101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. Posts can be up to 2048 characters.


#emailsecurity


Proton Mail launches “Newsletters” view — a built-in tool to manage email subscriptions without giving up privacy. 📬

No third-party access, no tracking, no ads. Just a cleaner inbox, on your terms. A welcome upgrade from one of the most privacy-respecting email providers. 🔒✉️

@protonprivacy

proton.me/blog/proton-mail-new

Proton · Take charge of your inbox with Newsletters view | Proton
Proton Mail's Newsletters view helps you manage email subscriptions, organize your inbox faster, and stay in control privately.

No more spam in your inbox! Disposable email addresses are the insider tip for anyone wanting to protect their privacy.

✅ Register anonymously with unknown services
✅ Enter competitions without spam risk
✅ Online shopping without marketing harassment

At mailbox.org, disposable addresses are part of the complete package in standard and premium tariffs.

How it works and why you need it: mailbox.org/en/post/how-dispos

Okay friends, so I’m in the middle of creating a new brand, you may have guessed it, CybersecKyle. I’m going to be building this into Cybersecurity resources, tips, and overall online safety for people.

This will include videos, articles, etc. Still coming up with ideas. Videos will be short form at first: Insta reels, TikTok, YT shorts, etc.

I’m open to suggestions!

Be on the lookout for more news. I’ll be posting the social accts once I have them ready.

⚠️ Phishing threat: Attackers exploit Google Sites + DKIM to bypass trust filters 🕵️‍♂️🔗

This new phishing campaign is dangerously convincing:
📧 Spoofed emails come from no-reply@google.com
🔗 Links lead to fake support pages hosted on Google Sites
🔐 DKIM passes — making them look authentic
🎯 Goal: steal user credentials in a Google-like login flow

🛡️ Security teams should:
🔍 Train users to inspect links & headers
🔐 Enforce MFA
🚫 Flag suspicious messages — even if they appear “from Google”

#CyberSecurity #Phishing #EmailSecurity #DKIM #GoogleSites #security #privacy #cloud #infosec
thehackernews.com/2025/04/phis

The Hacker News · Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Phishers abused Google Sites and DKIM replay to send valid-signed emails, bypassing filters and stealing credentials.

⚠️ Phishers have found a clever way to spoof Google — and their emails pass all security checks.

A new DKIM replay phishing attack abuses Google’s own OAuth infrastructure to send fake messages that look 100% legitimate, including passing DKIM authentication.

What happened:
- A phishing email was sent from “no-reply@google.com”
- It appeared in the user’s inbox alongside real Google security alerts
- The message linked to a fake support portal hosted on sites[dot]google[dot]com — a Google-owned domain
- The attacker used Google OAuth to trigger a real security alert to their inbox, then forwarded it to victims

Why this matters:
- DKIM only verifies the headers, not the envelope — allowing this spoof to work
- The phishing site was nearly indistinguishable from Google’s actual login portal
- Because the message was signed by Google and hosted on a Google domain, it bypassed most users’ suspicions
- Similar tricks have been used with PayPal and other platforms, raising broader concerns

Google has since acknowledged the issue and is working on a fix. But this attack is a reminder:

Even the most secure-looking emails can be fraudulent.
Even Google-signed emails can be weaponized.

🛡️ At @Efani, we advocate for layered defense — because no one layer is ever enough.
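A small triage script for the header-versus-envelope point made in the post above. This is an added example, not code from Efani or The Hacker News; the message it inspects is constructed (not a real capture), and the helper names `parse_dkim_tags`, `domain_of` and `triage` are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample (not a real message): the DKIM d= domain agrees with
# the From: domain, so the signature is "aligned", yet the envelope sender
# recorded in Return-Path belongs to somebody else, which is what a
# forwarded or replayed signed message looks like at the receiving end.
SAMPLE = """\
Return-Path: <bounce@relay.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:date; bh=dGVzdA==; b=c2lnbmF0dXJl
From: Security Alerts <no-reply@example.com>
To: victim@example.org
Subject: Security alert
Date: Mon, 21 Apr 2025 10:00:00 +0000

Sign in to review this activity.
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        part = part.strip()
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Compare signing domain, From: domain and envelope domain of one message."""
    msg = email.message_from_string(raw_message)
    dkim = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    signed_headers = sorted(
        h.strip().lower() for h in dkim.get("h", "").split(":") if h.strip()
    )
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    signing_domain = dkim.get("d", "").lower()

    findings = []
    if signing_domain and signing_domain == from_domain:
        # d= matches From:, so DMARC's DKIM alignment is satisfied.
        findings.append("dkim_aligned_with_from")
    if dkim and "return-path" not in signed_headers:
        # DKIM covers listed headers and the body, never the SMTP envelope.
        findings.append("envelope_not_covered_by_signature")
    if envelope_domain and envelope_domain != from_domain:
        # Envelope sender from another domain: forwarded, relayed or replayed.
        findings.append("envelope_domain_differs_from_from")
    return {
        "from_domain": from_domain,
        "signing_domain": signing_domain,
        "envelope_domain": envelope_domain,
        "signed_headers": signed_headers,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The mismatch finding is a triage signal, not a verdict: mailing lists and legitimate forwarders rewrite the envelope sender too, so it is a reason to look closer at a "signed by Google" alert, not a reason to block on its own.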

Scammers set up domains with instructions to ignore email security failures on their emails via a DMARC record and Google et al. deliver their obviously dangerous spam to you. I thought, "how stupid" to create a security system so easily disabled.

But, I realize it was NEVER designed to protect YOU from spam. It has ONE purpose. Protect corporations from being spoofed. Period. They set their DMARC to reject or quarantine emails from their domains that fail security. It works perfectly for this and ONLY this. They are protected. You, not so much, but you are not their concern.

It could have been easily expanded to kill spam by not allowing the checks to be ignored, but why should they? They are protected. Common attitude today by too many people.

Am I wrong?
#CyberSecurity #EmailSecurity

📚 More security for digital education: how oncampus ensures reliable e-mail communication with @mailbox_org

When oncampus struggled with e-mail delivery problems in 2021, one thing became clear: a secure, reliable solution was needed.

With mailbox.org, the e-learning provider found a GDPR-compliant partner that solved its spam problems and guarantees data protection in German data centres. The whole success story here: mailbox.org/de/post/e-mail-sic

📩 Your emails are leaking your IP—and you might not even know it.

Most email clients embed your real IP address when sending messages. That means:
❌ Your location is exposed
❌ Recipients (or attackers) can track you

✅ Fix it:
✔ Use ProtonMail, Tutanota, or Skiff (no IP leaks)
✔ Send emails via Tor or VPN
✔ Disable remote content loading

📌 Your email shouldn’t be a tracking tool. Lock it down.

My latest "Bringing PGP to the 21st Century" update:
I’ve set up WKD for all my "public-facing" identities, with both direct and advanced methods working across the relevant domains. I’ve also uploaded all my keys to Keybase, OpenPGP, and Ubuntu keyservers. I even generated a QR code with the openPGP4FPR URI scheme: openpgpkey.accioly.social/

PGP experts, am I missing anything?

openpgpkey.accioly.social · Anthony Accioly PGP Keys
Anthony Accioly's PGP key and QR code for secure communication.
#WKD #PGP #OpenPGP

Important reminder, if you own a domain name and don't use it for sending email.

There is nothing to stop scammers from sending email claiming to be coming from your domain. And the older it gets, the more valuable it is for spoofing. It could eventually damage your domain's reputation and maybe get it blacklisted, unless you take the steps to notify email servers that any email received claiming to come from your domain should be trashed.

Just add these two TXT records to the DNS for your domain:
TXT v=spf1 -all
TXT v=DMARC1; p=reject;

The first says there is not a single SMTP server on earth authorized to send email on behalf of your domain. The second says that any email that says otherwise should be trashed.

If you do use your domain for sending email, be sure to add 3 records:
SPF record to indicate which SMTP server(s) are allowed to send your email.
DKIM records to add a digital signature to emails, allowing the receiving server to verify the sender and ensure message integrity.
DMARC record that tells the receiving email server how to handle email that fails either check.

You cannot stop scammers from sending email claiming to be from your domain, any more than you can prevent people from using your home address as a return address on a mailed letter. But, you can protect both your domain and intended scam victims by adding appropriate DNS records.

UPDATE: The spf and the dmarc records need to be appropriately named. The spf record should be named "@", and the dmarc record name should be "_dmarc".

Here's what I have for one domain.

One difference that I have is that I'm requesting that email providers email me a weekly aggregated report when they encounter a spoof. Gmail and Microsoft send them, but most providers won't. Since most email goes to Gmail, it's enlightening when they come.
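The record checks described in the post above, written out as a small validator. This is an added example rather than anything the poster published; it takes the TXT values as plain strings (the sample records are constructed, so nothing queries DNS), covers SPF and DMARC only (DKIM records live under a selector name the post does not give), and the function names `mech_name`, `check_spf`, `parse_tags`, `check_dmarc` and `assess_domain` are assumptions for illustration. It goes slightly beyond the post by also flagging `?all`/`+all` and a missing `rua=` reporting address.

```python
# SPF mechanisms that name a sending source (as opposed to the final 'all').
SOURCE_MECHS = {"ip4", "ip6", "a", "mx", "include", "exists"}


def mech_name(term):
    """'include:_spf.example.net' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name.lower()


def check_spf(record, sends_mail):
    """Problems with the TXT record at the domain apex ('@')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = terms[1:]
    problems = []
    if not sends_mail:
        # A domain that never sends should authorize nobody at all.
        if [m.lower() for m in mechanisms] != ["-all"]:
            problems.append("a non-sending domain should publish exactly 'v=spf1 -all'")
        return problems
    all_terms = [m for m in mechanisms if mech_name(m) == "all"]
    if not all_terms:
        problems.append("missing 'all' term: unlisted servers are not rejected")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in ("+", "?"):
            problems.append(f"'{qualifier}all' lets any server pass; use -all or ~all")
    if not any(mech_name(m) in SOURCE_MECHS for m in mechanisms):
        problems.append("no sending sources (ip4/ip6/a/mx/include) are listed")
    return problems


def parse_tags(record):
    """Parse a 'k=v; k=v' record such as DMARC into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(record, sends_mail):
    """Problems with the TXT record at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= tag missing or invalid (none, quarantine or reject)")
    elif policy == "none":
        problems.append("p=none only monitors; mail failing both checks is still delivered")
    elif not sends_mail and policy != "reject":
        problems.append("a non-sending domain should use p=reject")
    # rua= is how you ask receivers for aggregate reports on spoofing attempts.
    if sends_mail and "rua" not in tags:
        problems.append("no rua= address, so you will never see aggregate reports")
    elif "rua" in tags and not tags["rua"].startswith("mailto:"):
        problems.append("rua= must be a mailto: URI")
    return problems


def assess_domain(records, sends_mail):
    """records maps the record name ('@' or '_dmarc') to its TXT value."""
    return {
        "spf": check_spf(records.get("@", ""), sends_mail),
        "dmarc": check_dmarc(records.get("_dmarc", ""), sends_mail),
    }


# Constructed records (not real domains): the post's parked-domain pair,
# a sending domain done properly, and a weak setup for contrast.
PARKED = {"@": "v=spf1 -all", "_dmarc": "v=DMARC1; p=reject;"}
SENDING = {
    "@": "v=spf1 include:_spf.mail.example.net -all",
    "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}
WEAK = {"@": "v=spf1 a mx ?all", "_dmarc": "v=DMARC1; p=none"}

if __name__ == "__main__":
    for label, recs, sends in (("parked", PARKED, False), ("sending", SENDING, True), ("weak", WEAK, True)):
        print(label, assess_domain(recs, sends))
```

To run it against a live domain, fetch the TXT records at the apex and at `_dmarc.<domain>` with your resolver of choice and pass them in as the `records` dict; the checks themselves never touch the network.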

Sharing some technical details about how I'm setting up the hosted email service. It will not be a service of BSD Cafe but tied to my own business.

It will run entirely on BSD systems and on bare metal, NOT on "cloud" VPS. It will use FreeBSD jails or OpenBSD or NetBSD VMs (but on bhyve, on a leased server - I do not want user data to be stored on disks managed by others). The services (opensmtpd and rspamd, dovecot, redis, mysql, etc.) will run on separate jails/VMs, so compromising one service will NOT put the others at risk.

Emails will be stored on encrypted ZFS datasets - so all emails are encrypted at rest - and only dovecot will have access to the mail datasets. I'm also considering the possibility of encrypting individual emails with the user's login password - but I still have to thoroughly test this.

The setup will be fully redundant (double MX for SMTP, and a domain for external IMAP access that will be managed through smart DNS, which will distribute the connections on the DNS side and, in case of a server going down, will stop resolving its IP, sending all the connections to the other). Obviously, everything will be accessible over both IPv4 and IPv6 and in two different European countries, on two different providers. Synchronization will occur through dovecot's native sync (extremely stable and tested).

All technical choices will be clearly explained - the goal of this service is to provide maximum transparency to users on how things will be handled.

#BSD #FreeBSD #OpenBSD

"🚨 #RoundCubeUnderSiege - CISA Alerts on Roundcube as a frequent attack vector. 🚨"

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a vulnerability in the RoundCube webmail software. Attackers are leveraging this flaw to execute arbitrary code on vulnerable servers. This Medium vulnerability, identified as CVE-2023-43770 (CVSS score: 6.1), allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior on Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. 🔐💻

Tags: #CyberSecurity #CISA #RoundCube #EmailSecurity #VulnerabilityManagement #PatchManagement #ThreatIntelligence #InfoSec

Source: Cisa.gov