Worse, even if you get an email from your Mastodon instance (or ANY web service), an authorized SMTP system could have been hijacked and the link directed to a phishing page, potentially even hosted on a hijacked subdomain.
Layers and layers of caution are required whenever you are prompted to take an unusual action.
https://mstdn.social/@stux/109603992325592066
sтυx🎄 (@stux@mstdn.social)

⚠️ WARNING! ⚠️ I just received this email in a catch-all that was addressed to a user. Mastodon does NOT send such mails and this leads to a malicious login page! Please make sure you are on the correct instance URL before logging in! Also make sure the emails are sent from the instance you are on! Often this email can be found on the /about page #Mastodon

@SwiftOnSecurity Since we're on the topic: what's your take on DKIM and the other DNS-level anti-spoofing measures?
@DataDrivenMD Not much to say; they've reached maturity and work, minus some edge cases. DKIM and SPF should both be made to work redundantly.
@SwiftOnSecurity Thank you. I didn't frame the question well here, but the 3rd post in your thread hit on the topics that I was thinking about but failed to explicitly convey. Very helpful post, thank you.
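The two checks the thread recommends (the first post's "make sure the link goes to your instance" and the DKIM/SPF exchange) can be automated at the mailbox side. The following is an added example, not code from anyone in the thread: it parses a notification email, reads the receiving server's Authentication-Results header, requires that SPF and DKIM not only pass but are aligned with the visible From domain, and flags any link whose host is not the instance or one of its subdomains. The instance domain, the two sample messages and the authserv-id `mx.example.net` are constructed placeholders.

```python
"""Check a notification email against the instance it claims to come from.

Added example; not from the thread. All domains and messages are constructed.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample: legitimate-looking mail, SPF/DKIM aligned with From.
SAMPLE_EMAIL = """\
From: Mastodon <notifications@instance.example>
To: user@example.net
Subject: Confirm your login
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=instance.example;
 dkim=pass header.d=instance.example
Content-Type: text/plain; charset=utf-8

Someone signed in from a new device. Confirm it here:
https://instance.example/auth/sign_in
"""

# Constructed sample: SPF/DKIM pass, but for an unrelated sender domain, and the
# link points at a look-alike host. This is the pattern stux's post describes.
SUSPICIOUS_EMAIL = """\
From: Mastodon <notifications@instance.example>
To: user@example.net
Subject: Confirm your login
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk.example.org;
 dkim=pass header.d=bulk.example.org
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Sign in now:
https://instance.example.login-check.example.org/auth/sign_in
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(value: str) -> dict:
    """Map each method in an Authentication-Results value to (result, domain),
    e.g. {'spf': ('pass', 'a.example')}. The domain is the DKIM signing domain
    (header.d) or the SPF envelope-sender domain (smtp.mailfrom)."""
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are method clauses.
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        dom = re.search(r"(?:header\.d|smtp\.mailfrom|header\.from)=([^\s;]+)", rest)
        domain = dom.group(1).rsplit("@", 1)[-1].lower() if dom else ""
        results[method] = (result.lower(), domain)
    return results


def same_org(host: str, expected: str) -> bool:
    """True if host equals expected or is a subdomain of it. Label-exact, so
    'instance.example.evil.example' does NOT count as instance.example."""
    host, expected = host.lower().rstrip("."), expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def link_hosts(body: str) -> list:
    """Hostnames of every http(s) URL found in the message body."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(body)]


def assess(raw: str, instance_domain: str) -> dict:
    """Apply the thread's checks: From matches the instance, SPF and DKIM pass
    AND align with the From domain, and every link stays on the instance."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "from_matches_instance": same_org(from_domain, instance_domain),
        "spf_pass_aligned": spf_result == "pass" and same_org(spf_domain, from_domain),
        "dkim_pass_aligned": dkim_result == "pass" and same_org(dkim_domain, from_domain),
        "offsite_links": [h for h in link_hosts(body) if not same_org(h, instance_domain)],
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(name, assess(raw, "instance.example"))
```

The second sample is the point of the exchange: a bare `spf=pass`/`dkim=pass` means only that some domain authenticated, so the check insists that the authenticated domain is the one in the From header (the alignment DMARC enforces), and it treats a `pass` for an unrelated domain as a failure. The link check is deliberately label-exact so a host that merely starts with the instance name is still reported.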