Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Tagged Content List
  • Blog Post: Supporting email over IPv6, part 1 – An introduction

    One of the important projects I have been working on for the past few months is supporting email over IPv6. Long time readers of this blog (all four of you) will remember that last year I wrote a series of posts on email over IPv6: Part 1 – Introduction Part 2 – Why we can’t use IP blocklists in IPv6...
  • Blog Post: How to setup your DMARC records if you are outsourcing some, or all, of your email – Part 2

    Continuing on in our series on authenticating outsourced email, how do we outsource our email such that we also pass a DMARC check? First, decide if you want DMARC to pass via an SPF check or a DKIM validation, or both. Second, delegate a subdomain for the 3rd party to send email “as your...
  • Blog Post: How to setup DMARC records if you are outsourcing some, or all, of your email – Part 1

    In my previous posts, I discussed how to set up your SPF, SenderID, and DKIM records if you are an organization that outsources some of its email to a 3rd party, such as advertising. For example, an airline might send out its flight confirmations from its own email servers and infrastructure, but contract...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email and still build your reputation

    In my previous post, I described how you can set up DKIM records if you are outsourcing your advertising email to a 3rd party. In summary: You don’t have to do anything. However, this comes at the cost of not being able to generate your own domain-reputation. You may care about generating...
  • Blog Post: How to set up your DKIM records if you are outsourcing some, or all, of your email

    In my last two posts on outsourcing your email, I explained how to set up your SPF records if you are outsourcing your advertising email, and how to set up your SenderID records if you are outsourcing it. Next up is how to set up your DomainKeys Identified Mail, or DKIM, records if you are outsourcing...
  • Blog Post: How to set up your SenderID records if you are outsourcing some, or all, of your email

    In my previous post, I discussed how to structure email such that if it comes from a 3rd party on behalf of you, it will pass an SPF check. But what about passing a SenderID check? To solve this, we first have to remind ourselves what SenderID is. Let’s go back to the previous post where...
  • Blog Post: How to set up your SPF records if you are outsourcing some, or all, of your email

    I thought I would do a few posts on email authentication, specifically, how to ensure that you have good sending reputation and the proper way to set up your SPF records. In future posts, I plan to get into how to set up your DKIM records as well as your DMARC records in the case that you are an organization...
  • Blog Post: Statistics on spoofed mail

    The other day, I decided to investigate some potential efficacy rates of using DMARC.  Would using DMARC result in catching spoofed mail?  Are spoofers abusing certain brands en masse? To check this, I decided to take a look at how much mail we were getting from Paypal, Amazon, Bank of America...
  • Blog Post: New email authentication protocol – DMARC

    Today, a consortium of companies including Google, Microsoft, Facebook and Paypal announced that they were collaborating and coming up with a new protocol known as DMARC – the Domain-based Message Authentication, Reporting and Conformance. What is DMARC? This is very much a summary of DMARC in a nutshell...
  • Blog Post: Should trust be implicit or explicit?

    It sure seems like I am having a lot of debates with my co-worker lately about the nature of mail filtering.  Why do I say this?  Because I had one today.  This one is over the issue of trust. I can’t remember whatever it is we were discussing (I think it was something to do with product...
  • Blog Post: Yahoo now does SPF checks

    Well, what do you know? I don’t know if they have been doing them all along and have only finally decided to expose the result, but I logged into my Yahoo mail the other day and checked out the message headers of a mail in my inbox.  I was surprised to discover that Yahoo is now exposing the Received...
  • Blog Post: Why send spam over TLS?

    In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol.  The question now is why do it at all?  I mentioned in my post that this is clever behavior and one of my readers posted in a comment “What makes this so clever?” The issue of authentication...
  • Blog Post: Some stats and figures on DKIM and SPF

    Did you ever wonder how many organizations out there are signing their mail with DKIM?  Or how many organizations rely on SPF as a tool to validate their inbound mail? Well, I’ve wondered as well.  DKIM supposedly is getting more popular, but how widespread is it?  Are lots of people using...
  • Blog Post: Yahoo now signs with DKIM

    This went unnoticed by me for a very long time, but I was going through some of my personal mail and I discovered that Yahoo is now signing its outbound mail with DKIM in addition to DomainKeys. Long time readers may remember that about two years ago, I started a series on Sender Authentication and covered...
  • Blog Post: The concept of Safe Senders

    Sometimes an end user wants to flag a specific sender as a safe sender, that is, they always want messages from that user to go to their inbox.  You've probably seen this in some newsletters where they say at the top or bottom of the message to please add them to your address book which will prevent...
  • Blog Post: Response to Trust-based messages

    In my other post in a Q&A excerpt with Dave Crocker by Investor's Business Daily, I'd like to now respond to some of my selected quotes. Crocker: You have to create what I call a trust overlay to the existing e-mail system. Existing senders and receivers can continue to use e-mail as before... All...
  • Blog Post: Some early stats on TMA

    We finally got around to deploying all of our new features from our latest release.  As I explained a couple of months ago, I created a hybrid of SPF and SenderID in response to customer demand.  I called it TMA, or Terry's Message Authentication.  It was an SPF check on the From or Sender...
  • Blog Post: Spam's new nemesis: Trust-based messages

    The other day I was reading Investor's Business Daily and came across an article whose title you see in the subject line of this blog post.  The article is a Q&A with Dave Crocker of Brandenburg InternetWorking.  If you're like me and too lazy to click the link and read the article, allow me...
  • Blog Post: Sender authentication part 32: TMA Explained

    As I said earlier, I needed to come up with an authentication mechanism that protected the From: or Sender: address in the message headers. But, I did not want to replace SPF with SenderID. So, I came up with another solution which I call TMA. I would implement a "lite" version of SenderID. At first...
  • Blog Post: Sender authentication part 31: TMA

    I'd now like to post something about the inspiration for this whole series on authentication.  I'm not done with DomainKeys, I still have to post a little bit on DKIM and one other authentication mechanism, and then this series will be done.  But I need to boast about one of my achievements...
  • Blog Post: Sender authentication part 30: The canonicalization process

    Canonicalization is the process of preparing a message for signing. This process is necessary because of the way email is handled in transit by various mail servers. For example, some mail relayers handle white space and line wraps just fine, others do not and strip them or insert them. All email was...
  • Blog Post: Sender authentication part 29: Some DomainKeys examples

    Let's plow through a few real life examples. Here's an actual DomainKey Signature: Example 1 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.au; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=Nin4jVEsnqKpfH6nKyRwaSxJzzaH5tX0hDJeJgNCx9af7VbBiV7kwEGn4z44Dtg...
  • Blog Post: Sender authentication part 28: DomainKey headers in the message

    This post will again be a paraphrase of that which is found in RFC 4870. Now that we have seen how public keys are stored in DNS, we will next look at how a signing server generates the message signature. The signature of the email is stored in the "DomainKey-Signature:" header which contains all of...
  • Blog Post: Sender authentication part 27: Public key notation in DNS

    Now that we have an overview of how DomainKeys works, we're going to look at how a service using DomainKeys generates a DomainKeys signature. When a receiving email server gets the message and sees that there is a DomainKeys header, it has to retrieve the key from DNS. The DomainKeys header is "DomainKey...
  • Blog Post: Sender authentication part 26: DomainKeys in a nutshell

    Now that we understand how digital signatures work, let's take a look at DomainKeys. Like SPF and SenderID, DomainKeys is a mechanism of sender authentication. DomainKeys uses public key encryption to authenticate messages. It works in the following way (much of this is based upon Yahoo's description...