Great video! The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think. The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
@13Cubed4 жыл бұрын
I appreciate the detailed insight, and will pin this comment.
@omniomi4 жыл бұрын
@@13Cubed just to reiterate: Your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job and before that I was basically a postmaster so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice though so many legitimate messages fail SPF for a myriad of reasons so filter vendors err on the side of accept but be suspicious unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you Office 365.)
@13Cubed4 жыл бұрын
@@omniomi Makes sense - thanks!
@jeffp15194 жыл бұрын
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
@krisshaa80794 жыл бұрын
This is a life saver. i learned more in 20 minutes then 3 hours reading documentation
@peterream65084 жыл бұрын
This a fantastic analysis and should be required watching for anyone that analyzes email for a living. Would recommend!
@jackbaylor67374 жыл бұрын
Superbly broken down and well narrated. Very engaging. Looking forward to more!
@TheAnurag694 жыл бұрын
Best teacher I have ever come across.
@zdog34whatnow5 жыл бұрын
Best forensics resource I’ve found! You are the man
@samjohn10985 жыл бұрын
Expecting some Mac Forensics from 13Cubed atleast a start
@abrahamissacjacob40184 жыл бұрын
SPF and DKIM sounded so simple. Great video Richard, as always!!
@gauravkaintura4 жыл бұрын
Just came across your channel, great technical article explanation ..... appreciate your work
@hasky98134 жыл бұрын
This a a great explanation, really helps with GCFE prep!
@sierratango694 жыл бұрын
I'm taking SANS FOR500 soon - great to know this is relevant to the exam :)
@SecureTheWorld4 жыл бұрын
this is the best video I have seen on Mail Headers, awesome!
@mindtropy5 жыл бұрын
thanks! can you share a "hard example" of it that we can practice on
@13Cubed5 жыл бұрын
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
@mindtropy5 жыл бұрын
@@13Cubed thanks for the quick response, i'll try it
@vinaykumar-pn5le4 жыл бұрын
Nice Experience .Thanks For your kind information.
@tehpizzarollz Жыл бұрын
Awesome video. Also, you sound like the narrator on The Sandlot which is pretty cool.
@pedromatos84064 жыл бұрын
Thank you for this very clear explanation, indeed one of the best explanations out there. Please continue doing videos like this.
@saipraveen13824 жыл бұрын
Soo useful video for Email forensic and for common people to safeguard themself from phishing emails. Love the way presented and Thanks a lot :)
@gerardocaudillo19025 жыл бұрын
Great as always!
@annafan835 жыл бұрын
Good episode and nice office wall ^^
@mysketchbook96304 жыл бұрын
Simply great & thanks for sharing.
@jag8314 жыл бұрын
Priceless... thank you!
5 жыл бұрын
Again, great video Can you explain how reconnaissance email (not email reconnaissance) the one some APTs use to put an url to verify if the email exists or not without clicking the link? thank you
@13Cubed5 жыл бұрын
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
5 жыл бұрын
@@13Cubed Yes Thank you
@SuperChelseaSW64 жыл бұрын
Let's hit 20k . Ur vlogs are awesome
@ahmedelhabashi93415 жыл бұрын
Great new video and your explain is awesome... keep going , Thanks
@sulthansk64445 жыл бұрын
Thanks for the video...
@abhijitshetty73384 жыл бұрын
very informative indeed. Loved it.
@lautarob4 жыл бұрын
Excellent! (as usual). Thank you very much
@ciaobello12615 жыл бұрын
great video.. very good explain👍👍
@dhustla154 жыл бұрын
I am sure this is a simple step I am missing but how do you migrate the email to sublime text for analysis?
@13Cubed4 жыл бұрын
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
@beastface51235 жыл бұрын
Where do I get that 13 cubed polo? :)
@13Cubed5 жыл бұрын
I'm going to be ordering some for giveaway in the next couple of months.
@brink6685 жыл бұрын
Nice shirt and yes nice wall.
@Cubear994 жыл бұрын
Does all e-mails should have DKIM?
@13Cubed4 жыл бұрын
No, not everyone has configured DKIM, though messages sent from any major email service or company should include DKIM signatures.
@Deezeone5 жыл бұрын
how to get the ip from a google email??
@ericksonpogs4 жыл бұрын
Watching this video led me to subscribe to your channel. Thanks for sharing this and keep up the good work.
@nitricdx4 жыл бұрын
What does a localhost ip mean for the first Received field?
@13Cubed4 жыл бұрын
This might help explain: serverfault.com/questions/522066/what-does-this-received-email-header-line-mean
@samjohn10985 жыл бұрын
Good one
@SuperChelseaSW64 жыл бұрын
Hello sir. make demo how fmem works for capturing linux memory . Thanks
@sijsu5 жыл бұрын
Great, thanks!
@justingtq134 жыл бұрын
Hey, Thanks for the great video. Lot of cool and needed information. I had a quick question though. How does the MX record and SPF authorised sender differ? I mean can they both be the same too?
@hangmalim65494 жыл бұрын
i installed packet control but it dont show up in sublime, why? i am stock in the beginning phase. help me out
@13Cubed4 жыл бұрын
Go to Tools > Command Palette, then look for Package Control, Install Package. Search for "email header" and you should find it.
@ab8664 жыл бұрын
Can you please suggest some good book to understand Email Security in detail.
@13Cubed4 жыл бұрын
Not sure of any books, but plenty of online resources.
@Drusher103 жыл бұрын
Sir, amazing video :D
@rafaeltrindade18674 жыл бұрын
Hey, i tried it with a .msg extension i get the encryption message, am i doing something wrong or missing something. Tks in advance great video!
@13Cubed4 жыл бұрын
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
@rafaeltrindade18674 жыл бұрын
@@13Cubed Yeah copy pasting works out, thanks!! :)
@D_Tech_And_Trek4 жыл бұрын
how do criminals spoof email header? Thanks.
@DonVTOL4 жыл бұрын
I tried this on an email and I don't get anywhere near as much information as you have. Any help would be greatly appreciated. Thanks
@13Cubed4 жыл бұрын
What do you see? How are you viewing the headers (e.g. what mail client are you using)?
@courtneylyle14544 жыл бұрын
@@13Cubed This information was helpful in understanding but I am still unable to decipher the original sender location of an email from a gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?