Well this video ended up being way longer and way more work than I thought (I believe it’s the longest serious video I’ve ever made). Be sure to like it because if it flops I'm going to stick my head in the Large Hadron Collider
Wanna know what you do? Get a font that only has the a-z characters, and also a couple other important ones like 0-9 and some important symbols. Then set a fallback font to make the email address super obviously not latin characters. This is how you COULD do it.
sorry but I'm the speaker of a language that doesn't use a Latin script so that obviously wouldn't work for me so what do I do I copy the text, split it into characters using Node.JS and convert them into Unicode codes if any of the symbols is greater than 255 then that's obviously not an ASCII character
I use a programing font for normal viewing that makes all characters VERY clearly distinctly different. so Capital O and the number ZERO and Lower Case L and the number ONE can never be confused. When I get a weird email I switch to a special "hand writing / cursive font" that looks really nice (but the author of the font did not do every single font just the standard ASCII. Any non-ASCII jumps out like a sore thumb.
You mean a font that only allows the basic 128 ASCII characters then a fallback font that highlights everything else red or something? Seems like a good idea.
I have found my group of friends here I guess. You basically distilled the entire video in one sentence! Email is dinosaur technology. It's like governments making new currency designs when most people use digital payment systems. Pointless!! XD
Yes, last week. I kept getting a message saying they were from Netflix and they were going to cancel my account if I didn’t update my address. Funny thing is I don’t have an account with Netflix
I actually got one of these the day after I signed up for Netflix so I thought it was real. Bitwarden saved me though because I became suspicious when it didn't recognize the website that asked me to login.
Maybe it's a Nigerian price giving you a free Netflix account. I won the coca cola lottery and my money should be arriving in a few days. I paid them some legal tax fees or whatever for this, but who cares... Soon I'll be rich and a top G.
@@trixonx I am actually a very attractive female top model and I am so attracted to your lottery winnings but also true love. I also want to share my crypto earnings with you or something.
This video is extremely informative, extremely well done, and is the kind of video that can make a difference for a lot of people. Thanks Joe, well done.
I've been tracking spammers since the 1990s, and this video definitely covered the bases without getting too hairy for most folk. This can be an intimidating task, so simple straightforward examples are key and should cover most such threats. Good coverage of caveats, too. There are so so many angles, and limitations, so those this-but caveats are important. Something can look clean, but still fail the sniff test (BS Meter). Great job!
@@mikeowens6291 no, most email users do not get it. I work with reasonably technical people who have difficulty with some of the concepts. The engineers and senior sysadmins understand, of course, but lots of others can only grasp most of it. The lay people, on the other hand, don't even understand the idea of other typesets. They understand that Kanji is clearly different, but visually nearly identical characters mixed with English is a step too far to grasp. Many of these are older folk, often retired, all with degrees of various levels, one even a retired programmer for Wells Fargo. People come in all shapes and sizes, and their ability to grasp rises and falls with professional standing and life stage. It's just how things are.
One of the best defences against such scams is to have several email addresses - one that only your friends and family have, another for your bank, a third for well known suppliers and trusted companies and several throw away ones that you only give out to folk that you don't really trust. (You can make this easy by using forwarding on them, so that you don't have to log on to several servers.) Then when you get an email from "your bank" about an apparent problem with your account (already highly unlikely) and it arrives on one of your throw away addresses, you know immediately that it's fake because you don't use that email address for banking,
The sad part is that anyone who can follow your entire presentation without their eyes glazing over was already capable enough of avoiding scam email. It is simply too complex for average email users to keep in their heads.
Sadly and having been in IT since 1982 and taught security plus I admire what ThioJoe is doing - I could not agree with you more. Most people are handicapped by the complexity of a system that is so handicapped because due to its complexity and is getting worse.
The fact that there needs to be a 30 minute video explaining all of this tells me that these big tech companies have some interest in not protecting their users. Most, if not all of this, seems like checks that could be built into our email clients fairly easily.
Don't attribute to malice what can be easily explained by stupidity or incompetence. There's not enough (market) pressure on them to offer a good security UX, so they don't, because it costs development time, which is also money.
If end users have to know this stuff then 2 things: 1) we should have jobs with these companies doing development or security. & 2) it saves the company money so they dont have to hire developers, security, IT people, or more customer svc reps to handle these issues. We do it for them for free. And content creators get paid to talk about it all, see everybody's happy. 🎉😂😊😊😊
It is getting to the point that flying to the sender and visiting them in person might actually be easier than exercising this level of scrutiny for every one of the hundreds of emails that show up every morning.
The idea is to run these checks when you come across something fishy, not for every email you receive. Problem is that what's shown here is pretty much all specific to gmail. (Thunderbird is my client software, and it's not even mentioned.) I check the full header when in doubt; it's mostly gibberish but the domains do stick out, and in my experience you'll find the usual suspects (.in .ru .cn .bg etc.) if it's spam or a scam.
I have a Gmail account and the vast, vast majority of junk mail goes into the spam folder without me even seeing it. Perhaps you need a new email provider?
@@davidschofield5194 The hackers keep on top of the improvements and figure out ways to get around them. ( off topic, because it wasn't through email:) You can know computers inside out and still get scammed - Steve Wozniak got scammed of thousands of dollars in bitcoin a few years ago.
Wow man, You really did your homework on this one huh? 😁 I wanna say I am really thankful you are taking the time to make Videos like this, because there are SO MANY Tech people out there teaching people how to hack and scam, (I think just to they can Create the "Problem" so then THEY can become the "Solution") and no one is Teach people how to Defend themselves from these Hackers. I'm really glad you are fighting the good fight here man. Thanks!
Facinating - but so much information that at the end I just said “What’d he say?” It’s a difficult subject, and I think there’s a real opportunity for someone to incorporate these logic tree steps into mail clients.
This is great , as a person who used to play with other companies open SMTP gateways for fun this is interesting, but they have tightened up the rules now with these SPF/DKIM and DMARC records. Thank you for this as it was fun to get a refresher for SMTP.
I try to pass this knowledge on to the users in my company. But in the end, I just end up telling them "don't click on links or attachments in email" Only if they were expecting something from someone they have personally spoken to.
Normal person: just checks if the email makes sense and doesn’t click on the link and goes to the website directly ThioJoe: Makes a 30 minute investigation and reports them to the FBI
In my country they don't give a damn except if they achieved to still from you ... Had even local scammer who came at my home for fake "meldew" detection and police didn't investigate. If I had give them money they would had start an investigation in the bottom of the criminal cases because it's not a violent crime ... so maybe 10 years laters tehy would had started the case.
Arrrr!! but sadly us 'normals' are on the decline, normality as checking the road three times before crossing was once a very normal and very sensible thing to do. So often I now see mainly young people with their nose in their mobile who just walk into a road with traffic and then screen and shot at a driver who has had to slam on their breaks and the pedestrians truly believes the driver is in the wrong. The same goes for people reading their emails who now instinctively as they do walking and looking at their mobiles click onto hypertext. Sadly, the day of 'normals, will soon be no more.e
Corporate Email Security Professional here. Possibly the best attempt at an explanation I've seen trying to bring the subject down to a general computer-user level, although I expect plenty of heads will still explode :-) Not perfect mind you, there's some nitpicking to be had in the weeds, but nothing of consequence for your viewers. I was impressed that generally when I heard something and went "ahhh, that's a problem/wrong because..." within a minute or two you had covered that case.
I remember the time in 7th grade where my language arts teacher got a typical phishing email, and he printed it out and made copies for us to pass around so we know what those emails look like generally and to never listen to them
I have long been annoyed that email software doesn't easily and prominently show the actual email address of the sender and reply-to. Some only show the alias and not even the email address! Shameful because they know full well that this aids scammers. Definitely learned a number of things from this video and am now even more annoyed that email software doesn't make this easier.
As mailserver admin, overall a solid video. I do think it's a bit...weird to show the "X% of domains use SPF" statistic when the absolute majority of domains have never and never will send mails. Most people outsource their mails to providers nowadays, because, as you've shown brilliantly in this video, email is a pain.
Honestly, you have to carefully look at the email. There are other ways to spot that the email is fake, such as who they are addressing to (sir/madam), grammar, punctuation, etc. You covered a lot about gmail pretty well!
Actually in outlook, if you just hover the mouse over each sender in the inbox, it will show you who the real sender is. So if the return email doesn't match the actual sender, then you know its a phishing email without ever having to open it.
Also, after you open the email, select File - Properties. Lots of interesting information. (Have to make sure you aren't automatically downloading images, before you open the email)
Also, in Outlook, I have found that using the "RULES" feature helps to keep the repeat offenders away. It's a pain to set up an exclusion rule for each of the dozens of bad players per day the first time around, but after a while you will notice that you don't get "re-visited". It IS useful. Also, for some reason, most spam (for me) originates from Gmail. I tried setting up a rule to exclude any mail from Gmail, but that backfired. I now create a rule for each jerk who sends their trap-laden tripe my way.
*Joe, I thank you for explaining the difference between cyrillic "a" and latin "a." in a comment below, and I am paraphrasing, most of us know not to get involved with spoof emails, although I do report spoofs, for instance, from my bank. I have no idea what they can do with the knowledge; I just feel like a good scout for doing it*
SPF and DKIM do authentication only, they don't provide any enforcement. That is what DMARC is for. Also, FYI, by default, O365 Enterprise tenants are configured to softfail regardless of what a domain's DMARC record is configured for. You have to enable full DMARC compliance if you want it configured that way. From the domain owners perspective, DMARC also provides a statistical and forensic mechanism so you can not only prevent unauthorized senders from using your domain, you can collect statistical information from email relays on the internet that lets you know how many emails "sent" from your domain are legitimate vs spoofed and which email servers are trying to spoof your domain. These statistics enable you to calculate a DMARC compliance rate which can tell you if someone is attempting to use your domain maliciously.
Man, this was a thoughtful and well put together presentation. I can't wait to get lazy, get scammed, and then go back to do these tests on the phishing email that got me and say "....yup, there it was, all along. 😑"
This was very in-depth. Thank you. My father, who is 72 years old, fell for a phishing email. Fortunately I noticed it just a few minutes later, and had him cancel his card, and change is email password. That could have been bad.
Nice video! I set up my own mail server domain with DKIM, DMARC and SPF (-all!). But I guess I'll watch this video every year now just as a refresher, it's so hard to remember what each of these are doing. Thanks!
A great tip for everyone is when you get a email that claims it's from Paypal or something they will always address you with the name you put in the account not your email address which is Another clear hint it's not from the actual company I noticed that from some Paypal emails when trying to sell something
Agreed, salutations like "dear customer" and "dear client" are basically code for "we have no idea who you are" That said, I recently received a fake email that addresses me by my actual name. I knew it to be fake as it purportedly came from a company that would have no reason to know either my email address ot my name. Lesson learned: don't assume I am. Skeptical enough.
Paypal emails several times in the kast couple of days. Only one had my real email but I don't use ir even like PayPal so I knew it wasn't from them .They said i had a money request from people not known to me but yhey are trying to say send $599.99 to be unsubcribed if you didn't sign up for their product. I wouldn't do what they are asking anyway .I watch Scammer channels such as Scammer Payback, Kitboga, Pappamonkey, etc. So I know wherethey are going!!!
I usually notice the scam content long before I notice the sender is off. I always check for what it is the mail wants me to do and that just removes 99% of mails from the list immediately. Also, my mail client shows me the link text if I hover over hyperlinks, so that's a huge thing. If anything points anywhere in a country I don't know, it most certainly is a scam.
I'm sending this to my mom and dad since they might fall for something like this. It's good to keep them informed! My dad once got one but it was for something he didn't have so luckily he asked my brother about it and he could tell it was a scam. Thanks for making this video!
Thanks for this amazing video! I really like this longer and more in-depth style. Also realized that when I configured my email I just took the recommendation to use "~all" in the spf entry. I really didn't understand the meaning of all those things back then and was glad that I could just copy stuff per tutorial. Thanks to you, I know can confidently know what those entries mean and also changed the "~all" to "-all"!
Yep just make sure to test the emails to make sure they go through and pass. ~all is ideally just used during a testing phase so you can see if the emails pass or not without outright blocking them
Extremely helpful. The biggest thing I needed to hear was your domain could be spoofed - I didn't know that and it scared tf out of me when I saw it - I thought our account was hacked.
Quite useful information-- you have matured well beyond your original "How to make your internet connection faster" gag video, which-- for a while, at least-- did no favors for your reputation.
I used to work for a big organisation and colleagues did get hacked and have their emails used for scam purposes. It does happen. Always do more checks because sometimes companies are filled with technophobes who get hacked easily lol.
Often the people in charge of moving large sums of money fast. Lol. I'm amazed at what we got told in our internet safety tutorial. "If Bob tells you to urgently wire 15.000€, don't immediately do it. First, go through the protocols and..." Like that's an actual thing? People can just wire thousands of moneys without any safety in place and they do so at the behest of someone mailing them to do so? I am on the wrong side of this. Send me all the money via Western Union immediately; it is I, your supervisor boss! P.S.: Don't call me on my phone because I'll be angry if you do.
E-mail security expert here! Great video! There are some things you have incorrect, those are just nuances your overall message you are trying to get out is good.
@@oxybrightdark8765 SPF acts as a firewall (ish) it states what SMTP servers IP addresses are allowed to send on behalf of a domain. DKIM adds a header to every email. A TXT record is added to the domain with the public key for that signature. It validates that the email was not modified in transit. DMARC, does tie the two together with policy but it also adds a reporting feature. Anyone who also uses DMARC will send reports on who they have seen sending on behalf of your domain and if they failed what checks they failed on if your record is configured to do so. Been a bit since I watched this video i’ll need to go over it again. The best way to determine if a sender is who they say they are is to read through the email header. The header is a log of every SMTP server that touched the email. As well as where it originated from. There is a unique message ID with every email to help with tracking in logs.
Damn it! I was in that 65.6% of muppets in the [DMARC] p=none category. That'll teach me to not blindly copy/paste settings. DNS updated. Outstanding video!
"major email clients" **ignores Thunderbird** But still a good video. Paying attention to the sender address and if other header fields match can already filter out most spam/scam mails.
@@subhanjawad4666 I really hope you're kidding/trolling. If not, try searching for Thunderbird and be amazed by an open source mail client that's made by the same company as Firefox.
Excellent video! I had not realized possible fraud using extended ASCII in email addresses. In my former job, I had implemented SPF in our mail server, as per request from a major financial services client, whose spam-blocking server kept flagging our app-generated emails as fraudulent.
I just call on the phone for someone who wanted me to take a number down for delivery Morrow! I hung up. The person was saying I was supposed to take down a number for a delivery tomorrow. Hung up. Thanks for your videos.
Interesting stuff, Joe . I managed to follow the encryption part much thanks to that I used PGP in the nineties. An encryption program built on the same principle.
Oh boy. Thumbs up BUT despite your hard work and detailed explanations it's all beyond my understanding. I did learn a few things though, some of them that I actually have the capacity to absorb. I know that people who really know their subject want to pass the information to their audience which results in going into overtime. It's what happens when you know your stuff. It's obvious that you know it. I have screwed up my computer in so many ways and so often (I'm in the middle of screwing up my outlook) that I don't even know how to reverse it or how to fix it, or how I got there in the first place. Although, from videos like yours I've learned to do a couple of things with questionable email. I don't open anything and I block the sender. Mine is just for home use though, and I can imagine that business computers and their email have to be scrutinized. See, I went further than I intended to as well.
I think the most important thing you can do is be skeptical. Ask twice. If you don't know how to verify something, get someone tech savvy to do it for you. It's what I do when people write really scammy-looking mails but it isn't clear whether they're real: I just ring them on the channels I know, asking if the thing is from them. Mails are never urgent. If someone writes a scammy-looking mail, they will have to live with you not responding to it.
I know of a 100% way to avoid all of these fake/spoof emails .... DELETE! In the event, it is something that warrants further investigating; I go to the original website that I enter into my browser for further information. Thank you for sharing your experience!
I just LOVE the way every single content creator on RUclips, bar none, always uses the image of a white male wearing a hoodie as the "visual definition" of a scammer.
I don't even know why those who disliked it even did it like the only reason I can think of is the length of the video and he even talked about it in the beginning. Love your videos btw.
Good information. I've caught a lot of spoofing by looking at the email headers. Ones that I still have a question about, I'll call the company's customer service or tech support and ask if it is legitimate. One thing I found is Outlook will reveal the URL a control (like a button) is linked to by hovering over the control. Outlook will then print the URL on the status line.
Speaking of similar looking unicode characters. It would be cool if they color coded or used bold/italics for any character outside the ascii range. For example: Standard ascii characters would just be black like it usually is and other character would have a color, like red for example. Also, it would give you a warning to let you know what it means like "NOTICE: Colored/bolded character(s) detected. Phishers may use this to their advantage.". It would help alot since I have bad vision and the examples you've shown look pretty much the same (The fake 'a' and real one).
Look up BotNets. A cyber criminal can basically turn your computer into a Zombie that will download malware, log your passwords, use your connection to attack other websites, and many other malicious things without you even knowing it. One of the signs is a very slow or overloaded CPU even though you are not running many programs. I got them on my PC once when I shared an open wifi connection and it was hell trying to get rid of it.
