trying to reach. This is how you are identifying yourself, as legitimately as available, to that mail server.
  • Most SMTP servers, especially ESMTP servers, respond well to EHLO these days. A few still need the original, HELO.
  • If it says OK at each step, the mail server has accepted what you have sent. Otherwise, it will give a short error, generally with a standard SMTP error code which you can look up.
  • Choose the sender and the recipient carefully, according to what kind of test you are needing. For instance, if you are testing a simple mailbox, the FROM can be your own email address, and the TO can be a mailbox to which you have access, behind that mail server. Distribution lists and scan-to-email can indicate needed variations.

telnet mail.domain.com 25

220 mail.domain.com ESMTP

EHLO test.domain.com

250 test.domain.com

MAIL FROM: <sender@domain.com>

250 2.1.0 Sender OK

RCPT TO: <recipient@domain.com>

250 2.1.5 Ok

DATA

354 Enter mail, end with “.” on a line by itself

testing
testing
testing
.

250 2.0.0 Ok: queued as xxxxxxx

Categories:      

==============

Send passwords securely
article #1525, updated 604 days ago

Something new:

https://pwpush.com

Categories:      

==============

Betterbird: Vastly Improved Fork of Thunderbird
article #1520, updated 628 days ago

Try it. https://www.betterbird.eu/. The Thunderbird team has been ignoring huge quantities of bugs and usability issues for decades. They kicked out a profoundly gifted developer several years ago, who has been leading Betterbird, a careful “soft fork” of Thunderbird, which maintains all helpful interoperability while fixing many, many bugs. Betterbird is lighter and faster, it does CardDav address books natively to Gmail and other providers, it has a far better HTML email composer, and much, more more!

Categories:      

==============

Report Bad Actor Emails
article #1413, updated 1390 days ago

If (when) anyone gets a bad actor email, i.e., a “phishing” scam trying to produce misdirection of funds and/or identity theft, those emails should be sent here:

reportphishing@apwg.com

and if it was sent from or arrived into a Microsoft mailbox, also here:

phish@office365.microsoft.com

Categories:      

==============

DMARC analyzer
article #1284, updated 2069 days ago

Here’s a good one:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Categories:      

==============

A web tool to test DKIM
article #1141, updated 2522 days ago

Here is one:

http://www.appmaildev.com/en/dkim

Categories:      

==============

Test DMARC record for a domain
article #1086, updated 2650 days ago

A free tool:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Categories:      

==============

SPF for Constant Contact
article #873, updated 2657 days ago

Awhile ago it came to light that the following needed to be added to SPF records for email-enabled domains using Constant Contact:

include:ccsend.com include:constantcontact.com include:confirmedcc.com

Things have gotten a lot better. The following now covers all of the above:

ip4:208.75.120.0/22

Categories:      

==============

SPF and Email Flow Analysis Tools
article #998, updated 2831 days ago

A very good SPF checker:

https://vamsoft.com/support/tools/spf-policy-tester

Here is possibly the original SPF checker:

http://www.kitterman.com/spf/validate.html

To do a deep study of a bounceback, the best tool this writer has ever seen is here:

https://testconnectivity.microsoft.com/

in the Message Analyzer tab. Just paste every header you have into there and submit, and then read. Lots and lots of excellent information comes up.

Categories: