DEF CON 31 - SpamChannel - Spoofing Emails From 2M+ Domains & Virtually Becoming Satan - byt3bl33d3r

Ever wake up and ask yourself: “Damn, how could I make email security suck even more today?” Tired of your Red Team's phishing emails not landing in your targets' inboxes?

Do you dislike Boston (the city) and love Satan?

If you answered yes to any of those questions you should come to this talk!

I'll be showing you how to spoof emails from 2 million+ domains (while also “bypassing” SPF & DMARC!) by (ab)using a partnership between Cloudflare and the “biggest transactional email service” on the interwebs. We'll be diving into "edge" serverless applications and the magical world of email security, where everything is (still) held up by duct tape, pasta, and marinara sauce. Finally, I'll be dropping code and releasing a tool that demonstrates how to impersonate emails from 2 million+ domains.
Comments

You should have written to the CEO from their own domain

lrhache

Love this mofo. Splendid and efficient, zero-hopium talk. 10/10.

eternalillusion

Endless stream of Bruh-moments from minute 9 on .. Nicely done!

claudiusraphael

I can believe that your e-mail to the CEO went to the spam folder, because he marked you as a nuisance after your second "offense". But I cannot believe that a CEO who was perhaps not very tech-savvy didn't pass your concern about the Cloudflare API (which might change the calculus) on to the CTO.

YuanLiuTheDoc

Great talk. I found his manner of speaking quite relaxing to listen to 😊

thefloorhasgone

This guy is a great speaker. So comfortable and fun to listen to. Very informative and I enjoyed the humor. Well done!!

juliacaesar

I’m both shocked this vulnerability is a thing but also not surprised so many companies don’t have SPF/DKIM set up. Email is a mess to secure, super complicated, and I don’t think most companies really have an expert managing their domains. But I do know that any company that would find out about this vulnerability would never be ok with this.

criticaloptimist

Awesome video. I have experience with SPF, DKIM and DMARC but have never looked into the ARC headers. Thanks for the thorough explanation!

TheCocoaDaddy

Still can't believe DKIM isn't widely set up and that most mail providers ignore it if SPF passes

rhysperry

35:36 I can tell you that this is indeed possible using certain security gateways.

theycallme_nightmaster

That is just incredible. Amazing talk.

adrianantoci

His demo vid didn't play because it's synced to online only XD, it's not stored on his PC. lmaooo The cloud strikes again.

hangingwithvoid

It would have been so easy, even with their relay in SPF. Do the same as Microsoft or Google does. Do API authentication and tie this authentication to a verified list of domains you own. They all need you to authenticate your domain at initial setup with a unique TXT record in DNS, for example.

drstefankrank

You can sometimes enforce DKIM alignment inside DMARC by setting your SPF record to -all. This isn't so uncommon because forwards and mailing lists break SPF anyway. You'll just need another SPF domain for the envelope-from header, but this intentionally leaves only DKIM for domain alignment.

RandornCanis
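As an added example (not the commenter's or the talk's code), a toy DMARC evaluator over constructed DNS records that contrasts an org-domain SPF record including a shared relay with the "-all" plus separate envelope-from layout described in the comment above; relay.example.net and 198.51.100.0/24 are assumed placeholders for a relay that many unrelated customers can send through.

```python
# Added example, not from the talk or the comments: toy DMARC evaluation over
# constructed DNS records. relay.example.net / 198.51.100.0/24 are placeholders.
import ipaddress

# Weak layout: the org domain's SPF includes the shared relay, so anything the
# relay emits with MAIL FROM example.com passes SPF and is aligned (no DKIM needed).
WEAK_DNS = {
    "example.com": "v=spf1 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}
# Hardened layout from the comment: "-all" on the org domain, envelope-from moved
# to a subdomain, strict alignment, so only a DKIM signature for example.com aligns.
HARDENED_DNS = {
    "example.com": "v=spf1 -all",
    "bounce.example.com": "v=spf1 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

def spf_check(ip, domain, dns):
    """Minimal SPF: ip4 and include mechanisms plus the qualified 'all'."""
    for term in dns.get(domain, "v=spf1 ?all").split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("ip4:") and ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:]):
            return "pass"
        if mech.startswith("include:") and spf_check(ip, mech[8:], dns) == "pass":
            return "pass"
        if mech == "all":
            return {"+": "pass", "-": "fail", "~": "softfail"}.get(q, "neutral")
    return "neutral"

def org_domain(d):
    return ".".join(d.split(".")[-2:])  # toy: ignores the public suffix list

def aligned(d, header_from, mode):
    return d == header_from if mode == "s" else org_domain(d) == org_domain(header_from)

def dmarc_check(header_from, mail_from, ip, dkim_pass_domains, dns):
    """Return (DMARC result, policy) for one message: pass if SPF or DKIM is aligned."""
    tags = dict(t.strip().split("=", 1) for t in dns["_dmarc." + header_from].split(";") if "=" in t)
    spf_ok = spf_check(ip, mail_from, dns) == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, header_from, tags.get("adkim", "r")) for d in dkim_pass_domains)
    return ("pass" if spf_ok or dkim_ok else "fail"), tags["p"]

if __name__ == "__main__":
    # Unsigned mail from the relay claiming example.com: passes under WEAK, fails under HARDENED.
    print(dmarc_check("example.com", "example.com", "198.51.100.7", [], WEAK_DNS))
    print(dmarc_check("example.com", "example.com", "198.51.100.7", [], HARDENED_DNS))
```

Legitimate mail in the hardened layout still passes only when it carries an aligned DKIM signature for example.com; the bounce subdomain alone does not align under aspf=s.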

Soooo it would be hypothetically very interesting if some people delivered to the CEO's mailbox AI-generated invoices, “escalations”, etc., just things that can't be ignored, and see how fast it gets fixed

idiotwidowmaker

Your emails were allegedly going to spam, yet somehow he responded to your earlier emails. I bet this company is just some old guy in his basement.

MrTweetyhack

MC's CEO is technically correct... SPF assumes one domain = one IP = one domain. That's not necessarily true. And it's never true on any email aggregation site like MC. Their API needs to authenticate who is attempting to send the message, then they can police what domains are used. The way they've integrated with CF eliminates all that - they just look for it to come from any CF IP, without CF disclosing anything about the CF user / account. (this would be rather simple for both of them to fix.)

jfbeam

This is hilarious and fantastic. Great speaker.

rpmk.

Can't follow but he's got it, I'd trust him with my email server 10 days out of 10.

MrMilarepa

If I remember correctly, there was a talk recently about fixing DMARC so that DMARC would fail if either DKIM or SPF failed. What's going on with that stuff?

I believe some email providers will throw an error if either DKIM or SPF fails, but that really needs to become like a standard, and they need to start throwing that error if DKIM is not set up, because there is really no reason not to be running all of the above.

Its-Just-Zip