Great video. Your channel is awesome. The videos are informative and educational. As an IT professional and Cybersecurity student. I believe that education is key. All users should be educated on how to spot scams/phishing/spoofing with emails.
Wow, this is very thorough, I honestly love it. Although maybe a tiny bit too much for the biggest target audience (those who easily fall for spoofed emails), but then again I don't know how else to teach avarage email users all the important safety measure.
Great video!! I am just starting learning mail service and this is really good explained. One thing BTW, at minute 26 you explain the hash verification, and I am pretty sure is: sender signs hash with sender private key, and receiver verifies with sender public key. That is usually how software binaries are verified by people who download them from open source sites. You can only verify or encrypt with the public key.
If you're a Thunderbird user, the add-on "DKIM Verifier" can run DKIM checker for you, and make it obvious if it fails or is signed by a different domain than the envelope's from address. It also has an option (disabled by default) to read Authentication-Results headers if they're available to check SPF and DMARC checks. (Apologies if this is a duplicate comment. I can't seem to find my first one, so it may have been filtered out.)
As we can clearly see, you can always tell the scammers/spammers by the hoodies they, and only they, always wear. And they always have their backs to the camera. Fred
@@ballsofplastic Yes, but that is math and not spoken language. If I say that I'll arrive in 10+ minutes and actually arrive in 8 hours, I'm obviously too late to whatever meeting I was attending.
Fun fact, many Greek letters look really alike with Latin ones. The Greek i (ι) when capital is the same with capital i and almost the same with lowercase L. The lowercase v looks like the Greek lowercase N (ν). Uppercase K, Z, P (in Greek that character is used for R), B, A, E, T, Y, H and X. So if someone wants to scam you in Greek, they can but only in a handful of letters and mostly capital.
@@AijeAstralos The US could force airplanes use English for communication all around the world because the US was the one that come up with it. The same story with the internet. Why don't e-mail use ASCII characters for its addresses?
Well this video ended up being way longer and way more work than I thought (I believe it’s the longest serious video I’ve ever made). Be sure to like it because if it flops I'm going to stick my head in the Large Hadron Collider
Ye long
Man i love that emoji.
i hate life
@@Skoopyy. nobody asked.
@ThioJoe There is a bitcoin bot in the comments
Wanna know what you do? Get a font that only has the a-z characters, and also a couple other important ones like 0-9 and some important symbols. Then set a fallback font to make the email address super obviously not latin characters. This is how you COULD do it.
ah yes... I use Windows 7 and it makes up weird looking boxes for emojis and characters which aren't from English transcript.
sorry but I'm the speaker of a language that doesn't use a Latin script so that obviously wouldn't work for me
so what do I do
I copy the text, split it into characters using Node.JS and convert them into Unicode codes
if any of the symbols is greater than 255 then that's obviously not an ASCII character
I use a programing font for normal viewing that makes all characters VERY clearly distinctly different. so Capital O and the number ZERO and Lower Case L and the number ONE can never be confused. When I get a weird email I switch to a special "hand writing / cursive font" that looks really nice (but the author of the font did not do every single font just the standard ASCII. Any non-ASCII jumps out like a sore thumb.
@@DeactivatedCharcoal Which font?
You mean a font that only allows the basic 128 ASCII characters then a fallback font that highlights everything else red or something? Seems like a good idea.
I did not know non-ASCII characters were allowed in email addresses. Thank you for such a detailed informative video.
Congrats to got a scammer replying to your comment lol
@@MatthewDeveloper Reported
@@MatthewDeveloper what comment?
@@MatthewDeveloper ah ok thanks
That was a recent change, as ICAAN caved in to pressure from Russia, India and China.
Best policy: Never click on a hypertext link in an email.
And never reply to an email you are suspicious about
Best policy, just delete all emails automatically. Don't even read them.
@@BarrySwords when you have a very important invite email
I have found my group of friends here I guess. You basically distilled the entire video in one sentence!
Email is dinosaur technology. It's like governments making new currency designs when most people use digital payment systems. Pointless!! XD
Precisely.
Yes, last week. I kept getting a message saying they were from Netflix and they were going to cancel my account if I didn’t update my address. Funny thing is I don’t have an account with Netflix
I actually got one of these the day after I signed up for Netflix so I thought it was real. Bitwarden saved me though because I became suspicious when it didn't recognize the website that asked me to login.
Maybe it's a Nigerian price giving you a free Netflix account. I won the coca cola lottery and my money should be arriving in a few days. I paid them some legal tax fees or whatever for this, but who cares... Soon I'll be rich and a top G.
@@trixonx I am actually a very attractive female top model and I am so attracted to your lottery winnings but also true love. I also want to share my crypto earnings with you or something.
I got received email too.@@Dave-um7mw
Same here....
This video is extremely informative, extremely well done, and is the kind of video that can make a difference for a lot of people. Thanks Joe, well done.
I've been tracking spammers since the 1990s, and this video definitely covered the bases without getting too hairy for most folk. This can be an intimidating task, so simple straightforward examples are key and should cover most such threats.
Good coverage of caveats, too. There are so so many angles, and limitations, so those this-but caveats are important. Something can look clean, but still fail the sniff test (BS Meter).
Great job!
"without getting too hairy for most folk"? Certainly "too hairy" for me, and I would imagine MOST email users!😆
@@mikeowens6291 no, most email users do not get it. I work with reasonably technical people who have difficulty with some of the concepts. The engineers and senior sysadmins understand, of course, but lots of others can only grasp most of it.
The lay people, on the other hand, don't even understand the idea of other typesets. They understand that Kanji is clearly different, but visually nearly identical characters mixed with English is a step too far to grasp. Many of these are older folk, often retired, all with degrees of various levels, one even a retired programmer for Wells Fargo.
