Is this just phishing?
August 15, 2022 10:51 AM Subscribe
Hello. Please explain these two spam-like emails I received, which did not get routed into my spam folder. Usually I ignore such stuff, but I know next to nothing about this sort of thing. Please explain it like I'm a toddler.
This is on my work email, which I have through my domain (via Weebly/Square) and which I manage via the Google Workspace admin console. I am a one-person operation.
The first email I received, at my work email:
Hello Team,
I am a security researcher and I founded this vulnerability.
I just sent a forged email to my email address that appears to originate from blah@blahlala.com
I was able to do this because of the following DMARC record:
DMARC record lookup and validation for: blahlala.com
" No DMARC Record found "
How To Reproduce(POC-ATTACHED IMAGE):-
1.Go To- mxtoolbox.com/DMARC.aspx
2.Enter the Website.CLICK GO.
3.You Will See the fault(DMARC Quarantine/Reject policy not enabled)
Fix:
1)Publish DMARC Record.
2)Enable DMARC Quarantine/Reject policy
3)Your DMARC record should look like
"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@domain.com"
For more information you can use this blog
(https://sendgrid.com/blog/what-is-dmarc/).
Reference : https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records
Let me know if you need me to send another forged email, or if have any other questions.
Hoping for the bounty for my ethical Disclosure.
Best Regards
Security Researcher
The second email I received:
Kindly update me regarding the issue and hoping for a bug bounty from you for sending this bug ethically to you.
Waiting for your response
Always Best Regards
Okay, so...do I need to do anything for my security? Do I need to respond to this person? Is this all bullshit or something I need to fix? Remember, talk at me like I'm a toddler past her nap time.
Response by poster: I realized the second part of my question is: Even if this person is a scammer, is this situation real and something I should take care of?
posted by BlahLaLa at 11:12 AM on August 15, 2022
Best answer: Let's say I receive an email that claims to be from Alex@example.com. My email provider will look for a DMARC record on the example.com website. This record helps my provider decide whether the email is really from example.com, and, if not, what to do about it. (Don't deliver it? Put it in the spam folder? Deliver it anyhow?)
Some email providers (eg Gmail) will judge that email from websites that don't have a DMARC record is more likely to be spam.
However, DMARCs are completely optional and plenty of websites don't use them.
To sum up:
Do I need to do anything for my security? No.
Do I need to respond to this person? Definitely not.
Is this all bullshit? Actually no! It's a nice way to help fight spam.
or something I need to fix? Not at all. Feel free to keep on keeping on.
posted by What is E. T. short for? at 11:31 AM on August 15, 2022
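Added example, not from the thread or any of its posters: a small Python parser for the record quoted in the question, plus the receiver-side decision the answer above describes. The DNS lookup is a constructed table in which example.com is assumed to publish that record and blahlala.com, as in the post, publishes nothing.

```python
from typing import Optional

# The record suggested in the email above, with a placeholder domain (constructed).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@domain.com"
# Constructed stand-in for DNS TXT answers at _dmarc.<domain>. blahlala.com has
# no entry on purpose, matching "No DMARC Record found" in the post.
FAKE_DNS_TXT = {"_dmarc.example.com": [EXAMPLE_RECORD]}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; ...' into a dict; v=DMARC1 must come first and p= is required."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def lookup_dmarc(domain: str) -> Optional[dict]:
    """Parsed record published at _dmarc.<domain>, or None if nothing is published."""
    for txt in FAKE_DNS_TXT.get(f"_dmarc.{domain}", []):
        if txt.strip().upper().startswith("V=DMARC1"):
            return parse_dmarc(txt)
    return None


def disposition(from_domain: str, aligned_pass: bool) -> str:
    """Receiver's decision for a message whose From: domain is from_domain.
    aligned_pass: SPF or DKIM passed for an identifier aligned with From:.
    'no-policy' means nothing is published (the thread's case), so the receiver
    falls back to its own spam scoring. Simplification: a subdomain's parent
    stands in for its organizational domain."""
    record = lookup_dmarc(from_domain)
    if record:
        policy = record["p"]
    else:
        parent = from_domain.partition(".")[2]
        parent_record = lookup_dmarc(parent) if "." in parent else None
        policy = parent_record["sp"] if parent_record else None
    if policy is None:
        return "no-policy"
    if aligned_pass or policy == "none":
        return "deliver"
    return policy
```

Note that the suggested record carries sp=none, so a forged message from a subdomain such as mail.example.com would still be delivered; a domain that sends no subdomain mail is better served by omitting sp= (it then inherits p=) or setting it to reject.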
Best answer: "Scam" is a stretch IMHO. It's definitely not phishing in any sense.
There are lots of people who go around trying to find vulnerabilities in software in hopes of earning bug bounty payments. There are lots of companies that do pay bug bounties for vulnerabilities that are reported.
I would not call this a vulnerability in the traditional sense, but it is true that without DMARC it is easier for people to spoof email from your domain, and I do believe that using DMARC is best practice.
You could say it's borderline scammy to ask for a bug bounty from someone who never advertised one, and you could also say it's borderline scammy to ask for a bug bounty for something that's more of a best practice than a true vulnerability. But I don't think this is blatant. They sent you valid information about a real problem and asked about (didn't demand) a bug bounty, which is a legitimate thing in the industry.
posted by primethyme at 11:47 AM on August 15, 2022 [5 favorites]
Best answer: I do think that What is E. T. short for? undersells the importance of DMARC a little bit — not having it set up does allow people to spoof emails as being from you (it's sort of more complicated than this, but not really), which is I think pretty bad, although exactly how bad depends a lot on the nature of your business, and also makes it more likely that emails you send will land in spam.
Here are the instructions for how to set it up on Google Workspace, if you are interested.
posted by wesleyac at 2:38 PM on August 15, 2022 [2 favorites]
Response by poster: Okay, so to be perfectly honest, my brain does not work with those DMARC instructions. It just...doesn't. There are so many words that I don't understand as to make it literally incomprehensible. I wouldn't know where to even begin.
Is it okay to just...not do it? I actually send and receive very few emails via this address. The ones that come in and go out are important, however. They're mostly addressed to one person at a time, and are never form letter type stuff. Sometimes they have large attachments -- client files. I don't want them to land in spam, however.
posted by BlahLaLa at 4:39 PM on August 15, 2022
It's fine. Ignore it and enjoy your life. Just like many things we know we "should" do, lots and lots of people don't and the result is not catastrophic by any means.
posted by primethyme at 4:52 PM on August 15, 2022 [2 favorites]
If you opt to not set up DMARC, if there is a lingering concern that your important e-mails could end up going to a client's spam folder by accident, you could always enable read receipts. This way you have the piece of mind of knowing that your e-mail was received and read (or, at the very least, opened). But with established clients you're probably fine as-is.
posted by SquidLips at 5:25 PM on August 15, 2022
I think the risk, if any, begins here
1.Go To- mxtoolbox.com/DMARC.aspx
2.Enter the Website.CLICK GO.
aspx = Active Server Pages eXtended which is a Microsoft server technology which can include scripts at the website
So, "entering the Website" and clicking "GO" probably means you'll be running some sort of script. Running code you don't know _can_ be risky. I can't say if it is or it isn't in this case
posted by TimHare at 9:43 PM on August 15, 2022
In this case, assuming you typed the address into your browser rather than clicking on the link, there's zero risk whatsoever. (Or as close as you can get using any website). MXToolbox is a legitimate site.
For the record, your email provider should have instructions for adding SPF and DKIM records to your DNS provider (assuming they are separate, if not most will handle it automatically)
posted by wierdo at 8:15 AM on August 16, 2022
posted by Lyn Never at 10:54 AM on August 15, 2022 [6 favorites]