TIL DKIM Replay Attacks Are A Thing

ProtonMail goes in depth on how Gmail came to block email coming from its services after an attacker used a DKIM replay attack against Proton.

On 1 December 2021, we began receiving sporadic reports of delivery failures from protonmail.com addresses to Gmail. This corresponded with a dramatic decline in protonmail.com’s domain reputation as seen via Gmail Postmaster Tools and an increase in sending from known bad IP addresses.

. . .

We suspected a DKIM replay attack, where a single spam email originally sent from ProtonMail was being resent to many Gmail users in an attempt to exploit our deliverability and reputation to get around Google’s anti-spam measures. At one point, roughly 98% of the emails Gmail received that claimed to be from ProtonMail were actually spam, meaning the spammers were sending an amount of emails that was equivalent to 50 times our normal outgoing traffic to Google.

The ProtonMail blog post discusses what DKIM replay attacks are, what allows them, and what can be done to mitigate them.
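As an added illustration of what makes a captured DKIM-signed message replayable (this is example code, not from the ProtonMail post or this blog): a small checker that parses a DKIM-Signature header and reports the signer-controlled weaknesses a replayed copy would rely on, namely a long or missing `x=` expiry and recipient or subject headers that are unsigned or not over-signed. The header values, `example.com` domain and selector are constructed placeholders.

```python
import re

# Constructed DKIM-Signature value (not from the ProtonMail post); domain, selector, body
# hash and signature are placeholders. t= is 1 Dec 2021 00:00 UTC, x= is one day later.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2021; "
    "t=1638316800; x=1638403200; h=from:to:subject:date:message-id; "
    "bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)
# The same signature with a one-hour lifetime and To/Subject listed twice (over-signed).
HARDENED_DKIM = SAMPLE_DKIM.replace("x=1638403200", "x=1638320400").replace(
    "h=from:to:subject:date:message-id", "h=from:to:to:subject:subject:date:message-id"
)


def parse_dkim_tags(value):
    """Split a DKIM-Signature tag-list (RFC 6376) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def replay_findings(value, now, max_age=3600, oversign=("to", "subject")):
    """List replay-related weaknesses of one signature as seen at Unix time `now`.

    DKIM never covers the SMTP envelope, so a captured message can always be re-sent to
    new RCPT TO addresses; what the signer controls is how long that copy stays valid
    and which headers a re-sender can add without invalidating the signature.
    """
    tags = parse_dkim_tags(value)
    signed = [h for h in tags.get("h", "").lower().split(":") if h]
    findings = []
    if "x" not in tags:
        findings.append("no-expiry")  # signature never expires
    elif now > int(tags["x"]):
        findings.append("expired")  # receiver must treat the message as unsigned
    if "t" in tags and now - int(tags["t"]) > max_age:
        findings.append("stale")  # older than local policy tolerates
    for hdr in oversign:
        if hdr not in signed:
            findings.append(f"unsigned-{hdr}")  # header can be added or changed freely
        elif signed.count(hdr) < 2:
            findings.append(f"not-oversigned-{hdr}")  # a second copy can be appended
    return findings
```

Run against `SAMPLE_DKIM` a week after signing it reports `expired` and `stale`; the hardened variant checked within its hour reports nothing.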

Boomerang: Email Myself App for Android

Boomerang: Email Myself is a single-purpose Android app that does one thing and does it well: it lets users easily send emails to themselves.

I end up doing this quite a lot, and I previously would just open up the Gmail client or share content to Gmail.

But I dislike doing so, as I have to enter the email address I want to send to and constantly worry about inadvertently sending a provocative link or message to someone other than myself.

I also have to populate the subject field, which Boomerang takes care of.

Not an app that everyone will need, but an excellent solution for those of us who do need it.

Boomerang: Email Myself screenshot

An Ingenious Phishing Technique

Craig Hays wrote a fascinating article describing a phishing campaign his company had to deal with that had an ingenious method of propagating itself.

As we dug deeper and compared sign-in timestamps with email timestamps, it became clear what was happening. The phishing emails were being sent as replies to genuine emails. Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.

A typical phishing email comes from an email address you’ve never seen before. Granted, it might be similar to a real address you’d expect to see such as rnicrosoft.com instead of microsoft.com, but it’s rare for an address you trust to send you anything suspicious. When someone you know does send you something suspicious it’s usually rather obvious. When it happens we contact them directly to let them know there’s a problem. ‘Looks like you’ve been hacked, mate.’ We don’t fall for the scam.

In this attack, however, all of the phishing links were sent as replies to emails in the compromised account’s mailbox. This gave every email an inherited sense of trust. ‘You asked for this thing, here it is: link to phishing page’. When I realised what was happening, I was in awe. Whether done by deliberate design or not, the outcome was incredible. The conversion rates on these emails would make even the greatest of email marketers envious!

EFF’s STARTTLS Everywhere Project

As a sort of sequel to its highly successful HTTPS Everywhere campaign, the Electronic Frontier Foundation has initiated a STARTTLS Everywhere project to improve email security.

Unfortunately, this is likely to prove more challenging than HTTPS Everywhere because of inherent issues with STARTTLS:

Although many mailservers enable STARTTLS, most still do not validate certificates. Without certificate validation, an active attacker on the network can read and even modify emails sent through your supposedly “secure” connection. Since it’s not common practice to validate certificates, there’s often little incentive to present valid certificates in the first place. A brief experiment on Censys shows that about half of the mailservers that support STARTTLS use self-signed certificates.

. . .

When two mailservers support STARTTLS, their insecure connection is opportunistically upgraded to a secure one. In order to make that upgrade, the two mailservers ask each other if they support STARTTLS. Since this initial negotiation is unencrypted, network attackers can alter these messages to make it seem like neither server supports STARTTLS, causing any emails to be sent unencrypted. ISPs in the U.S. and abroad have been caught doing exactly this, and in 2014, several researchers found that encryption on outbound email from several countries was being regularly stripped.

But you have to start somewhere, and the EFF should be commended for going beyond simply issuing policy prescriptions and recommendations, and doing a lot of the heavy lifting to improve end user security.
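The two weaknesses the EFF describes, capability stripping during the cleartext EHLO exchange and the lack of certificate validation, as an added example (not code from the EFF project or this blog). It parses a constructed EHLO reply, shows how an opportunistic sender and a policy-enforcing sender react when STARTTLS is absent, and puts the weak client TLS configuration beside the validating one. The `example.org` hostname, the `tls_required` set standing in for a preload list or MTA-STS policy, and the function names are assumptions.

```python
import ssl

# Constructed EHLO reply (not captured from a real server); example.org is a placeholder.
EHLO_CLEAN = (
    "250-mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply after an on-path device has overwritten the capability keyword.
EHLO_STRIPPED = EHLO_CLEAN.replace("250-STARTTLS", "250-XXXXXXXX")


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    exts = set()
    for line in lines[1:]:  # lines[0] carries the server's domain, not an extension
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            exts.add(keyword)
    return exts


def starttls_decision(reply, domain, tls_required):
    """Decide how a sending MTA proceeds for this EHLO reply.

    tls_required is the set of recipient domains for which encryption is mandatory,
    standing in for a preload list (STARTTLS Everywhere) or an MTA-STS policy.
    """
    if "STARTTLS" in ehlo_extensions(reply):
        return "upgrade"
    if domain in tls_required:
        return "refuse"  # never fall back: defer delivery and alert
    return "send-plaintext"  # the opportunistic fallback that stripping relies on


def client_tls_context(validate_certificates):
    """Weak versus correct client TLS settings for the STARTTLS upgrade.

    With validate_certificates=False the session is encrypted but any certificate,
    self-signed or forged, is accepted, which is the common mailserver behaviour the
    EFF describes; with True the chain and hostname are verified.
    """
    if validate_certificates:
        return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```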

InboxIt App for Android

InboxIt – Share to Mail is an app for Android designed to improve how Android handles sharing links via email, primarily for emailing links to yourself that you want to read later.

There is no need to type your email address, email title or body; InboxIt does it with a ‘single click’.

In addition, InboxIt grabs the website’s image and description for nicer and more readable emails, so there is no more clicking on emails to figure out which article this is. Images and videos are also supported (up to 25 MB).

The premium 99 cent version will also automatically add a +keyword label for sharing to Gmail addresses, which makes it easier to sort these “read later” emails from other emails.

I have a variety of ways to track stuff I want to read later, and tend to email myself links that I need to follow up on in the near future. InboxIt just makes those emails all the more useful.