People come in all shapes and sizes, and their ability to grasp rises and falls with professional standing and life stage. It's just how things are.
One of the best defences against such scams is to have several email addresses - one that only your friends and family have, another for your bank, a third for well known suppliers and trusted companies and several throw away ones that you only give out to folk that you don't really trust. (You can make this easy by using forwarding on them, so that you don't have to log on to several servers.) Then when you get an email from "your bank" about an apparent problem with your account (already highly unlikely) and it arrives on one of your throw away addresses, you know immediately that it's fake because you don't use that email address for banking,
The sad part is that anyone who can follow your entire presentation without their eyes glazing over was already capable enough of avoiding scam email. It is simply too complex for average email users to keep in their heads.
i just assume that every email is a scam. nice try mom, i'm not falling for christmas dinner
Is that because most people are just dumb?
@@marioluigi9599 - yes but also they prey on people with brain damage. From age usually.
@@Dragon-Believer So most people have brain damage too?
Sadly and having been in IT since 1982 and taught security plus I admire what ThioJoe is doing - I could not agree with you more. Most people are handicapped by the complexity of a system that is so handicapped because due to its complexity and is getting worse.
The fact that there needs to be a 30 minute video explaining all of this tells me that these big tech companies have some interest in not protecting their users. Most, if not all of this, seems like checks that could be built into our email clients fairly easily.
Don't attribute to malice what can be easily explained by stupidity or incompetence. There's not enough (market) pressure on them to offer a good security UX, so they don't, because it costs development time, which is also money.
Whats the old adage for companies and scientists, "publish or parish." They have to keep cranking out stuff all the time.
If end users have to know this stuff then 2 things: 1) we should have jobs with these companies doing development or security.
& 2) it saves the company money so they dont have to hire developers, security, IT people, or more customer svc reps to handle these issues. We do it for them for free. And content creators get paid to talk about it all, see everybody's happy. 🎉😂😊😊😊
It is getting to the point that flying to the sender and visiting them in person might actually be easier than exercising this level of scrutiny for every one of the hundreds of emails that show up every morning.
Best comment! Couldn't the email client do some of this work?
The idea is to run these checks when you come across something fishy, not for every email you receive.
Problem is that what's shown here is pretty much all specific to gmail. (Thunderbird is my client software, and it's not even mentioned.) I check the full header when in doubt; it's mostly gibberish but the domains do stick out, and in my experience you'll find the usual suspects (.in .ru .cn .bg etc.) if it's spam or a scam.
I have a Gmail account and the vast, vast majority of junk mail goes into the spam folder without me even seeing it. Perhaps you need a new email provider?
@@davidschofield5194 The hackers keep on top of the improvements and figure out ways to get around them. ( off topic, because it wasn't through email:) You can know computers inside out and still get scammed - Steve Wozniak got scammed of thousands of dollars in bitcoin a few years ago.
Wow man, You really did your homework on this one huh? 😁 I wanna say I am really thankful you are taking the time to make Videos like this, because there are SO MANY Tech people out there teaching people how to hack and scam, (I think just to they can Create the "Problem" so then THEY can become the "Solution") and no one is Teach people how to Defend themselves from these Hackers. I'm really glad you are fighting the good fight here man. Thanks!
Facinating - but so much information that at the end I just said “What’d he say?” It’s a difficult subject, and I think there’s a real opportunity for someone to incorporate these logic tree steps into mail clients.
Nah its simple. Just remember where to look for and what must match.
Ignore any explanations as of why and you good to go.
as he said in the video you don't really need to know what they stand for or how it actually works, just keep an eye on it and check if it does pass.
In the first 7min its already information overload... 👌👌👌
Not if you didn't already know about it.
nice video! im gonna show this to my grandma
LOL!
Great
Gammie always needs to know!
Good
@@theovermind7435 you mean grammie?
This is great , as a person who used to play with other companies open SMTP gateways for fun this is interesting, but they have tightened up the rules now with these SPF/DKIM and DMARC records.
Thank you for this as it was fun to get a refresher for SMTP.
I try to pass this knowledge on to the users in my company. But in the end, I just end up telling them "don't click on links or attachments in email" Only if they were expecting something from someone they have personally spoken to.
Normal person: just checks if the email makes sense and doesn’t click on the link and goes to the website directly
ThioJoe: Makes a 30 minute investigation and reports them to the FBI
In my country they don't give a damn except if they achieved to still from you ... Had even local scammer who came at my home for fake "meldew" detection and police didn't investigate. If I had give them money they would had start an investigation in the bottom of the criminal cases because it's not a violent crime ... so maybe 10 years laters tehy would had started the case.
@Thɑт Spοk so you think you need to call every country that you think who try to scam ??? Maybe call the men in black ...
u mean CBI?
Arrrr!! but sadly us 'normals' are on the decline, normality as checking the road three times before crossing was once a very normal and very sensible thing to do. So often I now see mainly young people with their nose in their mobile who just walk into a road with traffic and then screen and shot at a driver who has had to slam on their breaks and the pedestrians truly believes the driver is in the wrong. The same goes for people reading their emails who now instinctively as they do walking and looking at their mobiles click onto hypertext. Sadly, the day of 'normals, will soon be no more.e
Thanks Joe. I just finished upgrading our agency email system yesterday. You're video timing is impeccable!
Corporate Email Security Professional here.
Possibly the best attempt at an explanation I've seen trying to bring the subject down to a general computer-user level, although I expect plenty of heads will still explode :-)
Not perfect mind you, there's some nitpicking to be had in the weeds, but nothing of consequence for your viewers.
I was impressed that generally when I heard something and went "ahhh, that's a problem/wrong because..." within a minute or two you had covered that case.
