PSA: Protect Your Email with DMARC

In the last few months, I’ve seen an uptick in spoofed emails being sent with my own personal email domain. Not only is this extremely annoying, but more problematic is that recipients receive spam and phishing emails from what seems to be my personal mail account, simply by spoofing the From address. I don’t know why my domain and email address have been “chosen” for this, but I guess this is fallout from the LinkedIn breach way back in 2012.

I didn’t think there was much I could do about this, but a recent tweet by my friend Per Thorsheim sent me down the rabbit hole.

So, obviously there are options available to me that I was completely unaware of. I haven’t managed any public facing email services for 6-7 years, so I’ve not kept up with whatever has been happening in that particular space. Also, my personal email domain has been hosted by Google since 2008, so I haven’t really managed that either. Set and forget, right? Well, not quite.

So, what is this DMARC thing? It stands for Domain-based Message Authentication, Reporting & Conformance, and it is a way to validate that emails from a given domain are being sent through one of the valid mail servers configured for that domain. In order to use DMARC, you first need to have Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configured for your domain.

Here are the resources I used to get all of this configured for my domain:

  1. Configure SPF records to work with G Suite
  2. Authenticate email with DKIM
  3. Add a DMARC record
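The DMARC record itself is a single DNS TXT record at `_dmarc.<yourdomain>` made of `tag=value` pairs. The following is an added example (not part of the original post or of the linked Google guides) that parses such a record and flags the settings that leave a domain unprotected, checking a weak monitoring-only record beside a reject record. The record strings and the `example.com` domain are constructed for illustration; the tag rules follow RFC 7489.

```python
"""Sanity-check a DMARC DNS TXT record before publishing it.

Added example; the records below are constructed, not real DNS data.
"""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict plus tag order."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
        order.append(key)
    return tags, order


def check_dmarc_record(txt, domain):
    """Return a list of human-readable issues; an empty list means the record is solid."""
    issues = []
    tags, order = parse_dmarc_record(txt)

    # RFC 7489: v=DMARC1 must be present and must be the first tag,
    # otherwise receivers discard the whole record.
    if not order or order[0] != "v" or tags.get("v") != "DMARC1":
        issues.append("record must start with v=DMARC1 or receivers ignore it")

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        issues.append("p= is required and must be none, quarantine or reject")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")

    # pct defaults to 100; anything lower applies the policy to only a sample.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append(f"pct={pct} is not an integer between 0 and 100")
    elif int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail")

    # Without rua= no aggregate reports are ever sent, so you fly blind.
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports will arrive")
    else:
        for uri in tags["rua"].split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:"):
                issues.append(f"rua entry is not a mailto: URI: {uri}")
                continue
            report_domain = uri.split("@", 1)[-1]
            if report_domain.lower() != domain.lower():
                # Reports to another domain only flow if that domain publishes
                # <domain>._report._dmarc.<report_domain> (RFC 7489 section 7.1);
                # hosted analyzers normally do this for you, but verify it.
                issues.append(
                    f"rua points at {report_domain}; confirm it authorizes reports for {domain}"
                )
    return issues


# Constructed records: a monitoring-only record beside the one you want to end up with.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, check_dmarc_record(record, "example.com") or "OK")
```

Starting with `p=none` and a `rua=` address is the usual first step so you can read reports before enforcing, which is why the check reports `p=none` as an issue rather than an error: it tells you the record is not yet doing the job the post describes.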

Less than 24 hours after configuring everything, I received my first DMARC Aggregate Report, which is basically an XML file showing what has been going on.

Since this file is a bit hard to read on its own, I uploaded it to DMARC Analyzer, and even though I knew a lot of email was being sent with my email address as the reply-to address, I was quite surprised to see that in less than 24 hours after I set up the DMARC DNS records, a total of 295 emails had been rejected by mail servers all over the world, most of them sent from mail servers in Vietnam. I do not send 295 emails a day with my personal email account, and absolutely none of them from Vietnam. In fact, during the time-frame of this initial aggregate report, I sent zero emails – as seen in the screenshot from the report.
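If you would rather read the aggregate report yourself than upload it to a third-party analyzer, the XML is simple enough to summarise with the standard library. The following is an added example, not code from the post or from DMARC Analyzer: it parses a constructed report that follows the RFC 7489 aggregate-report schema and totals the rows by disposition and by sending IP. The reporter name, report id, IP addresses (documentation ranges) and counts are all invented.

```python
"""Summarise a DMARC aggregate (RUA) report by disposition and source IP.

Added example with a constructed report; real reports arrive zipped
by email from each receiving mail provider.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: two unauthenticated senders that got rejected and
# one legitimate message that passed. Nothing here is real traffic.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>175</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Extract the published policy and one flat row per <record>.

    Reports are third-party input; ElementTree does not resolve external
    entities, and defusedxml is a stricter drop-in if you process many of them.
    """
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    report = {
        "reporter": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "begin": datetime.fromtimestamp(int(meta.findtext("date_range/begin")), tz=timezone.utc),
        "end": datetime.fromtimestamp(int(meta.findtext("date_range/end")), tz=timezone.utc),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return report


def summarize(report):
    """Total messages per disposition and list the IPs that failed both SPF and DKIM."""
    by_disposition, unauthenticated = Counter(), Counter()
    for r in report["rows"]:
        by_disposition[r["disposition"]] += r["count"]
        if r["dkim"] != "pass" and r["spf"] != "pass":
            unauthenticated[r["source_ip"]] += r["count"]
    return {
        "total": sum(by_disposition.values()),
        "by_disposition": dict(by_disposition),
        "top_unauthenticated": unauthenticated.most_common(),
    }


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rep['reporter']} {rep['begin']:%Y-%m-%d} to {rep['end']:%Y-%m-%d}, p={rep['policy']}")
    print(summarize(rep))
```

The `top_unauthenticated` list is the part worth watching: those are the IP addresses sending mail with your domain in the From header that neither SPF nor DKIM vouched for, and the `by_disposition` totals tell you whether receivers actually rejected them or merely reported them because the policy is still `p=none`.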

I have now configured my DMARC DNS TXT records to send reports directly to DMARC Analyzer, and I’m looking forward to seeing how these numbers add up over time. I’m currently on a free trial plan, and looking to evaluate which of the available DMARC analyzers out there I want to use permanently.

At least now receiving email servers have a fighting chance of rejecting fake emails from my domain, since it’s now possible to verify that they are sent through a valid source.

Even if you don’t have problems with someone spoofing your email addresses, please spend 10 minutes configuring this for your domain as well. You never know when something like this might occur, and it’s better to build your defences before you get attacked. That way you stand a chance of stopping it before it gets as ugly as it did in my case.

And Per, you are a gentleman and a scholar. Even if I did manage to investigate and set this up on my own, cake and coffee is still on me!

Let's Be Blunt: It’s Time to End the Add-on Insanity

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

This quote is from Brian Krebs, who very rightfully goes on to advise that everyone “please consider removing or at least hobbling this program.” Now, that is fine for the most part. I mean, who really needs Adobe Flash these days? Don’t most services we use have other methods of handing us the content we want? The Apple iPhone doesn’t have Adobe Flash, so why do we need it on our laptops?

The fact is that most end users probably don’t need to have Adobe Flash installed any more, but a lot of us sysadmins do. Why? Well, in my world one major culprit is the VMware vSphere Web Client. The Web Client has gotten its fair share of ill-repute over the last few years, but the latest edition in vSphere 6 is pretty responsive and quite pleasant to use. That’s until you contemplate that it still needs Adobe Flash installed on the client. The same goes for any other admin interface that requires Adobe Flash, or even Java for that matter.

Any administrative interface that requires a browser add-on to work should be bagged, kidnapped, flung in the back of a van and driven off somewhere never to be seen again. Sure, I understand that it’s no easy task to rework all of these interfaces, and it takes real effort by skilled people. But please, please make it happen as soon as possible, and retrofit it into your existing systems – don’t keep those stuck on older releases hanging, and only provide a solution for the latest and greatest version.

While we as admins and consultants are used to having to patch our systems and keep current, please help us limit our own attack surface by removing requirements for add-ons and “special juice” just to be able to administer the solutions we depend upon to keep our businesses running. That can’t be too much to ask, can it?

Installing and running VMware Compliance Checker for vSphere

The first version of the new VMware Compliance Checker for vSphere tool is now available for download.

VMware Compliance Checker for vSphere lets you scan your ESX and ESXi hosts for compliance with the VMware vSphere hardening guidelines to make sure your hosts are properly configured. It also lets you save and print your assessment results, so you can track your compliance level over time, or use them as documentation for internal audits.

Installing VMware Compliance Checker for vSphere

After downloading the VMwareComplianceCheckerForvSphere.msi, installing is done in a matter of seconds, using the all too familiar “click Next to continue” Windows installation routine. The tool is Windows only at this point.

The tool is Java based, so the client machine you run it on needs to have Java installed locally before you can use it.

Running a Compliance Scan

Running a compliance scan is very easy. Start up VMware Compliance Checker for vSphere and point it towards either an ESX/ESXi host or your vCenter installation.

The tool runs for a while, and in the end you’ll be presented with a nice HTML based report highlighting all your compliance shortcomings!

Impressions/Conclusion

VMware Compliance Checker for vSphere looks like it can be a valuable tool to add to your vAdmin tool-belt. In its first version it does a good job of identifying potential issues with your environment. As far as I can see, William Lam’s Perl based vSphere Security Hardening Report Script does more extensive checks for now.

The vSphere Security Hardening Report Script also has a couple of other advantages: one is that it’s operating system agnostic (since it’s Perl based), and another is that, since it’s written in a scripting language, you can set up automated cron jobs that perform the scanning for you. As far as I can see the VMware tool is missing the ability to schedule scans, which is something I really hope VMware will add to it in the not too distant future.