I set up my own e-mail server a couple of years ago; it was a real pain in the behind to get the SPF, DKIM and DMARC stuff set up just right so that things didn't break. And before anyone asks, to set up an e-mail server you must have a static IP. Dynamic IPs simply don't cut it. Not even with DDNS services.
Setting up your own mail server with a static IP is a great way to learn how the internals work. But it's ongoing maintenance: keeping the mail server fully patched, checking the logs for any weird activity, and figuring out why the e-mails aren't getting through. I own my domain, so I let a third-party company host the mail server and deal with those headaches.
I just paid $10 a month for a server and set up the email part through cPanel.
Shannon, another GREAT video. Even after 25 years in IS/IT I still watch all these videos to see what the new email issues are. Probably 99% fall under the return email address are bogus group, so far anyway. Thanks again!
Glad it was helpful!
One thing I always look out for when someone asks me if an email they received is phishing or not: I tell them, on their desktop, to hover over any links in the email body and look at the URL showing at the bottom of the email client. 90% of the time that is also a telltale sign it's not legit.
Thanks for the info Sailor Moon Shannon 😊
This can sometimes help, but the address you see may sometimes seem legitimate (at least as far as you personally know) even when it isn't. You also run a small risk of accidentally clicking the link. Seeing as there's virtually always some other red flag to look out for, and there's plenty of different checks you can do, even that small risk is probably not worth it.
There's also the notion that if you have to ask whether an email is a phishing attempt, it probably is.
Mahalo, Shannon. I definitely learned about a LOT of new terms; I had to go through your video more than once to absorb it. Your security-oriented videos leave me with a sense of empowerment against the maelstrom of email and other nonsense we all receive. Just KEEP pounding this email security into our brains. We ALL have to defend ourselves against it. Aloha!
I had read once that the bad spelling and grammar in spam are intentional. They weed out the smarter candidates, because no spammer wants to waste their time with someone who's going to be a hard-con.
Thanks for all the great content, Shannon. I'm taking your 30 Days to Security Challenge on your website, and double-checking your channel here for updates.
I know it's going to take me more than 30 days 😂, but I'm doing it. Are there any specific vids here I should check out while going through that challenge? I see a lot are relevant, but being new to this info, I didn't know if there's a "Don't Miss This Video" update. 😊
I have a playlist on this channel for Security and Privacy - so I'd recommend starting there and picking the most interesting ones you'd want to watch. Also congrats on starting this journey! My 30 days to security challenge is so old now, I need to revamp the whole thing!
@ShannonMorse Course idea 💡 Thanks again! 😃
Hi! Someone knew all my recovery emails for Facebook and tried to get me to click on a link to "recover my password" in every single email. My info is on the dark web, including my social, from working for the Air Force, and then they had a breach in their payment system. I have security software that turns off my Bluetooth if an unauthorized device tries to pair/connect with my phone, and my Bluetooth was turned off this morning while I slept in. And not long ago I got a notice from Google that said someone tried to access my Google Photos and they locked them out, and to change my password. The email didn't ask me to click a link so I think it was legit. Your channel is very good and this video will come in handy if they try a more sophisticated attack next time. I appreciate it! Thank you!
Speaking from experience, banks, gov and "enterprise" businesses set up 3rd party relays and mailing services and just "forget" to inform their clients, causing all sorts of "trust me" allow list entries when it comes to DMARC and legacy TLS encryption.
And then, there are email security gateway services like Proofpoint and Mimecast (rare, but it does happen) "accidentally" blacklisting each other's SMTP IP addresses and causing emails to just poof... (dropped).
Everything can go wrong, will go wrong when it comes to email :(
... Oh, and also, I have seen phishing emails using compromised SMTP relays with TLS 1.3 encryption; those are almost impossible to flag. Any compromised link in the "business partner" list can have dire consequences, very problematic in financial institutions.
Trust nothing, verify everything :(
Your content is priceless. You are amazing Shannon! Thank you so much for making the world a safer place with all you are doing!!!!
Thank you so much!
Be suspicious by default! When assessing whether an email is legitimate, make sure you haven't already decided that you want to trust it. Otherwise, you'll look for reasons to justify that decision, and you'll probably find them. Don't fall into the trap of, "Well there could be an innocent explanation for that red flag..." This is probably one of the few times in life when "guilty until proven innocent" is the best approach.
Thanks for sharing. I learned a lot. I look forward to future security topics. Blessings on your day!