Also you should watch out for if the domain has zero-with spaces because those have no width so they are invisible
width*
😱
I remember the time in 7th grade where my language arts teacher got a typical phishing email, and he printed it out and made copies for us to pass around so we know what those emails look like generally and to never listen to them
I thought the story was going to be how the teacher got scammed, the fact that he instead used it to educate students about this is awesome
Hope your teacher told this to the scammer lol
Thanks You made this topic easy to understand. Very informative.
👍
👎
@@NicolasA346 tf?
👎
nah it good
You think????
I have long been annoyed that email software doesn't easily and prominently show the actual email address of the sender and reply-to. Some only show the alias and not even the email address! Shameful because they know full well that this aids scammers.
Definitely learned a number of things from this video and am now even more annoyed that email software doesn't make this easier.
As mailserver admin, overall a solid video.
I do think it's a bit...weird to show the "X% of domains use SPF" statistic when the absolute majority of domains have never and never will send mails. Most people outsource their mails to providers nowadays, because, as you've shown brilliantly in this video, email is a pain.
Honestly, you have to carefully look at the email. There are other ways to spot that the email is fake, such as who they are addressing to (sir/madam), grammar, punctuation, etc. You covered a lot about gmail pretty well!
Actually in outlook, if you just hover the mouse over each sender in the inbox, it will show you who the real sender is. So if the return email doesn't match the actual sender, then you know its a phishing email without ever having to open it.
Also, after you open the email, select File - Properties. Lots of interesting information. (Have to make sure you aren't automatically downloading images, before you open the email)
Also, in Outlook, I have found that using the "RULES" feature helps to keep the repeat offenders away. It's a pain to set up an exclusion rule for each of the dozens of bad players per day the first time around, but after a while you will notice that you don't get "re-visited". It IS useful.
Also, for some reason, most spam (for me) originates from Gmail. I tried setting up a rule to exclude any mail from Gmail, but that backfired. I now create a rule for each jerk who sends their trap-laden tripe my way.
*Joe, I thank you for explaining the difference between cyrillic "a" and latin "a." in a comment below, and I am paraphrasing, most of us know not to get involved with spoof emails, although I do report spoofs, for instance, from my bank. I have no idea what they can do with the knowledge; I just feel like a good scout for doing it*
Thanks for informing us about these scams! Your a lifesaver! Love from SA
cj?
SPF and DKIM do authentication only, they don't provide any enforcement.
That is what DMARC is for.
Also, FYI, by default, O365 Enterprise tenants are configured to softfail regardless of what a domain's DMARC record is configured for. You have to enable full DMARC compliance if you want it configured that way.
From the domain owners perspective, DMARC also provides a statistical and forensic mechanism so you can not only prevent unauthorized senders from using your domain, you can collect statistical information from email relays on the internet that lets you know how many emails "sent" from your domain are legitimate vs spoofed and which email servers are trying to spoof your domain. These statistics enable you to calculate a DMARC compliance rate which can tell you if someone is attempting to use your domain maliciously.
This is giving me a headache, but thank you.
Man, this was a thoughtful and well put together presentation.
I can't wait to get lazy, get scammed, and then go back to do these tests on the phishing email that got me and say "....yup, there it was, all along. 😑"
1:10 wow I laughed so hard over this part, I literally almost died from suffocation.
did you die from suffocation
@@user-eb6vc2gs9e yes
@@its_jasonBSF man dead people don't comment 🤫
@@doxyf how do you know that
@@doxyf how would you know? i also saw a man who commented that he died once, i believe him
This was very in-depth. Thank you. My father, who is 72 years old, fell for a phishing email. Fortunately I noticed it just a few minutes later, and had him cancel his card, and change is email password. That could have been bad.
Thanks for having actual captions for the Deaf - makes video much easier to follow - thank you for your good work!
Nice video! I set up my own mail server domain with DKIM, DMARC and SPF (-all!). But I guess I'll watch this video every year now just as a refresher, it's so hard to remember what each of these are doing. Thanks!
A great tip for everyone is when you get a email that claims it's from Paypal or something they will always address you with the name you put in the account not your email address which is Another clear hint it's not from the actual company I noticed that from some Paypal emails when trying to sell something
Agreed, salutations like "dear customer" and "dear client" are basically code for "we have no idea who you are"
That said, I recently received a fake email that addresses me by my actual name. I knew it to be fake as it purportedly came from a company that would have no reason to know either my email address ot my name.
Lesson learned: don't assume I am. Skeptical enough.
Paypal emails several times in the kast couple of days. Only one had my real email but I don't use ir even like PayPal so I knew it wasn't from them .They said i had a money request from people not known to me but yhey are trying to say send $599.99 to be unsubcribed if you didn't sign up for their product. I wouldn't do what they are asking anyway .I watch Scammer channels such as Scammer Payback, Kitboga, Pappamonkey, etc. So I know wherethey are going!!!
I usually notice the scam content long before I notice the sender is off. I always check for what it is the mail wants me to do and that just removes 99% of mails from the list immediately.
Also, my mail client shows me the link text if I hover over hyperlinks, so that's a huge thing. If anything points anywhere in a country I don't know, it most certainly is a scam.
30min of intensive knowledge explains why spoofs and scams will easily continue to make victims.
This one is very important ❤️
I'm sending this to my mom and dad since they might fall for something like this. It's good to keep them informed! My dad once got one but it was for something he didn't have so luckily he asked my brother about it and he could tell it was a scam. Thanks for making this video!
Thanks for this amazing video! I really like this longer and more in-depth style.
Also realized that when I configured my email I just took the recommendation to use "~all" in the spf entry. I really didn't understand the meaning of all those things back then and was glad that I could just copy stuff per tutorial. Thanks to you, I know can confidently know what those entries mean and also changed the "~all" to "-all"!
Yep just make sure to test the emails to make sure they go through and pass. ~all is ideally just used during a testing phase so you can see if the emails pass or not without outright blocking them
Thanks, just finished setting up DKIM, Spf and DMARK for my email domain.
