3. An SPF Rant

An SPF Rant

Yeah, so, I may actually be the bane of your existence... as I've run a few tests at FIs and flagged the non-use of spf's as an issue... well, the issue was more that I could easily impersonate their internal staff, and get their employees to click/do pretty well anything I wanted on their systems. Hell, you could seriously f-up a FI's daily operations just by mass spamming their users with legit looking emails coming from internal sources -- so even barring the potential loss / compromise of your systems, the time-loss and reputational damage alone of that sort of thing is significant.

I understand that it's a PITA, but cmon.. many organisations have such crap filters that you can send an email to anyone of their employees, as the boss, saying "Click this link or else you're fired". At the very least, you should have that SPF record to stop people from impersonating your internal users... to your other internal users.

There are other ways to go about it, sure. But it basically all boils down to... "What approach you use to solve the problem is up to you. But if you stand up and say 'our setup is impervious to spoofed emails!', and someone comes along, tests your setup, and breaks it easily... then you need to find a new solution". Especially when you're talking about a FI, where staff potentially have access to enough information to steal the identity of literally thousands of people.

Besides, telling an IT professional to maintain an SPF record as part of ... you know.. being an IT professional in charge of email security... is an order of magnitude easier than trying to educate internal users enough to catch well crafted spear phishes. I mean, if you stumble across a site from one of your business partners, and they've let their ssl/tls cert lapse, you'd likely go "Oh man, you all kinda screwed the pooch there eh?", and that dept'd prolly get in some trouble. I reckon a similar line can apply to spfs.

/r/sysadmin Thread
Previous
Next

Recently removed from /r/sysadmin

I know of a crazy vulnerable Exchange server at my old work. What to do? Details inside. Intune Windows LAPS - Configuration Profile Applies Successfully, Yet Nothing Happens...Why? Woman starting in IT next month. Should I be worried or not? How to run a meaningful CyberSecurity Risk Workshop/Assesment Amazon Outage I don't know what I'm doing and I need help What's the point of using BitLocker with TPM instead of password when someone can always access your computer without entering a password on boot? How many of you despise IoT? Onboarding 1200 New Users - how to communicate passwords? Gen Z also doesn't understand desktops. after decades of boomers going "Y NO WORK U MAKE IT GO" it's really, really sad to think the new generation might do the same thing to all of us Modern SQL Express Backup Solution [GA] Employee claims she can't use Microsoft Windows for "Religious Reasons" So I got a "correctional talk" yesterday. Rant about new age "senior" IT "specialists" who don't know how to wipe their butt. Do you think remote work is slowly dying? Most companies seem to be pushing RTO, even big tech you folks think ?

More Random Comments

Anything interesting to do on campus on Fridays? Bullshit Autism Diagnoses bullshit disabilities Gender isn't a fucking spectrum and I'm tired of people stating it like a fact. Blursed kite Unpopular Opinions: Prepare to Downvote and yes, it's about ContraPoints The 2 of Cups is not always a positive card. Does Nicotine completely destroy anybody else’s high?? Sour Sunday I think I’ve inherited my mother’s constant fear of everything - that, or I am so afraid myself that I don’t deserve the life I have so I am bound to lose it. [TW - Death Anxiety] 17f, lets go boys 2 month-lasik post-op: Huge regret Why is Diablo 3 so popular? People of Reddit who have tried drugs of any kind, what is your craziest/funniest story or experience related to them? This is pretty bitchin' “Blacked out”: Today media companies from all over Australia unite in an unprecedented action to fight for press freedoms and the public’s right to know what’s going on in this country