that would've been funny but probably not worth risking criminal charges 😭

Is it really criminal if the CEO says it's a feature of the product? It's being used as intended at that point imo

lol... just lol waw..... I can see it now scam as a service on darkweb 😂😂😂😂😂

​@@easternplatypus The CEO themselves said it was a feature of the service and if domains didn't like it, they could secure themselves via DMARC/DKIM. The CEO essentially gave free reign to spoof their own domain using the service.

Well now the world knows about cloud flare

This

What I truly don't understand is why DMARC passes if SPF "OR" DKIM is passed. So with an AND you would verify that : 1. The correct IP sent you the email (SPF) 2. The correct server signed the mail and that its headers are not tampered with DKIM But no, you can just set it to an OR. But on the other hand, some providers trust ARC as some kind of guarantee that an email is what it pretends to be. Email security is shite. I kind of hope we will one day drop SMTP alltogether and move on to completely different tech.

@@Tetsuo6995 it's fkn dumb💯 I need to re-check what the RFCs say here, but agree 100% about email security. This is what we get when we continue bolting shit onto a protocol from the 1970s whilst shackling ourselves to backwards compatibility. On the other hand, as a pen tester "by design" flaws are the gift that keeps on giving. The only thing which will move the needle on this, sadly, will be an attack which is a) trivial to implement and b) has staggering adverse *financial* impact. Add this to the already-huge pile of "why market forces don't solve everything".

DKIM is hard to get right. SPF is easy.

@@thewhitefalcon8539 I find it's the reverse, but it does vary by mail service/platform. With DKIM you're just creating a keypair, ensuring the mail service uses it when sending, and publishing the DNS record for it. With SPF, you have to ensure there are no more than 10 entries or it becomes useless - so it's a good to a) never use a mail service that can't handle DKIM and b) always use DKIM rather than SPF to authorise third-party mail services to use the domain

The only problem is receivers who don't support DKIM an solely rely on SPF, but I consider this their problem.

(Mail) security is everybody's problem. Breach of a recipient can negatively impact the sender, not to say a million other entities that the breached party has connections with.

At SMTP2GO we had a simmilar issue authenticating email sourced from Salesforce, but fortunately they exposed their customer id in an email header so we used that in combination the the source IP address, Salesforce now support full SASL SMTP authentication.

They really should have done that, but I can also understand the perspective. Since their target market is hosts that don't control the domains and probably use standard control panels like cpanel or directadmin, there's no way to verify the domains with mailchannels out of the box in those panels. Now their customers need to do some kind of custom integration instead of just using them as an SMTP relay with any off the shelf setup they want. Before these authentication protocols email had been spoofable for decades, and for many organizations today it still is. For them, it's simply a tradeoff between ease of customer acquisition, and protection against spoofing between customers. So while I agree with you, I can understand why this wasn't done. Email is insecure in a variety of ways. Hopefully one day we'll get to the point that it's not.

Additional note: I do not have an email server. But if I had, I know who I wanted to be in charge of it.😊

​@@MrMilarepa108 To be completely fair, if whoever is hosting your email isn't aware of this issue, they're not that competent or specialized. I found myself nodding along with almost the whole talk, none of it was really news to me. Email is layers upon layers of stuff, all meant to be backwards compatible. Mailchannels should just really have their customers upload a list of domains they intend to send from, but they're far from the only one that this issue applies to. Email just isn't great for secure messaging in many ways, maybe we'll get there one day :)

You are the One.

the chosen one 😢

You can still just sign up via their website and spoof all domains via their normal SMTP relay. The domain lockdown record addressed a symptom not the root cause (lack of sender identity verification)

domain lockdown?

@@user-ni1fl5dp5v yea i spent like 30min to an hour setting everything up, went to use some of the domains provided in that list and they are all locked down lol.

@@user-ni1fl5dp5v He talked about it at the end, Cloudflare added Domain Lockdown to make sure other Cloudflare Worker users can't send emails from your domain. From what I understand, this issue still affects MailChannel, and with $80 you can spoof every single MC user.

yupp

actually NO@@thegu5 just deploy your own worker and use a different domain ill drop some updated code later to make it 10 times easier

i think they patched it cuz i tried my domain which hasnt any email record and it didnt work@@deancrypto5939

He won't

@@deancrypto5939Where’s the updated code sir ?

Does it work anymore?

you can't put a DNS record on a DNS domain that doesn't exist...

​@@mini_bomba 💯 - or one you don't own/have zone file access

@@mini_bomba Nothing prevents you from putting anything in your public DNS server. It's simply that nobody will contact your server for these records since the associated domain is not registered anywhere. At least that's my understanding. I say that because I think you can prepare in advance some records for a domain you are about to obtain. And when you become the Authority for this domain, your MX, SPF records will start to get hits.

The DNS is controlled by IANA root servers and provisioned by providers like cloud flare and Google, so unless you have access to them or to the end-points’ DNS configuration to point it to you, you’re non-existent domain does in fact not exist within DNS.

7:37

you won't be missed o/ bye

Where can you point me? I tried this and you get domain lockdown if you try to use any of these domains

@@Michael_Jackson187 hey did you find any solution ??? or do you pay 80$ for spoofing other domains ?