I liked this, watched it entirely. Although I already knew most of what's it about, it was very informative.
Extremely helpful. The biggest thing I needed to hear was your domain could be spoofed - I didn't know that and it scared tf out of me when I saw it - I thought our account was hacked.
Quite useful information-- you have matured well beyond your original "How to make your internet connection faster" gag video, which-- for a while, at least-- did no favors for your reputation.
Several years from now, the fact that this video was necessary will be a source of amusement.
I used to work for a big organisation and colleagues did get hacked and have their emails used for scam purposes. It does happen. Always do more checks because sometimes companies are filled with technophobes who get hacked easily lol.
Often the people in charge of moving large sums of money fast. Lol. I'm amazed at what we got told in our internet safety tutorial. "If Bob tells you to urgently wire 15.000€, don't immediately do it. First, go through the protocols and..." Like that's an actual thing? People can just wire thousands of moneys without any safety in place and they do so at the behest of someone mailing them to do so? I am on the wrong side of this.
Send me all the money via Western Union immediately; it is I, your supervisor boss! P.S.: Don't call me on my phone because I'll be angry if you do.
E-mail security expert here! Great video! There are some things you have incorrect, those are just nuances your overall message you are trying to get out is good.
Could I know the corrections please?
@@oxybrightdark8765 SPF acts as a firewall (ish) it states what SMTP servers IP addresses are allowed to send on behalf of a domain. DKIM adds a header to every email. A TXT record is added to the domain with the public key for that signature. It validates that the email was not modified in transit. DMARC, does tie the two together with policy but it also adds a reporting feature. Anyone who also uses DMARC will send reports on who they have seen sending on behalf of your domain and if they failed what checks they failed on if your record is configured to do so.
Been a bit since I watched this video i’ll need to go over it again. The best way to determine if a sender is who they say they are is to read through the email header. The header is a log of every SMTP server that touched the email. As well as where it originated from. There is a unique message ID with every email to help with tracking in logs.
This video is a real eye-opener
Damn it! I was in that 65.6% of muppets in the [DMARC] p=none category. That'll teach me to not blindly copy/paste settings. DNS updated. Outstanding video!
I need this guy to be my teacher, never could I pay attention for a whole half hour
Very important basic video for everyone using modern devices. Well, except for the lengthy end part filled with details about server signing.
"major email clients"
**ignores Thunderbird**
But still a good video. Paying attention to the sender address and if other header fields match can already filter out most spam/scam mails.
thunderbird is not very popular but ever since I use mozilla firefox, I kinda am in their entire ecosystem
wtf is thunderbird?
i use springmail. it's open source, it's cute and it shows the original message of hotmail better than microsoft app.
@@subhanjawad4666 I really hope you're kidding/trolling. If not, try searching for Thunderbird and be amazed by an open source mail client that's made by the same company as Firefox.
@@subhanjawad4666 do you know how to use google? It goes Futher than comments
I used to have a website for a very small business. Thanks to this, if I do again I'll ensure standard email security is applied.
Hey Joe: You should consider starting a security consulting business targeting corporations as clients. Robert
Excellent video! I had not realized possible fraud using extended ASCII in email addresses. In my former job, I had implemented SPF in our mail server, as per request from a major financial services client, whose spam-blocking server kept flagging our app-generated emails as fraudulent.
I use a open source spamfilter, I get like 97% less spam now.
Like 97% is more like 60%. When somebody says 'like" there exaggerating.
I've found Gmail has almost perfect spam filtering
@@ThioJoe yea gmail's filter is pretty good tbh shit it be flagging sum non spam ones jus to be safe lmao
ThioJoe thanks very much for this most informative video!
@@moneybilla wow smart
I just call on the phone for someone who wanted me to take a number down for delivery Morrow! I hung up. The person was saying I was supposed to take down a number for a delivery tomorrow. Hung up. Thanks for your videos.
"Nike" has bee BLOWING me up lately on my RUclips channel email 🤣
lol
Looks like there aren’t anyone saying Hello verified youtuber
Guess it’s me then to be stupid noob
Hello verified youtuber
Lol
Same goes for your mom
Wow finally somebody who explained SPF DKIM and DMARC in an understandable way
Interesting stuff, Joe . I managed to follow the encryption part much thanks to that I used PGP in the nineties. An encryption program built on the same principle.
I think it's so wild that PGP is still a thing, albeit mostly on the dark web
This guy put no ads in 30 minutes wow
Oh boy. Thumbs up BUT despite your hard work and detailed explanations it's all beyond my understanding. I did learn a few things though, some of them that I actually have the capacity to absorb. I know that people who really know their subject want to pass the information to their audience which results in going into overtime. It's what happens when you know your stuff. It's obvious that you know it. I have screwed up my computer in so many ways and so often (I'm in the middle of screwing up my outlook) that I don't even know how to reverse it or how to fix it, or how I got there in the first place. Although, from videos like yours I've learned to do a couple of things with questionable email. I don't open anything and I block the sender. Mine is just for home use though, and I can imagine that business computers and their email have to be scrutinized. See, I went further than I intended to as well.
I think the most important thing you can do is be skeptical. Ask twice. If you don't know how to verify something, get someone tech savvy to do it for you.
It's what I do when people write really scammy-looking mails but it isn't clear whether they're real: I just ring them on the channels I know, asking if the thing is from them. Mails are never urgent. If someone writes a scammy-looking mail, they will have to live with you not responding to it.
I know of a 100% way to avoid all of these fake/spoof emails .... DELETE! In the event, it is something that warrants further investigating; I go to the original website that I enter into my browser for further information. Thank you for sharing your experience!
Man this is seriously needed nowadays and an absolute incredible job.
Glad to be a subscriber
I just LOVE the way every single content creator on RUclips, bar none, always uses the image of a white male wearing a hoodie as the "visual definition" of a scammer.
