Interesting spam/phish technique: Look for subdomains with CNAMEs or SPF records that point to abandoned domains that you can then register…and effectively take control of the subdomain or SPF.

They haven’t seen any cases where it’s been used to host a phishing site at, say, an msn.com subdomain, but they’ve seen thousands of cases where it’s been used to pass email verification checks.

The article describing “SubdoMailing” gives a detailed example of a spam that made use of an msn.com subdomain that was used for a sweepstakes way back in in 2001, with a CNAME pointing to the long-abandoned domain name for the contest, but the subdomain was never actually deleted.

Lesson: check your DNS for any dangling references to outside domains that might not exist anymore!

I’ve been meaning to write a post about email newsletters that still assume you’re reading on a desktop and send out layouts that rely on a wide screen size and end up with tiny 2-point type on a mobile phone — you know, where most people read their email these days.

Then I stumbled on this usability article by Jakob Nielsen.

From 2012.

It pretty much covers what I would have said, and more. But a decade on, I still get email I can’t read without moving to a bigger screen.

The Time Before Tables

The funny thing is that HTML, by design, already adjusts to different sized displays, windows and terminals. In the very early days, you couldn’t make it not be responsive unless you added a block of pre-formatted text.

Once HTML picked up a little more rendering capability (tables, images and image maps), you had people designing websites who were accustomed to fixed-size media, and the paradigm stuck.

— Build your layout in Photoshop at 800×600, then slice it up into clickable pieces and reassemble the whole thing on a page!
— Wait, now we can aim for 1024×168!
— Oh, hey, we have widescreen now!
— Huh? What do you mean the window isn’t always fullscreen?
— Phones now? Ugh, I’ve gotta make a totally different website!

And so on.

Responsive Styling

These days you can apply relative sizes to everything, and tweak the layout based on the logical screen size instead of physical pixels. (Shout-out to high-definition displays here!) Modern HTML+CSS is amazingly improved in flexibility, and if you plan it right, you can often just rearrange the same page for screens from small cell phone size up to those widescreen monitors. Obviously this depends on what kind of site or application you’re building.

But for email, especially for newsletters, where reading the text is the main point, it should be an obvious choice!

Expanded from this thread on Wandering.shop.

Phishers: Hi, we’re your bank, please click on this attachment for important information.

Security experts: Never click on an unexpected attachment in an email even if you think you know who it’s from. It’s likely to be malware or a scam to steal your login credentials.

Actual banks: Hi, we’re your bank, please click on this attachment for important information. 🤦‍♂️

Seriously, I HATE these systems. The way they keep phishing and malware techniques believable — and have for years! — is worse than any supposed security advantage in not just using email. Half the time the info isn’t any more sensitive than a receipt would be. Or heck, even just “There’s a new message in your account, please log in to see it and use your own bookmarks to get there.” That’s actually more secure!

:sigh:

It’s really too bad all the schemes to add end-to-end security to email over the years have been either too cumbersome to take off for general usage or vendor-specific.

At a tech training session, I wanted to get access to some of my class-related email on the training computer. But I didn’t want to log into my primary email on an open network, or on someone else’s computer at all. I have no idea what they’re logging, whether they’re doing SSL inspection, whether there’s a keylogger on it — probably not, but who knows?

Heck, I didn’t even want to use my own device on the hotel Wi-Fi without a VPN, and that was at least secured by WPA2! (then again…)

I ended up forwarding the extra class materials to a disposable email account and logging into that one. No risk to other accounts if it got sniffed, at any level.

But I remembered how we all used to get at email when traveling back in the early 2000s, before smartphones, and before every laptop and every Starbucks had Wi-Fi:

Internet Cafes.

We’d walk into a storefront and rent time on one of their computers. Then we’d go to our webmail site and type in our primary email login and password over plain, unsecured HTTP without TLS.

I’d never do that today. Admittedly, I wouldn’t need to in most cases — I can access my email wirelessly from a device I own that I carry in my pocket. (Whether that’s a good thing remains up for debate.)

But more importantly, we know how easy it is for someone to break into that sort of setup. Even if your own devices are clean, someone else’s computer might have malware or keyloggers or a bogus SSL cert authority on their browser to let them intercept HTTPS traffic. An HTTP website is wide open, no matter whose device you use. And an open network is easy to spoof.

So these days it’s defense in depth: If it needs a password, it had better be running on HTTPS. If I don’t trust the network, I use a VPN. And I really don’t want to enter my login info on somebody else’s device.

Here’s a fascinating look back at the spam wars by former Gmail spamfighter Mike Hearn.

I was involved for most of the previous decade as (among other things) the email admin for a small ISP. We used a mix of public blacklists, a private blacklist, virus filtering, SpamAssassin with both shared rules and local custom rules, and various other tools all tied together, some at the Sendmail level and the rest through MIMEDefang. It worked tolerably well, though of course it wasn’t perfect. I find it amusing that Gmail declared victory on spam in 2010, the same year that I changed jobs to a position that was more software developer and less sysadmin.

Privacy is a growing concern these days, so he also talks about the impact that widespread end-to-end email encryption would have on spam fighting. If you’re the mail handler, you can’t filter on, say, links found in the message, or characteristics of the writing or formatting, or anything else in the content. You can’t even run statistical analysis on all known spam and non-spam to see which the new message fits better. All you can do is look at where it came from and where it’s going.

Moving the spam filter to the client lets you do content filtering on your own mail, but you can’t take advantage of the larger volume of data that an ISP can, which means your filtering isn’t going to be as effective. And if your main email client is your phone, that’s really going to slow it down — and chew up battery.

Encrypting more of our communication is probably the way to go, but we’ll have to come up with new approaches to some previously-solved problems like this.

It got me thinking: Most of us not only accept that our email providers will look inside our mail to filter spam and viruses, we expect it. That’s weird. The idea of the post office looking inside our letters is so abhorrent that even tracking programs raise concerns. The idea of an actual person reading our email in transit creeps us out. Many people have problems with the idea of automated systems (like Gmail) reading our email for purposes of targeted advertising. But spam filtering? We get upset if it’s not happening!

That says something interesting about our priorities, and about how big an impact unfiltered spam has on our email.

Via ma.tt.