Posts by allan wallace

TheRegister:

Feel free to hide this post until you have resolved the issues with your DNS records.

On the subject of SPF:

tescobank.com doesn't have SPF,

tescobank.com DOES have DMARC.(nothing about strictness of aspf or adkim...)

tescobank.com DOES NOT have PCI DSS compliant MX

- thought this was a requirement for a bank?...

theregister.co.uk DOES have SPF - but it's broken: "too many DNS lookups" and two a: mechanisms that point to FQDNs that don't have any A records....

theregister.co.uk DOES NOT have PCI DSS compliant MX

theregister.co.uk DOES NOT have DMARC

forums.theregister.co.uk DOES NOT have DMARC or SPF

openspf.org has a good guide about the 10 dns lookup limit

- near the bit about reducing the risk of DOS attacks.

To fix TheRegister's SPF record, remove the following:

mx

(you don't need this! - your mx are google and you include:_spf.google.com .......)

a:news.theregister.co.uk

(no a record published in DNS)

a:post.theregister.co.uk

(no a record published in DNS)

You could simply use "a" if you wanted to allow future domains without having to publish each individual one, but please remember:

EACH SUBDOMAIN REQUIRES IT'S OWN SPF RECORD.

KEEP -all on the end, it's a good bit.

Have you considered DMARC, DKIM, DNSSEC and DANE?

Would you like a quote?....

- one of my favourites is "lobbest thou thy Holy Hand Grenade"

p.s.

TheRegister's password reset page allows the enumeration of registered email addresses (different message given if email address is not registered....)

- you might want to take a closer look at this too, I think it was a DPA issue, and I'm pretty sure GDPR could say similar.

Re: How times have changed.

Re: "It's still legal to go through rubbish I think."

- it's not been legal for a very long time - have a quote:

"One precedent-setting example from 1877 was the case of a diseased buried pig. According to legal text Archbold's Pleading, Evidence, and Practice in Criminal Cases, even if someone discards something and does not intend to use it again, they can retain ownership of it."

Source:

http://www.bbc.co.uk/news/magazine-13037808

Re: The ideal location

"Not sure what the buckfast could be used for."

Not sure?

- it's rocketfuel!

Re: WTF? / "But if people encrypt their emails then how will GCHQ be able to read them"

DKIM is NOT "encrypting emails" it is simply DIGITALLY SIGNING THEM using a public key.

SPF is (can) say "these servers are allowed to send my emails, everthing else cannot ( -all )

DMARC says "if an email passes SPF and DKIM checks, it's genuine, otherwise do x,y, or z.

The issue with uptake of SPF, DKIM and DMARC is primarily that I.T. people that understand it seem to have difficult explaining it to a layman, or implementing it....

e.g.

www.microsoft.com

not only does your www. lack an SPF record but your DMARC policy at microsoft.com does not contain an "sp=" value, so DOES NOT apply to ANY subdomains of www.microsoft.com

- so you (or a malicious third party) could send emails from any address ending @www.microsoft.com addresses - because they cannot be validated as genuine....

If microsoft added "sp=reject;" to their DMARC record it would fix this. (sp is subdomain policy!)

e.g.2

www.apple.com

is no better - in fact their DMARC record is worse. "p=none;"

(p is "policy - i.e. the primary domain policy - is no policy at all)

e.g.3

www.ubuntu.com is worst.

Letting the side down guys.

With DKIM the emails remain in plain text and the sending server uses a private key to digitally sign the email in such a way that the receiving server can mathematically compare the digital signature against a public key that the sender's domain has published as a TXT record in that domains public DNS records.

If the sending domain also has a strict(ish) SPF record and publishes a DMARC record then those emails can (in some cases) Automatically be validated as genuine.

(DMARC is essentially a policy - published as another TXT record in the sending domain's DNS - that can* provide instructions to the receiving server on how to AUTOMATICALLY handle emails that pass or fail SPF, or DKIM or SPF & DKIM checks. The DMARC policy can also enable a (DMARC compliant) receiving server to report back email successes and failures - i.e. you can find out AUTOMATICALLY if people are spoofing your emails.)

Unlike SPF, DMARC can also apply to a subdomain of the domain at which the DMARC record is stored - as long as the "sp=" modifier is set.

SPF is another matter. If you have a www.something.com A record but DO NOT have an SPF record that matches the name of that subdomain, then there is NO SPF applying to that subdomain and people can spoof your emails..

This is the tip of the iceberg.

Re: Scammed Again

but increased carbon emissions (at least in the form of co2) could lead to global greening - where plant life can grow more efficiently as a result - so surely reducing carbon emissions would have the opposite effect?...

As an example, the carbonatite emissions of the Volcano of Ol Doinyo Lengai in Africa have an interesting effect:

"The carbonatite ash spread over the surrounding grasslands leads to a uniquely succulent, enriched pasture. This makes the area a vital stage on the annual wildebeast beast migration, where it becomes the nursery for the birth of several thousand calves."

http://en.wikipedia.org/wiki/Ol_Doinyo_Lengai

(and whilst I don't always treat wikipedia without a pinch of salt, in this case there is the science to back it up)

Re: Just as well...

"BTI Survival Skills"

- I call them "Books"

Re: A truly amazing device

How very true - some civilisations burnt their libraries, other's merely closed them due to austerity...

Re: Skynet already alive?

yes.

http://en.wikipedia.org/wiki/Skynet_(satellite)