Thanks for getting rid of that bot in the previous video it was really annoying to see.
Yea i delete them as soon as i see them
Which bot?
There a bitcoin bot i see
I got a sponsorship email from Nike a couple days ago so this is super useful!
My approach is to treat each email that I receive as suspicious. This prompts me to do the security checks.
I don't even know why those who disliked it even did it like the only reason I can think of is the length of the video and he even talked about it in the beginning. Love your videos btw.
You should include Thunderbird email client app in your testing.
Good information. I've caught a lot of spoofing by looking at the email headers. Ones that I still have a question about, I'll call the company's customer service or tech support and ask if it is legitimate.
One thing I found is Outlook will reveal the URL a control (like a button) is linked to by hovering over the control. Outlook will then print the URL on the status line.
Speaking of similar looking unicode characters. It would be cool if they color coded or used bold/italics for any character outside the ascii range.
For example: Standard ascii characters would just be black like it usually is and other character would have a color, like red for example.
Also, it would give you a warning to let you know what it means like "NOTICE: Colored/bolded character(s) detected. Phishers may use this to their advantage.". It would help alot since I have bad vision and the examples you've shown look pretty much the same (The fake 'a' and real one).
Now I have to explain all of this to my parents.
Good luck
Thunderbird shows "reply to" in it's headers. In fact it shows everything you noted that the top popular mails apps don't. Open source wins again.
Gonna defend a paper which contains Phishing info next week, great timing for video haha
Thank you. I don’t get most of this. The steps you take us through is something I can do even if I don’t understand it. Again thank you
I have an idea for a video: you should explain different types of viruses, worms, Trojans and what they are
Look up BotNets. A cyber criminal can basically turn your computer into a Zombie that will download malware, log your passwords, use your connection to attack other websites, and many other malicious things without you even knowing it. One of the signs is a very slow or overloaded CPU even though you are not running many programs. I got them on my PC once when I shared an open wifi connection and it was hell trying to get rid of it.
Great video. Your channel is awesome. The videos are informative and educational. As an IT professional and Cybersecurity student. I believe that education is key. All users should be educated on how to spot scams/phishing/spoofing with emails.
"It's a fake!"
Or just use inbox filters...
Wow, this is very thorough, I honestly love it. Although maybe a tiny bit too much for the biggest target audience (those who easily fall for spoofed emails), but then again I don't know how else to teach avarage email users all the important safety measure.
"Dear friend" in the subject line is a red flag
Great video!! I am just starting learning mail service and this is really good explained. One thing BTW, at minute 26 you explain the hash verification, and I am pretty sure is: sender signs hash with sender private key, and receiver verifies with sender public key. That is usually how software binaries are verified by people who download them from open source sites. You can only verify or encrypt with the public key.
Hello Thio Joe!
What do you prefer:
Cats or dogs
iPhone or Android
Spotify or Apple Music.
Too many questions
@@ThioJoe 😅
If you're a Thunderbird user, the add-on "DKIM Verifier" can run DKIM checker for you, and make it obvious if it fails or is signed by a different domain than the envelope's from address. It also has an option (disabled by default) to read Authentication-Results headers if they're available to check SPF and DMARC checks.
(Apologies if this is a duplicate comment. I can't seem to find my first one, so it may have been filtered out.)
Nightmare - just treat ALL emails ase a scam lol.
Thanks man!! you just saved me from a job scam! I was almost lost in finding if its legit, until I saw ur video. great work🙌
It’s definitely possible for mail apps to do just do all this checking themselves, surprised they don’t by now
I worked in IT for 25 years. the average person is not going to do this stuff. email is broken and needs to be completely redone.
"yes this is a 20+ minute video"
the video: *30:32*
r/technicallythetruth
This is the first time I seen a time stamp in the Bold font
@@norb3695 _99:59:59_
As we can clearly see, you can always tell the scammers/spammers by the hoodies they, and only they, always wear.
And they always have their backs to the camera.
Fred
Thio: this video is 20+ minutes
Video: 30 minutes
He said 20+...
20 and above
@@ballsofplastic but then why not say 30+?
While 20+ is technically correct, generally, when people say 20+, they mean 20-29 minutes
@@markusTegelane That doesn't change that 20+ is correct, It's basically like ≤20 in math.
@@ballsofplastic Yes, but that is math and not spoken language. If I say that I'll arrive in 10+ minutes and actually arrive in 8 hours, I'm obviously too late to whatever meeting I was attending.
I really, _really,_ REALLY, wish that the international symbol for "Hacker" would STOP being "Guy In A Hoodie"
Fun fact: this "g" is not a g.
Fun fact this ”Α” is not an A
fun fact: this "Y" is not a y
Fun fact: This “М” is not an M
Fun fact, many Greek letters look really alike with Latin ones. The Greek i (ι) when capital is the same with capital i and almost the same with lowercase L. The lowercase v looks like the Greek lowercase N (ν). Uppercase K, Z, P (in Greek that character is used for R), B, A, E, T, Y, H and X. So if someone wants to scam you in Greek, they can but only in a handful of letters and mostly capital.
This Α is not an A
SPF - Sender Policy Framework
DKIM - DomainKeys Identified Mail
DMARC - Domain-based Message Authentication, Reporting & Conformance
Thx yo.
YO YO YO
YO MR WHITE YO
Been waiting for this video for so long , going to pass it to my 5 old niece , Thanks Joe
Why would they allowed to use non-ASCII characters in email address?
Because email addresses aren't country-locked, so if they want to support emails from, say, Russia, they need to support the Cyrillic alphabet.
@@AijeAstralos The US could force airplanes use English for communication all around the world because the US was the one that come up with it. The same story with the internet.
Why don't e-mail use ASCII characters for its addresses?
Why wasn't Mozilla Thunderbird reviewed?
The best trick to avoid scammers : Don't open your inbox 🤣