Great video! The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think. The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
@@13Cubed just to reiterate: Your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job and before that I was basically a postmaster so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice though so many legitimate messages fail SPF for a myriad of reasons so filter vendors err on the side of accept but be suspicious unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you Office 365.)
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
Nice Experience .Thanks For your kind information.
4 роки тому+2
Again, great video Can you explain how reconnaissance email (not email reconnaissance) the one some APTs use to put an url to verify if the email exists or not without clicking the link? thank you
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
Hey, Thanks for the great video. Lot of cool and needed information. I had a quick question though. How does the MX record and SPF authorised sender differ? I mean can they both be the same too?
@@13Cubed This information was helpful in understanding but I am still unable to decipher the original sender location of an email from a gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
Great video!
The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think.
The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
I appreciate the detailed insight, and will pin this comment.
@@13Cubed just to reiterate: Your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job and before that I was basically a postmaster so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice though so many legitimate messages fail SPF for a myriad of reasons so filter vendors err on the side of accept but be suspicious unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you Office 365.)
@@omniomi Makes sense - thanks!
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
This a fantastic analysis and should be required watching for anyone that analyzes email for a living. Would recommend!
Expecting some Mac Forensics from 13Cubed atleast a start
Best forensics resource I’ve found! You are the man
Superbly broken down and well narrated. Very engaging. Looking forward to more!
Awesome video. Also, you sound like the narrator on The Sandlot which is pretty cool.
This is a life saver. i learned more in 20 minutes then 3 hours reading documentation
Great new video and your explain is awesome... keep going , Thanks
Just came across your channel, great technical article explanation ..... appreciate your work
Thank you for this very clear explanation, indeed one of the best explanations out there. Please continue doing videos like this.
Watching this video led me to subscribe to your channel. Thanks for sharing this and keep up the good work.
Hello sir. make demo how fmem works for capturing linux memory . Thanks
Soo useful video for Email forensic and for common people to safeguard themself from phishing emails. Love the way presented and Thanks a lot :)
thanks! can you share a "hard example" of it that we can practice on
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
@@13Cubed thanks for the quick response, i'll try it
Nice Experience .Thanks For your kind information.
Again, great video
Can you explain how reconnaissance email (not email reconnaissance) the one some APTs use to put an url to verify if the email exists or not without clicking the link?
thank you
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
@@13Cubed Yes Thank you
how to get the ip from a google email??
great video.. very good explain👍👍
Great as always!
Excellent! (as usual). Thank you very much
Nice shirt and yes nice wall.
I am sure this is a simple step I am missing but how do you migrate the email to sublime text for analysis?
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
Thanks for the video...
Does all e-mails should have DKIM?
No, not everyone has configured DKIM, though messages sent from any major email service or company should include DKIM signatures.
Let's hit 20k . Ur vlogs are awesome
Simply great & thanks for sharing.
SPF and DKIM sounded so simple. Great video Richard, as always!!
Good episode and nice office wall ^^
Where do I get that 13 cubed polo? :)
I'm going to be ordering some for giveaway in the next couple of months.
This a a great explanation, really helps with GCFE prep!
I'm taking SANS FOR500 soon - great to know this is relevant to the exam :)
What does a localhost ip mean for the first Received field?
This might help explain: serverfault.com/questions/522066/what-does-this-received-email-header-line-mean
Sir, amazing video :D
this is the best video I have seen on Mail Headers, awesome!
Great, thanks!
Priceless... thank you!
Good one
Hey, Thanks for the great video. Lot of cool and needed information. I had a quick question though. How does the MX record and SPF authorised sender differ? I mean can they both be the same too?
very informative indeed. Loved it.
Thanks
how do criminals spoof email header? Thanks.
Best teacher I have ever come across.
i installed packet control but it dont show up in sublime, why?
i am stock in the beginning phase. help me out
Go to Tools > Command Palette, then look for Package Control, Install Package. Search for "email header" and you should find it.
Can you please suggest some good book to understand Email Security in detail.
Not sure of any books, but plenty of online resources.
I tried this on an email and I don't get anywhere near as much information as you have. Any help would be greatly appreciated. Thanks
What do you see? How are you viewing the headers (e.g. what mail client are you using)?
@@13Cubed This information was helpful in understanding but I am still unable to decipher the original sender location of an email from a gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?
Hey, i tried it with a .msg extension i get the encryption message, am i doing something wrong or missing something.
Tks in advance great video!
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
@@13Cubed Yeah copy pasting works out, thanks!! :)