I got an email claiming to be PayPal communications, saying I had a message to read. I got suspicious and went directly to PayPal without clicking on a link in the email.
It turned out to be a legit message from PayPal so the email was good.
Fantastic video, Shannon. I learned of some resources that I've never heard of before.
For some reason we should create database for check for fake email and real email using browser ext checker like spam adverting malware that block them by list. As well link checker as I normal check for news from official site email and daily stuff.
Thanks for this. Nothing I didn't already know, but this is a great resource for my technically challenged friends and family.
I use PGP keys whenever I can to secure the e-mails in transit. Facebook can utilize those keys, which is pretty cool. Wish more companies did that.
Are you going to review Proton Pass?
I'm getting emails in my regular box, not my spam box, so it's like a person sending it to a person through my email, and sometimes it has my email, but most of the time it's one to one. It's just weird.
If I did not initiate the communication it is a scam. If it takes place outside of the physical office or the website that I know to be correct, it is a scam. Everything is a scam until proven otherwise. Remember this if you don't want to be scammed.
Nice video Shannon 👍
I have someone trying to scam me and they want me to send $350 to Cash App, and they have the FBI emailing me. How should I go about this?
Hi Shannon, like I mentioned in another video, using your code I got $10 off because I bought 2 YubiKeys!! But I bought these because I thought since this can unlock cell from camera scan vs USB plug into MacBook Air2 fingerprint. I don't want to set up through MacBook with fingerprint to open my wallet, and if I die my daughter knows my wallet password but doesn't have my fingerprint!! Can't I set up YubiKey through MacBook Air2 camera scan?? If so, do you know a safe QR code app that won't steal or store my code to steal my wallet?
How i can create such these messages
A very informative video. Thank you.
Beautiful hair style colours ❤
I got a Google scam about some virus but it was fishy like it had a link.
There's good content here. But just to be safe I tell everyone never click on the link in an email. If you think it's a real message from your bank or a company you do business with, just go to that company or bank using your normal process and look for messages there.
ChatGPT will allow these people to improve their spelling and grammar.
When I started watching, I was thinking "this will be a great video to send to my mom," but in the end this is too complicated of a subject. I can't expect her to check all the possible fields. In the end I think it would just make her more upset and paranoid. Your audience is very tech savvy, so not trying to say this is a problem with the video. Just a very daunting problem.
This video definitely has a specific audience in mind. It's very technical and advanced. But making a simpler email safety video is on my list for y'all!
@ShannonMorse Thank you! Very kind!
Very good explainer!
For me the strategy is simple, because my usage of e-mail is limited - if it's not something I'm expecting, especially if it's a file for download or link to click, it's an automatic delete.
I don't even need to check the header, it's an insta delete. :P
But that's because my personal e-mail usage is super basic... I don't regularly get contacted by people I don't already know, or companies I don't already know. So if you want to get an e-mail through, you are going to have to contact me multiple ways so that I know it's legit. :P
Even if it is coming from some service or portal I use, I just avoid clicking on links or downloading stuff via e-mail anyways... if it's a service I have an account in, I go directly to it instead. I don't even trust what an e-mail has to say until I double check it on an official website.
In any case, there is something in Shannon's explainer that I'm always a bit curious about... shouldn't there be better indicators for e-mails that seem suspect? It's like, you shouldn't have to open up headers and look things up like that, the e-mail client itself should use design and coding to show these things up more prominently.
Oh well... unrelated or perhaps semi-related, I'm waiting to see the new Thunderbird redesign. xD
I get hacker emails (from my own domain) with Received-SPF saying PASS, so that is not a good method. Sorry but it's true. Same deal with DMARC.
Gmail still puts them in the spam folder though.
Hey did you watch the video? Because I covered this! I even gave my own examples and explained that it's not a surefire absolute way to tell.
She went over that in the video
@ShannonMorse Yes, I watch all your great videos. Your example of the product review email was an email flagged as fail when it was legitimate. My case is the opposite, I have emails showing as pass when they are spoofed.
@BrianGlaze She said the tests would pass if the hacker used their own domain, but in my case, the hacker used MY domain (no via). SPF and DMARC were both PASS and it's on Google Workspace.
The gist of the email is "I have hacked your domain and this email proves it". I am 100% sure they haven't hacked my Gmail, but I'm just saying we need something better than SPF and DMARC.
I agree we need something better. That's why I said in the video that it's not a 100% foolproof way to tell and gave other examples of red flags that you can use to determine a fake email on a case by case basis.