Proton Mail launches “Newsletters” view — a built-in tool to manage email subscriptions without giving up privacy. 
No third-party access, no tracking, no ads. Just a cleaner inbox, on your terms. A welcome upgrade from one of the most privacy-respecting email providers. 
1. Hacker News, a #CyberSecurity newsletter, is sent from a domain where DMARC policy is p=none, which tells email providers, like gmail, to deliver all email that is screaming, "I am a Hacker News spoof email sent by a POS scammer" to the intended recipient anyway. p=none means take no action, even if you know it's a scam. Spam folder optional. Email services and clients will oblige. WTF Hacker News?
2. Hacker News is also using an insecure signature algorithm for signing their newsletter.
3. An extremely well-known Cybersecurity expert is sending the newsletter from a domain that has no DMARC record at all, so all spoof emails claiming to be from them will be delivered. And likely this is being constantly exploited. A DMARC policy of p="reject" would have those spoof emails trashed and not delivered. But no DMARC policy means "whatever, and I don't want to know". So, spoof emails go through unstopped and no reports of abuse are being sent to this person either. And it's their job to tell us how to stay secure and not be fooled by spoof emails. WTF?
Sometimes I don't understand how things work in the world.
Any thoughts or feedback on Material.security and/or Abnornal.ai with regards to at least email security? Broader functionality they both provide?
Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.
Can you stop this or prevent this? No
Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.
Does the spammer get a bounce message? Nope, not one.
Does the SMTP sending account owner whose credentials were stolen be notified about bounces so they can stop the spam? Nope.
Just millions of emails sent every day to poor schlameels who have no idea why they are getting them and who can't do anything about them.
The more I learn about the email protocols, the more I realize how terrible the design is.
OpenSMTPD and Maildrop working in concert
http://blog.whenhen.com/posts/opensmtpd-and-maildrop-working-in-concert.html
Some of the reasons I chose @Tutanota and Coolify.
https://haris.razis.com/posts/my-struggles-with-selfhosting/
Extremely happy with both of them! Props to the devs.
From @bert_hubert
Microsoft's email security scanners now execute JavaScript and POST requests from links in scanned emails, breaking single-use sign-on workflows. Developers must adapt by supporting multiple link confirmations. The rise of "gatekeeper" behavior raises concerns about transparency and accountability.
https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/
Important reminder, if you own a domain name and don't use it for sending email.
There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain's reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.
Just add these two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;
The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.
If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.
You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.
UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named "@", and the dmarc record name should be "_dmarc".
Here's what I have for one domain.
One difference that I have is that I'm requesting that email providers email me a weekly aggregated report when they encounter a spoof. gmail and Microsoft send them, but most providers won't, but since most email goes to Gmail, it's enlightening when they come.
Threat actors are stepping up their tactics to bypass email protections https://www.helpnetsecurity.com/2024/11/01/cybercriminals-emails-protections-video/ #AbnormalSecurity #cybersecurity #emailsecurity #Cofense #Video #email #video #News
Exchange Online starts public test of inbound SMTP DANE with DNSSEC
https://stackdiary.com/exchange-online-starts-public-test-of-inbound-smtp-dane-with-dnssec/
SlashNext describes "conversation overflow" attacks designed to trick machine learning security controls into allowing phishing emails through. Hidden text in the email is intended to read like a legitimate, benign message, tricking ML into marking the email as "good." 
https://slashnext.com/blog/new-attack-techniques-to-bypass-machine-learning-security-controls/
Advanced #EmailSecurity keeps imposters and malware out of your inbox. We’re proud to be named a Product Leader, Market Leader and Market Champion in KuppingerCole Analysts AG’s recent email security report.
This is the first time we’ve achieved leadership in an email security evaluation — a reflection of our ongoing commitment to
#cybersecurity innovation. Learn more: https://bit.ly/3w2EZ0a
Performed Email security standards tests with
@internet_nl .
http://Internet.nl - test to check if the service supports modern internet standards like IPv6, DNSSEC, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI.
Scores:
@protonmail - 75%
@skiff - 85%
@Tutanota - 87%
If you're an email admin or email security person, this looks interesting! #SMTPSmuggling #EmailSecurity https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Email Security: Top 5 Threats and How to Protect Your Business - With the explosion of digital communication, businesses must prioritize email secu... - https://readwrite.com/email-security/ #emailsecurity #security
My #Email #security is finally configured for detection and is in learning mode now. I will be setting remediation up in the coming weeks after some education on my #Avanan platform. It's covering my Teams, OneDrive, and Outlook email with the idea I can even make sure the meetings I have with vendors and such are secured more. This also works for #Google #Slack, #Dropbox #Box and #Citrix link
I'll have more to cover in the review in the coming weeks
#Cybersecurity #InfoSec #IT #Emailsecurity
7 guidelines for identifying and mitigating AI-enabled phishing campaigns
https://www.csoonline.com/article/3690418/7-guidelines-for-identifying-and-mitigating-ai-enabled-phishing-campaigns.html#tk.rss_all
#DataandInformationSecurity #ArtificialIntelligence #EmailSecurity #Phishing
Besides protecting your real email address when receiving spam, #SimpleLogin also protects you when sending emails to recipients you don’t fully trust. We call this functionality reverse-alias, and this is how it works: https://youtu.be/VsypF-DBaow
Is it me, or is email security getting ridiculous? SPF, DKIM, DMARC, MTASMS, TLS, TLS-RPT, DANE.
Any more?
what is your favorite resource for diving into mysteries of DMARC, SPF & DKIM? I am looking for a resource that will explain how these things work and meaning of config options etc to an old rusty dummy like me.
