We Finally Know How Hackers Exploited Gmail 

ThioJoe
Views: 146K

Published: 6 Sep 2024

Comments: 327
@mitchelvalentino1569 1 year ago
After years of watching ThioJoe, I’m convinced he lives a secret double-life as an elite hacker, and his YouTube channel is simply a distraction and fun side hustle.
@glebglub 1 year ago
it's hardly a secret. the question is what shade of hat does he wear?
@jdtech7976 1 year ago
@@glebglub black
@johnsmith8981 1 year ago
I actually really admired him to be honest because he started this channel off doing that joke content but you can see when he decided to take this seriously and stop the joke content he lost a lot of subscribers but he's come a long way since then. Over that time period he has built this up to be a legitimate tech channel. He's learned a lot of new stuff and these videos are getting more and more advanced while still keeping the explanation simple enough that you don't have to be too in the weeds with IT to be able to understand it. I think it's pretty awesome how his content has evolved. I could see him evolving into an even bigger tech channel like Linus one day. He's getting to the point where I would expect him to start getting corporate sponsors from hardware manufacturers. Can't wait to see what the future of this channel holds. It's just gotten better with time.
@_SJ 1 year ago
@@johnsmith8981 You nailed it
@WohaoG 1 year ago
he's probably a part of an anonymous whitehat organization
@andreaslonn8694 1 year ago
DMARC only requires one of SPF and DKIM to pass with alignment. The "relaxed" and "strict" only refers to matching of the domain where relaxed allows subdomains. (RFC7489 section 4.2)
@scsa20 1 year ago
The only reason I can think of for UPS removing Microsoft 365's SPF records is because they don't send directly from Microsoft 365 any more but through ProofPoint which is an email filtering service. Technically speaking if you're using an email filtering service you would want to also configure your email service to send through that filtering service and only that service so makes sense why UPS would remove the Microsoft SPF records.
@wolphin732 1 year ago
Techs often have managers not wanting to take anything down... so they may have not received approval to take the step to remove it. Managers go "What's the harm?" and when the answer is "It might let someone impersonate..." or "I don't know" rarely is it approved to take something down. I have seen "We are leaving this till we are sure this new system is working before we decommission it" keep getting pushed off for years and years... until something happens, then the tech is yelled at for letting them keep it around...
@spangospanga3564 1 year ago
Yeah not necessarily they use ProofPoint but surely that they don't send anything generated at Microsoft any more. If they were still using Microsoft removing MS servers from their SPF would be catastrophic 😂😂😂
@dura2k 1 year ago
It’s totally legit to override the spf-checks. Microsoft is right, it’s a known issue and SPF has a lot more. That’s the main reason why DKIM was developed. Microsoft just could implement a check for the sender domain of the customers.
@spangospanga3564 1 year ago
The override is not really the issue, just a symptom of the "I don't care I just want to receive my email" type of user. The check of outgoing customer email could go further, it is an issue with "auto forward" emails themselves. As another commenter said elsewhere, Microsoft email clients don't normally allow you to send from some address that is not yours. But that doesn't apply to auto forwards. Auto forwards being a server function could be reimplemented with stricter security.
@RandornCanis 1 year ago
That would be DMARC. The sender domain is recorded in the envelope from of the email header. DMARC is the mechanism that checks the alignment of envelope from to the from address you actually see. However, email forwarders break this SPF alignment because the forwarders themselves are different senders.
@Shananiganeer 1 year ago
@@spangospanga3564 Auto forwards ARE a server function and have additional security applied that has to be disabled. By default, the Microsoft outbound anti-spam filter will block forwards to external addresses and you have to explicitly allow those forwards through.
@Mavendow 1 year ago
@@spangospanga3564 Which is because auto-forwarding may need to happen inside a subnet without breaking DMARC. This is one of the only times in my entire life I'll say Microsoft was 100% right. They are 0% to blame for this boondoggle.
@misophoniq 1 year ago
I'm watching this video literally hours after setting up my own mailserver and running through all the DMARC and other hoops to get things working. If one thing, it made me realize that the entire e-mail sending needs a serious redesign. It is horribly complicated to set up and to prevent spam. Isn't it about time someone should re-design this 50-year old technology?
@ThioJoe 1 year ago
I believe this could have been avoided if you specify your DMARC policy to be "strict" instead of "relaxed" like the default. Which can be done by adding the tags aspf=s; and adkim=s. Though you'd have to make sure that doesn't conflict with any newsletter software that does send emails on your behalf.
@wolphin732 1 year ago
@@ThioJoe You add any of those services which send on your behalf to the rules so that they are known to be approved. The oops happen is when the outsourced IT department asked if you have anything which sends... and the managers fail to pass it on... it's a big headache, and often takes days to resolve.
@lawrencedoliveiro9104 1 year ago
If it worked like the postal system, where there is a cost to the sender to send mail, then the spammers’ business model would be destroyed overnight. All you need is the tiniest of token amounts, say a fraction of a cent per message, which legitimate users would simply not notice. But it would make the volume at which spammers typically operate become completely unsustainable.
@misophoniq 1 year ago
That would actually be a very good idea. Just one cent per message wouldn't probably bother anyone but spammers. It is time for emailing 2.0! 😄
@-_lIl_- 1 year ago
​@@lawrencedoliveiro9104 that is kinda smart to be honest
@GYTCommnts 1 year ago
I think this is a similar scenario like the "lock icon check" in browsers. These corporations want to make things "easier" by misusing this type of things. So not techie people then tend to "only check the indication" and not the source of the risk, so an impersonation could be more dangerous in this type of cases because the victim trusts "the authority" of the control indication and may go forth blindly.
@Syy530 1 year ago
nice pfp
@TheMrKeksLp 1 year ago
True, I'm still pissed off they are now hiding the company's name next to the padlock and Let's Encrypt is muddying the waters when it comes to confidentiality vs authenticity. We have taught people that "padlock means secure" but padlock just means that nobody can listen in, NOT that whoever you are talking with is indeed who you think they are* (*Technically TLS does ensure authenticity, but browsers try their best to hide certificate information...)
@JohnSmith-xq1pz 1 year ago
Hackers be like Dangit ThioJoe exposed us AGAIN!
@Theunicorn2012 1 year ago
Hackers be like Dangit ThioJoe exposed us AGAIN!
@Rune. 1 year ago
Damn, missed the opportunity to send "Hello this is Bill Gates, send me your credit card info and I'll give you a free PS5"
@soulife8383 1 year ago
This being patched in the future is gonna break a LOT of peoples' setop
@Theunicorn2012 1 year ago
This being patched in the future is gonna break a LOT of peoples' setop
@soulife8383 1 year ago
@@Theunicorn2012 setup*
@mrdiamond64 1 year ago
@@soulife8383 that is a bot (i think) that is just replying to comments with what the comment said. Your comment contains the setop spelling mistake which is why that bot also made that mistake.
@soulife8383 1 year ago
@@mrdiamond64 what a strange bot
@leonro 1 year ago
@@soulife8383 I assume that it's some sort of method to legitimise the account in youtube's eyes so that in the future it can transition to a scam bot that passes the bot filters.
@lmaoidgaf 1 year ago
I'm seeing a lot of people scammed/hacked by the ways you stated a year back!! I always recommend them your channel You are always ahead of others!!
@tmhchacham 1 year ago
Microsoft generally implements protocols as they are written. Which is actually the right way to do it. The problem is that everywhere else it is accepted to do otherwise.
@ThioJoe 1 year ago
True. There are legit reasons you might want to ignore a DMARC policy which is why the option was written into the spec in the first place. But I'm surprised they allow customers to forward emails with intact info that would allow spoofing like that.
@kloroformd 1 year ago
Maybe I'm old school (okay, I definitely am) but look at IE5.5 and 6. Those browsers caused web devs to create an art out of writing broken code that standards compliant browsers would discard, yet IE would accept just to fix the MANY rendering errors. You say generally, but you might mean recently.
@Theunicorn2012 1 year ago
Microsoft generally implements protocols as they are written. Which is actually the right way to do it. The problem is that everywhere else it is accepted to do otherwise.
@jaxjaguarz 1 year ago
@@ThioJoe Because the header info was accurate. It's not the Exchange server's role to police the receiving server's security implementation policies.
@wolphin732 1 year ago
@@anonymousalexander6005 DKIM and DMARC are handled at the mail server level, not at the email client level (postal mail: it would be handled by the post office before it is delivered to your mailbox, not by you when you check your mail). The client and mail service are hard to tell apart when you use the online sites, but they are actually separate. The client is the website which checks the mailbox on the server, but that is an optional server role separate from the SMTP receiver which actually receives the mail and the mailbox storage. @ThioJoe a good video would be one which dives into how email works and how the separate parts are (POP, SMTP, Mailbox, Webmail, Desktop and Phone mail clients), and how the security to keep spam away from you (DMARC, DKIM, Blacklists, Anti-Malware, etc), and how some companies have issues sending messages (usually from them not securing systems and getting flagged as suspect).
@Netz0 1 year ago
Not Microsoft's fault. The reason they allow it, like many email providers, is that you would be surprised how many domains and email servers are misconfigured, which means a lot of Microsoft customers would complain they are not receiving mails from other companies. Hence, they allow settings to be turned off. And as mentioned, this is not a strict requirement, gazillion of domains and email servers still use none. This is basically Google's mistakes for assuming emails coming from Microsoft are automatically safe and mismatching them to another source like UPS because they failed to check the senders headers properly.
@jetseverschuren 1 year ago
They probably shouldn't have allowed keeping the same FROM header when forwarding from their servers, especially not with the previous checks failing
@NicholasAndre1 1 year ago
Yeah try telling a public school to fix their DKIM 😂
@Homurro 1 year ago
Not the blue check mark thing but, This is what happened to our own domain emails last 2 years ago I think, after setting up Microsoft account for our Sharepoint requirements, it created an exchange server within our domain address (which I had no idea that will happen at that time) which thus, our users can't even receive their emails without knowing it was Microsoft's email service handles all our email transactions. I had to create a connector within Microsoft to our email domain after that to fix that issue. Which if, I created a microsoft email exchange server for a certain company email, maybe I can do some illegal transactions. 😅
@danman32 1 year ago
Sounds more like whoever was setting up SharePoint and was updating DNS goofed by changing the MX record. If all you're using of MS is SharePoint and you have something else handling your mail, you DO Not change your MX record even though MS thinks you should, thinking you're using their mail service. MS would not be changing your domain records
@user-qr4jf4tv2x 1 year ago
i think its time to have 2 factor authentication in emails where you authorize certain site to only be able to email with exact "tokens" like tokenizing emails themselves or have total private email where you can by design only receive emails from certain emails addresses
@spangospanga3564 1 year ago
SPF is like a second authentication factor. You announce to the world "my emails come from here only" and when someone receives email from your domain, they check if where the email came from matches your announcement. But what if you say "my emails come from Microsoft"? In this case, the scammers saw that UPS announce "my emails come from Microsoft" and said 'ok, we get a Microsoft account' et voila, now email passes SPF check. DKIM sort of does something like email tokenizing. With DKIM you "sign" your email and the receiver checks with you (again you "announce" something about your email) to verify the signature. As someone else said, it's a lot harder to pass DKIM checks when impersonating. None of the authentication methods are perfect but if you check as many as possible that seems to be the best approach at the moment
@cn-ml 1 year ago
Honestly, I think google is fully at fault. Why would you initially accept a mail whose dkim signature fails alignment, this alone is a sign, that the mail is definitely insecure, worse than missing dkim sign. In the end i think the blue check mark should only be applied if dmarc passes with full spf and dkim alignment
@wolphin732 1 year ago
It was secure... from an insecure server. But that insecure server should have been flagged as not to be trusted itself, and deal with it further.
@spangospanga3564 1 year ago
Maybe Google allows override of security features as well? Agree with your latter point though, probably some Very Important Customer with lower security standards wanted the blue check
@RandornCanis 1 year ago
Not possible. DMARC is hard coded for just one alignment, and this is necessary for personal email forwarders to work. SPF breaks easily with legitimate routing.
@So1 1 year ago
@@wolphin732 cool rap
@Alpha-kl4jo 1 year ago
Oh wow this video has proper subtitle indeed. Appreciate it man, really useful for non native (or even deaf people?)
@jamesphillips2285 1 year ago
I wonder how that happened. Lately the subtitles have been dumped in the first second of video seemingly site-wide
@realIncognitoTGT 1 year ago
DigiCert, if I'm not mistaken, also issues BIMI certs, so there is a possibility that the certs can be phished out and then used for BIMI emails :/
@danman32 1 year ago
Maybe it has to do with how the forwarding was allowed, but MS365 doesn't usually allow you to send as an address that isn't associated with your mailbox, let alone a domain not associated with your MS365 organization/tenant
@spangospanga3564 1 year ago
Auto-forwards are executed at the server level and don't usually have that restriction.
@johnfaltermeier4529 1 year ago
Dang!!! Joe is simply brilliant in the way he translates complex and detailed info.
@AsyncProductionsRP 1 year ago
Hey ThioJoe! Thanks! Ive subscribed to ya for being so helpful for me and Windows 11.
@Theunicorn2012 1 year ago
Hey ThioJoe! Thanks! Ive subscribed to ya for being so helpful for me and Windows 11.
@raznemon 1 year ago
Good job on 3 mil!! Hope you have a good day my dude
@ianmcpherson2301 1 year ago
There are thousands of poorly configured spf, dkim, dmarc records that if you impose strict rules very little email would make it to your inbox. Don't blame the companies but the onus is on the user to configure everything correctly. Email by default is the most insecure method of collaboration and always will be. It relies on open trust rather than encrypted trust.
@spangospanga3564 1 year ago
This person is an expert. Whatever new security measures come, someone will always complain that they need a workaround because they are too special to have to tell their VIP customer to be responsible. Use email with the expectation that security workarounds are always present. Use some other communication tool where there are no security workarounds (lol) if you want to be lazy about scrutiny.
@Aloha_XERO 1 year ago
A very good follow up report… thanks Joe for sharing this in a very digestible format.
@ShaRaOnWindWalker 1 year ago
You are the Best these videos are so helpful Thank you so much for doing them!!!!!!!!!!!!!!!!!!!!!!!!
@B_r_u_c_e 1 year ago
Thank you. Their mistakes had caused me to scratch my head about why my DNS settings weren't working.
@hamburgerdeluxe8795 1 year ago
wow a video that posted 1 minute ago that I am watching yay. with long waits and persistence I get to cross that out of my bucket list. btw love your videos ;)
@_SJ 1 year ago
Usually at :06 😉 (depending on your timezone)
@RandornCanis 1 year ago
Relaxed versus strict DMARC alignment only affects whether to allow wildcard subdomains. Strict alignment just means you need an SPF policy and DKIM key record for each subdomain in your DNS. I believe the original UPS spoof used a nonexistent subdomain, but this attack works the same with the root domain. Strict alignment would not have stopped this attack. DMARC only requires one of either SPF or DKIM to align. This is hard coded into DMARC and its RFC specifications. Even with both SPF and DKIM set to strict alignment under DMARC, only one needs to pass. This is actually necessary because email forwarders outside of the sender's control usually break SPF alignment. Potentially helpful aside, DMARC aligns different aspects for SPF than DKIM. SPF alignment checks the envelope from in the header against the visible from. SPF can be spoofed, and is often broken by legitimate handling. DKIM alignment checks a signed key against the visible from. DKIM allows multiple signatures in case there's complicated routing, and is difficult to spoof without control of a domain's DNS.
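The alignment rules described in the comment above, worked through as an added example (not code from the video or from any commenter). It assumes a simplified organizational-domain lookup (last two labels instead of the Public Suffix List); every domain, record and authentication result in it is constructed.

```python
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults
    for alignment mode (relaxed) when aspf/adkim are absent."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # ASSUMPTION: real receivers use the Public Suffix List here; taking the
    # last two labels is only correct for simple TLDs such as .com or .net.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any domain
    sharing the organizational domain, i.e. subdomains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    result: str     # "pass", "fail", "softfail", ...
    domain: str     # SPF: envelope MAIL FROM domain; DKIM: the d= domain


def evaluate(from_domain: str, results: list, record: str) -> dict:
    """DMARC passes when at least ONE mechanism both passes and aligns with
    the visible From domain. Returning which ones aligned lets a receiver
    tell 'SPF-only' passes apart from DKIM-backed ones."""
    tags = parse_dmarc(record)
    hits = set()
    for r in results:
        mode = tags["aspf"] if r.mechanism == "spf" else tags["adkim"]
        if r.result == "pass" and aligned(r.domain, from_domain, mode):
            hits.add(r.mechanism)
    return {"dmarc": "pass" if hits else "fail",
            "aligned": sorted(hits),
            "policy": tags.get("p")}


# Constructed records: default (relaxed) alignment and strict alignment.
RELAXED = "v=DMARC1; p=reject"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"

# Constructed case 1: SPF passes for the root domain because the sending IP
# belongs to a shared provider listed in that domain's SPF record; the only
# DKIM signature is valid but belongs to an unrelated domain.
SHARED_PROVIDER = [AuthResult("spf", "pass", "example.com"),
                   AuthResult("dkim", "pass", "tenant.example.net")]

# Constructed case 2: same, but the envelope sender is a subdomain.
SUBDOMAIN = [AuthResult("spf", "pass", "mail.example.com"),
             AuthResult("dkim", "pass", "tenant.example.net")]

# Constructed case 3: legitimate mail relayed by a forwarder, so SPF fails
# while the original aligned DKIM signature survives.
FORWARDED = [AuthResult("spf", "fail", "example.com"),
             AuthResult("dkim", "pass", "example.com")]

if __name__ == "__main__":
    for name, case in [("shared provider", SHARED_PROVIDER),
                       ("subdomain", SUBDOMAIN),
                       ("forwarded", FORWARDED)]:
        for label, rec in [("relaxed", RELAXED), ("strict", STRICT)]:
            print(f"{name:16} {label:8} {evaluate('example.com', case, rec)}")
```

Case 1 passes under both records on SPF alone, which is why the `aligned` list is worth logging: a receiver that wants a stronger signal than a bare DMARC pass can require `"dkim"` to appear in it.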
@velinion1 1 year ago
"They had their whole thing configured correctly and standard." I'd argue that if your security configuration allows for spoofing, you have not configured it correctly, or to any worthwhile standard. They left everything on defaults. Those were bad defaults (clearly). Sadly, a lot of software defaults are bad or insecure. I'd describe the situation as "They set up DMARC but never bothered to configure it for their use case."
@Mavendow 1 year ago
He misses the fact that UPS removed the MS servers from their trust list. Like, he mentions it, but doesn't factor it into his analysis. Clearly, if they could just remove those servers at the drop of a hat, it meant they (the servers) were actually a misconfiguration in the domain's allowed senders. He also misses the fact that he's blaming everyone for a problem that was mostly G's fault, not MS or even UPS despite their misconfiguration. I mean, if a server picks up a whole bunch of "auth failed" messages, it shouldn't treat it as trusted. In short, this video is flat-out incorrect.
@OmarTheAtheistAziz 1 year ago
Now i know what i did wrong, to have someone use my debit card, of $300. I had a USPS delivery yrs ago that never got delivered. & recently had a spoofed mail (similar to the UPS one in the vid.), from USPS, saying i need to pay $3 for shipping. In hopes of getting my product, thinking its in USPS storage, i put my full card number, & all info, while something in the back of my head telling me something is off
@thx1200 1 year ago
If Microsoft disabled overriding security policies it would break a huge number of completely valid workflows. It is extremely common. Google is the only one giving the checkmark for a not entirely validated mail flow. They are 100% to blame.
@GaelyneGasson 1 year ago
I saw one of those spams with the checkmark and it was the first time I'd seen such a mark at all. At first I thought it was a thing the spammers added somehow but then I wasn't convinced. What I did know was it certainly didn't belong on that Email if it were a legit symbol. You did an excellent job explaining DMARC, DKIM and SPF. I set all these for my clients when setting up their domains. It's a pain but if it means their mail gets delivered, it's worth it. I've had far less issues with clients having problems sending mail since these three protocols came about than in the several years previous.
@capability-snob 1 year ago
My capability theory sensibilities say that the only reliable verification protocol would have to be either "hey verified domain, did you send this (hash+timestamp) email" or "does the pubkey fetched from the site verify the signature on the email", and anything less is full of holes.
@amadensor 1 year ago
The reason to allow it is simple, it is so you can see the attack attempts, and be ready for them. Not for most email users, but for the security crew.
@markynio 1 year ago
There is another horrible thing from Microsoft Exchange: if you set up a Forwarding Address and also make a blacklist of domains, the servers will forward the message BEFORE checking the blacklist. So you end with junk messages on your forwarded email address despite trying to avoid it.
@geeneeyes 1 year ago
As a workaround, you can use inbox rules to forward emails instead of SMTP forwarding.
@BitwiseMobile 1 year ago
SMTP was a protocol that was invented 50 years ago now. Many of those venerable protocols are suffering. They were designed for simplicity in the event of a catastrophic situation and not for what we are using them for today. I remember the days before SPAM became the issue it is today. I spun up my own SMTP server (which is dirt simple for a basic configuration) back in the early 90s. I was spoofing my friends and family with emails from Santa Claus or the Easter Bunny. This was right before Gmail came on the picture, so it was mostly sending to Yahoo accounts ;). Gmail in the early days wasn't even a shadow of what it is today either. It was invitation only at first and I was able to get an invite.
@Tom-sg4iv 1 year ago
If at all possible you should set the strictest policy for all your domains. I get reports weekly on scammers trying to use our domains for something.
@gapho5198 1 year ago
Love the AI prompts!
@KittenKatja 1 year ago
That's basically how Minecraft legacy authentication worked a few years ago, it was exploited for a cracked client, for about 2 days, and then it got fixed. xD It essentially allowed someone to log into a Minecraft account, if that account is currently logged in somewhere, without the need to know the session ID or password.
@viazel2796 1 year ago
Love ❤️ the channel! Thank you 👑
@marksidebottomcrafts-vr1lh 11 months ago
love your content thio joe
@nHans 1 year ago
I miss the days when you sent emails by telnetting to port 25 of your friend's SMTP server, entering a few keywords - HELO, MAIL FROM, RCPT TO, DATA - and typing away, ending with QUIT. You read your emails in a similar fashion: telnet to port 110 of your own email server; USER; PASS; LIST; RETR; DELE; QUIT.
@avonzo 1 year ago
If headers on emails clearly say failed headers that’s where Microsoft and UPS jobs end. Note that we are talking about SMTP protocol. However showing authenticated on the final Gmail is the issue here. Even then can’t fully fault Gmail. We need to remember the display of the email on the header is another.
@koreyb 1 year ago
I think the takeaway should be never trust any email. Don't click on links in emails. Go directly to the website in question.
@charliecashman 1 year ago
Yeah, I had to set up SPF, DKIM and DMARC on my personal website emails. It was frustrating as I don't have a lot of resources or in-depth knowledge, but suffice it to say, the standards do allow methods to relax the enforcement, some of which gets pretty sophisticated. So on the one hand I'm not surprised someone figured out a way to game the system, but on the other, as you say, there is some culpability on MS and Google's part - which again I can understand because little tweaks they can make could have huge knock on effects and implications for people in my situation. The one thing you didn't cover is that these technologies have the provision for mail processing companies like Google to send reports, like DMARC reports, on mail that has failed, softfailed or passed the checks. These are quite enlightening. You would think that companies like Google and MS would have alternate ways to check up on their handling services just to make sure that what they thought should/was happening, was actually happening. Many thanks though for making these videos. You fill an invaluable niche between the tech impossible to understand and those who need to know what is going on but don't have the god-background the techies have.
@RandornCanis 1 year ago
That would give you a good warning when seeing mail passing with an external DKIM. Downsides being reports come 24 hours later and there's no way to see the actual email addresses.
@Muslim-uc2bh 1 year ago
This is with this kind of event that the industry progresses as a whole. Hope there were no severe consequences
@throwaway3227 1 year ago
A better analogy for the signatures than the check would be to say that you create a check, but before you sign it you laminate it and sign the check on the laminate, so now the check cannot be modified without damaging the laminate and thus the signature.
@allezvenga7617 1 year ago
Thanks for your sharing
@gFamWeb 1 year ago
If i were to go dogmatic, I would say this shows the problems of having centralized services.
@WippSheridan 1 year ago
If DKIM now becomes the norm to passing alignment, doesn't that mean that all the emails in the world should from now on be enforced to make sure they have a valid DKIM signature? I'm surprised organizations such as UPS didn't have to rely on DKIM signatures.
@TheGmodUser 1 year ago
You should submit this to googles bug hunt, could potentially be worth thousands of dollars :D
@olivier2553 1 year ago
There are users that want you to ignore the SPF policy because they have some weird email forwarding that blocks their message if you configure a strict SPF policy. Some mailing list for example will distribute the mail in the name of the sender and not in the name of the mailing list server, breaking SPF (you cannot include just any possible mailing list server in your SPF policy)
@IntroMakerNET 1 year ago
A PoC would be great.
@starvin666 1 year ago
Can confirm we had a similar systems to the scammers for sending out our accounts, printer emails etc emails We had to add our local server to the spf records yesterday due to ms changing how they verify emails and us ending up being blocked
@miyaguitube 1 year ago
strict dkim means only domains, not subdomains. relaxed accepts subdomains which is where the ups e-mail came from.
@erikp6614 1 year ago
It is hard to blame Microsoft for letting a user accept email however the user wants to do it.
@cluelessfish 1 year ago
5:53 We set all ours no matter who our client is to fail at this stage we will not use relaxed mode
@zxuiji 1 year ago
I think that list of servers should be replaced with something similar, yes it still includes the servers but should also include a pre-hashed 1024bit token to verify against, if the e-mail to be sent does not include that token for the server then it straight up gets deleted, if the target server finds fault with the token then again it gets deleted, no questions asked, instead a replacement email gets sent to both sender & receiver notifying that the email was deleted under that rule and whatever arrangements need to be made should be made instead or after the sender updates their token.
@ThioJoe 1 year ago
That's actually basically what DKIM is. You sign your emails with a private key, then publish a DKIM record that contains the public key half, which lets servers use the public key to verify it was signed by the private key published by the original supposed sender.
@zxuiji 1 year ago
@@ThioJoe I was more thinking the key would be shared between the server in the list and the sender, a 3 way key if you will, the server would have its private key, it would then generate a key for the sender that can be decrypted by the public key (in the list) to then pass onto the server to decrypt the result and verify the sender was permitted to send as them. The server can just use the sender's public key to encrypt and send the dedicated key to the sender who can then unencrypt the encrypted key to get what they should re-encrypt (using whatever private key is assigned to the target server that has the list) to pass on to the target server. Because the sender never knows what the public key given to the target server was they cannot generate their own key. Because the key must be tied to an account that has a money trail back to the sender (for licensing or whatever to pretend to send from said server) it would be impossible to abuse without leaving an obvious trail back to the abuser. I'd like to explain it better but I'm sure you get the gist even if I've explained it poorly.
@Mavendow 1 year ago
@@zxuiji That's a good idea, but in practice is no more secure. As a former dev, it's also much harder to implement. It's standard practice to buy servers, or the payment details with which they're purchased, from the dark web. What authorities get is not the spammer's name but some guy who doesn't know his identity's been taken. This is why it won't increase security.
@zxuiji 1 year ago
@@Mavendow I'm not expecting it to be a silver bullet, just that it increases the time it takes to match the keys to the hardcoded list, plus at that size it will be much more noticeable by the memory footprint. Additionally it's not hard to do arbitrary precision integer math, did it myself in various forms too
@anon_y_mousse 1 year ago
I hardly ever use e-mail and only have g-mail because of my tablet. I deleted the app on my phone and going forward I may move to a Librem or something similar. I don't understand why anyone would trust checkmarks for verification. Read the from field and be discerning people. If you get a lot of e-mail and expect it to save you time, you're doing it wrong, because there is no saving time if you want security.
@snipedeedillygaf4973
@snipedeedillygaf4973 10 months ago
You're the man. I feel hacked for years. What about backboard wake ups and instagrammshare ips files in iPhone?
@platoh
@platoh 1 year ago
Wait, are you saying there's actually a way for DMARC to require both SPF and DKIM alignment?
@markstevens1729
@markstevens1729 1 year ago
I guess individuals who knew back in the early 90’s that Microsoft systems were effectively Swiss cheese for broken code, and thus open to hacks and exploits once online, could at least maintain an appropriate level of distrust of anything they do. Some things never change.
@jesselagendijk5896
@jesselagendijk5896 1 year ago
I've noticed that Microsoft's consumer e-mail anti spam is terrible. I've been getting spam mail on my old MS account for years. I've tried cleaning it up. I've noticed that many e-mails actually fail on SPF but are put into my inbox anyways. I can't change the behavior of the SPF check either. I want spf=fail to be put into junk/spam but I can't.
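A mailbox-side filing rule of the kind the comments above ask about (junk on spf=fail, and optionally insist on both SPF and DKIM), as an added example that is not from the video or from any commenter. The authserv-id `mx.example.net`, the sample messages and the function names are assumptions; DMARC itself passes when one aligned mechanism passes, so `require_both` is a stricter local policy, not a DMARC setting.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id stamped by your own receiver
CLAUSE = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def _msg(*auth_results):
    """Build a constructed message carrying the given Authentication-Results values."""
    heads = "".join(f"Authentication-Results: {v}\n" for v in auth_results)
    return heads + "From: Shipping <notify@example.org>\nSubject: Your parcel\n\nbody\n"

# Constructed samples, not real mail; header syntax follows RFC 8601.
SAMPLES = {
    "spf_fail": _msg("mx.example.net; spf=fail smtp.mailfrom=example.org;\n"
                     " dkim=none; dmarc=fail header.from=example.org"),
    "spf_only": _msg("mx.example.net; spf=pass smtp.mailfrom=example.org;\n"
                     " dkim=none; dmarc=pass header.from=example.org"),
    "both_pass": _msg("mx.example.net; spf=pass smtp.mailfrom=example.org;\n"
                      " dkim=pass header.d=example.org; dmarc=pass header.from=example.org"),
    "forged": _msg("mx.untrusted.example; spf=pass; dkim=pass; dmarc=pass"),
}

def auth_results(raw, trusted=TRUSTED_AUTHSERV):
    """Return {method: set(results)} using only headers stamped by the trusted receiver."""
    found = {"spf": set(), "dkim": set(), "dmarc": set()}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted:
            continue  # written by another host, possibly the sender: ignore it
        for clause in rest.split(";"):
            m = CLAUSE.match(clause)
            if m:
                found[m.group(1).lower()].add(m.group(2).lower())
    return found

def verdict(raw, require_both=False):
    """Local filing rule: 'junk' or 'inbox'. require_both is stricter than DMARC."""
    r = auth_results(raw)
    if not any(r.values()):
        return "junk"  # no result from our own receiver: treat as unauthenticated
    if "fail" in r["spf"] or "fail" in r["dmarc"]:
        return "junk"
    if require_both and not ("pass" in r["spf"] and "pass" in r["dkim"]):
        return "junk"
    return "inbox"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw), verdict(raw, require_both=True))
```

Forwarded and mailing-list mail often fails SPF legitimately, so the strict mode will junk some genuine messages.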
@MrPazzerz
@MrPazzerz 1 year ago
I didn't watch the first video. But, it doesn't matter. Anything you get through email or any electronic means, can and should be checked by NOT using any links in those communications. Most companies don't give you these notifications unless you can opt in for them. You have to also take into consideration whether or not you actually ordered anything that would require a special carrier. If not, you shouldn't be getting information on that package. The sender should. It really just means being a little more vigilant and suspicious of anything on the web.
@Blueyzachary
@Blueyzachary 1 year ago
Funny enough, I had to resetup these security things for my mail server this morning
@MichaelToub
@MichaelToub 1 year ago
Great Video!!
@EmM-ko7mu
@EmM-ko7mu 1 year ago
oh wow a video with nice subtitles did you do that manually?
@ThioJoe
@ThioJoe 1 year ago
I use OpenAI’s whisper transcription model which does like 90% of the work then just fix them up
@forbiddenera
@forbiddenera 1 year ago
I dunno about UPS..I always set policy to strict..Just seemed like a dumb idea to do anything else..Even for my side project test app I was setting up last night, strict.
@andysPARK
@andysPARK 1 year ago
If UPS configure DMARC, then they're culpable. Though DMARC default needs to be changed, UPS should have changed it to strict.
@yousefslimani99
@yousefslimani99 1 year ago
God bless you thanks for telling us!
@laurendoe168
@laurendoe168 1 year ago
I understand that there are times where it is necessary for an email sender to be verified. My personal experience, though, is that the CONTENT of the email is often (but not always) enough to conclude that the email is total BS regardless of any blue checkmark.
1 year ago
I see that UPS wanted to send some emails by Microsoft because they could partially use Exchange instances hosted by Microsoft and partially theirs.
@jaxjaguarz
@jaxjaguarz 1 year ago
This is not a Microsoft issue at all. Any professional email admin would know why those settings are permissible and there is no reason for Microsoft to change/restrict that functionality. I don't see how this could be seen as anything else than Gmail not using the security checks like they are intended. There is a reason those security protocols were created and it's up to the receiving party admins to implement such measures properly. Attempting to blame Microsoft is like trying to blame your neighbor for someone getting into your house when you left the door unlocked, simply because the burglar used your neighbor's sidewalk on the way to your house. And getting mad at the neighbor because he didn't somehow block the person from using the sidewalk.
@racky2
@racky2 1 year ago
Love your channel. 🖤🔥
@FusionDeveloper
@FusionDeveloper 1 year ago
"Bimmy isn't even a real name" -double dragon 3 NES game
@kairon156
@kairon156 1 year ago
Google has a blue checkmark like twitter has/had? I don't think I've ever noticed. I often read the email address itself to find out it makes zero sense vs what it's claiming to be.
@humilulo
@humilulo 1 year ago
i think email is utterly broken anyways. we need something better and old email ought to die. i doubt it will ever happen tho. 😢
@JoeCosentino
@JoeCosentino 1 year ago
Never look for blue check marks
@Q_20
@Q_20 1 year ago
thanks!
@maybdev
@maybdev 1 year ago
I have not even watched it but I know it's good. That means something.
@11Stormtrooper
@11Stormtrooper 1 year ago
the icloud and apple mail thing is probably just the email provider and an email client respectively
@Trillyana
@Trillyana 1 year ago
Not that I condone the hacking itself, but being able to figure out ways to exploit security measures is pretty cool. Or maybe I'm just a really uncreative person.
@wh17efox
@wh17efox 1 year ago
THX❤
@asailijhijr
@asailijhijr 1 year ago
The last time I set up email forwarding from a Microsoft account to a Gmail, it required confirmation in both directions; I had to show that I had control of both inboxes.
@udgamcl
@udgamcl 1 year ago
the whole world (except the US) was scratching their heads and saying... Cheques? we haven't seen those since the 80s
@LuckyStone888
@LuckyStone888 1 year ago
It's all very strange.
@FlyboyHelosim
@FlyboyHelosim 1 year ago
I've never even seen an e-mail with a blue check mark.
@madeforstreets
@madeforstreets 1 year ago
Something is going on at Proton mail... - Stay Blessed - 🙏❤✌
@hike8932
@hike8932 1 year ago
ALMOST 3 MILLION !!!!
@forbiddenera
@forbiddenera 1 year ago
As soon as you said they made a Microsoft email server I knew what was happening
@Cyberstormxiii
@Cyberstormxiii 1 year ago
@ThioJoe -- can you perhaps go into details with spoofing Phone Numbers, and IF there is some way to fully stop this nonsense as I've been getting a lot of phone calls that should originate in my home country, but are often spoofed from innocent people's phone numbers instead, and really come from a call center in India or something to that effect.
@Dr_KingMike
@Dr_KingMike 1 year ago
This dude must be a criminal in disguise. How did he know all this, wow
@theBotNinja
@theBotNinja 1 year ago
Yes ( how can I be so fast )
@tedmoss
@tedmoss 1 year ago
Wow! When I helped write software I spent a lot of time breaking it to fix it, someone fell down on the job since this isn't even a third level flub.
@spangospanga3564
@spangospanga3564 1 year ago
SPF is just not that great a security measure where many entities use the same mail service.
@larrybe2900
@larrybe2900 1 year ago
There may come a day where we will be absolutely safe on line. I don't intend to hold my breath.
@saplingqwason
@saplingqwason 1 year ago
nice video my dude
@qryvein
@qryvein 1 year ago
security imo still very weak, for this reason triple check and be always all time cautious, it will not keep you safe, but should lower the risks a bit.
@WinrichNaujoks
@WinrichNaujoks 1 year ago
This is the first time I've been told there is something like a blue star in the first place.
@dawhoelse
@dawhoelse 1 year ago
Congrats for 3 Million subs (soon)
@_SJ
@_SJ 1 year ago
Smiling bank teller........next to happy thief. Hahahahahahahaha 😅😅😅😅😅
@scrollingcat
@scrollingcat 1 year ago
Hey, I don't know how but one of my accounts keeps getting emails (replies) from mail delivery system saying that the email couldn't be sent or there was a delay in sending the email, now the email to which these replies are coming are apparently sent by me. So, my gmail keeps sending to hundreds of weird addresses. What is happening I can't figure it out, I've changed my password, logged out of every device, except my phone, and I'm using passkeys now and also I found my account logged into a Mac (unknown device) and I've never used a Mac in my whole life.