Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/david_chisnall/statuses/114052519386532483">David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Sunday, 23-Feb-2025 18:38:27 JST</a><a href="https://infosec.exchange/@david_chisnall" title="david_chisnall@infosec.exchange"><img src="https://gnusocial.jp/avatar/241214-48-20240302204654.webp" width="48" height="48" alt="David Chisnall (*Now with 50% more sarcasm!*)" style="position: absolute; left: 0; top: 0;">David Chisnall (*Now with 50% more sarcasm!*)</a><div><a href="https://infosec.exchange/@nieldk/114052491705010851" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/106043" title="nieldk@infosec.exchange">PhreakByte</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@nieldk">@nieldk</a> <a href="https://cyberplace.social/@GossiTheDog" rel="nofollow">@GossiTheDog</a> That tells you that the sending domain has the correct entries, it doesn’t check that the receiver does the right thing for invalid emails.</p><p>For example, when I was at Microsoft, all of the right DNS entries were configured for the microsoft.com domain, but if I sent myself an email via my own mail server claiming to be from a MS email address (invalid sender according to SPF, invalid DKIM signature) it was still delivered (and Exchange helpfully stripped off all of the SMTP headers that would make it obvious that it came from an invalid sender).</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4614424#notice-9037013">In conversation</a><time datetime="2025-02-23T18:38:27+09:00" title="Sunday, 23-Feb-2025 18:38:27 JST">about 9 days ago</time> <span>from <span><a href="https://infosec.exchange/@david_chisnall/114052519386532483" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@david_chisnall/114052519386532483">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: cdn-dynmedia-1.microsoft.com</div><h5><a href="https://www.microsoft.com/">Microsoft – クラウド、コンピューター、アプリ &amp; ゲーム</a></h5><div></div></header><div>ご自宅やビジネスでご利用いただける Microsoft 製品とサービスをご覧ください。Surface、Microsoft 365、Xbox、Windows、Azure などをご購入いただけます。ダウンロードやサポートもご用意しています。</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Sunday, 23-Feb-2025 18:38:27 JSTDavid Chisnall (*Now with 50% more sarcasm!*)
in reply to
- Kevin Beaumont
- PhreakByte
@nieldk @GossiTheDog That tells you that the sending domain has the correct entries, it doesn’t check that the receiver does the right thing for invalid emails.
For example, when I was at Microsoft, all of the right DNS entries were configured for the microsoft.com domain, but if I sent myself an email via my own mail server claiming to be from a MS email address (invalid sender according to SPF, invalid DKIM signature) it was still delivered (and Exchange helpfully stripped off all of the SMTP headers that would make it obvious that it came from an invalid sender).
In conversationabout 9 days ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: cdn-dynmedia-1.microsoft.com
  Microsoft – クラウド、コンピューター、アプリ & ゲーム
  ご自宅やビジネスでご利用いただける Microsoft 製品とサービスをご覧ください。Surface、Microsoft 365、Xbox、Windows、Azure などをご購入いただけます。ダウンロードやサポートもご用意しています。

Public

Embed Notice

HTML Code

Corresponding Notice