Set up MTA-STS on a GSuite hosted GitHub pages

To further protect my email communication, I have enabled MTA-STS on my GSuite domain. My site is hosted on GitHub pages, so I’ll walk you through my setup.

It starts with creating a new GitHub repository that will hold the files for the MTA-STS subdomain. For some reason, the MTA-STS policy is read from an mta-sts.txt file located in the .well-known folder, but that file has to be served from the mta-sts subdomain rather than from the main domain. Why it can’t be done from the main domain is beyond me, but here we are.

Now that I have a repository, I create the .well-known folder and I place the mta-sts.txt file inside that folder. The content of the file can be found in my GSuite Admin section. It is the middle value: MTA-STS Policy Diagnostic. I’ll come back to the other values shortly.

Unfortunately, this is where I bumped into a problem with hosting on GitHub pages. By default, it does not publish folders whose name starts with a . (dot). GitHub pages builds the site with Jekyll, which skips dotfiles and dot-folders by default, following the Linux convention that anything starting with a dot is hidden. So Stack Overflow to the rescue!

The fix is as easy as adding a _config.yml file to the base repository with the single line:

include: [".well-known"]

Important detail: do not end with an empty line! Just add that single line to the file to expose the .well-known folder.

The last step in GitHub is to set up the custom domain for this repository. It’s pretty easy to set up a GitHub pages domain; just be sure to enter the full name with the mta-sts subdomain in front of your domain.

Don’t worry if GitHub displays an error at this point. I have not set up the DNS for the subdomain yet, so GitHub can’t verify the domain just yet.

I’ll fix that right now. I let Cloudflare handle my DNS settings. In the DNS settings of the dashboard, I add 4 A records with the name mta-sts, one for each of the IP addresses that GitHub pages serves sites from. For the specific IP addresses and setup of GitHub pages, I refer to their good documentation. Now that the A records are in place, the subdomain should be ready and available.

Two more steps and I’m done. Luckily for me, they are both in my DNS setup. I add a TXT record with the name _mta-sts and the value found in my GSuite Dashboard after “MTA-STS TXT Record Diagnostic”. I add another TXT record with the name _smtp._tls and the value found in my GSuite Dashboard after “Reporting Policy Diagnostic”.

Do not forget to change the rua=mailto: value of the “Reporting Policy Diagnostic” text to an email address at which you can actually receive mail. That is where the TLS reports will be sent. In the near future, Report URI should add support for processing these reports.
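To sanity-check the three pieces above before flipping the policy to enforce, here is an added example (my own, not from the original post or from Google) that validates the mta-sts.txt policy file and the two TXT records offline. The sample values are constructed placeholders; substitute the values from your own GSuite dashboard, and do the DNS lookup and HTTPS fetch yourself.

```python
import re

# Constructed sample values for this example, not the author's real records.
SAMPLE_POLICY = (
    "version: STSv1\nmode: enforce\n"
    "mx: mail.example.com\nmx: *.example.com\nmax_age: 604800\n"
)
SAMPLE_STS_TXT = "v=STSv1; id=20191112T000000;"
SAMPLE_TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"

VALID_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # one year, the upper bound RFC 8461 allows


def parse_policy(text):
    """Parse mta-sts.txt into {key: [values]}; keys such as mx may repeat."""
    policy = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        policy.setdefault(key.strip(), []).append(value.strip())
    return policy


def check_policy(text):
    """Return a list of problems found in the .well-known/mta-sts.txt content."""
    try:
        p = parse_policy(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    if p.get("version") != ["STSv1"]:
        problems.append("version must be exactly STSv1")
    mode = p.get("mode", [""])[0]
    if mode not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    if mode != "none" and not p.get("mx"):
        problems.append("at least one mx line is required unless mode is none")
    age = p.get("max_age", [""])[0]
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        problems.append("max_age must be an integer of seconds, at most one year")
    return problems


def check_sts_txt(record):
    """True if the _mta-sts TXT record has v=STSv1 and an alphanumeric id."""
    return bool(re.fullmatch(r"v=STSv1;\s*id=[A-Za-z0-9]{1,32};?", record.strip()))


def check_tlsrpt_txt(record):
    """Return the rua mailbox from the _smtp._tls TXT record, or None if absent."""
    m = re.fullmatch(r"v=TLSRPTv1;\s*rua=mailto:([^,;\s]+@[^,;\s]+)", record.strip())
    return m.group(1) if m else None
```

Remember to bump the id in the _mta-sts record every time you change the policy file, otherwise sending servers keep using the cached copy until max_age expires.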

Now I enjoy more secure email communication. If anybody wants to learn more about SMTP MTA Strict Transport Security, I recommend reading Scott Helme’s very good blog post or URI Ports expanded blog post. That’s where I learned about it.

Edit: Thanks Faisal from emailsecuritygeek.com for pointing out a typo. Cheers mate!

Scammers used my email as a spam address

On the 7th of November 2019, I received an email from AliExpress that told me that I created an account with them. Seeing as I didn’t do this, at first I thought it was a scam. My email address contains a dot between my first and last name and that was missing. So I did what I do with all spam, I ignored it.

A few weeks later, on November 25th, I received a notification that I had a shopping cart with items in it. I decided to go to the AliExpress website and do a password reset on “my” account. Surprisingly, I had not received spam and a few moments later, I was the proud owner of an AliExpress account.

The first thing I did was check out my shopping cart. I did not take a precise inventory at the time, I just deleted the few items that were in it. It did prompt me to look into my already purchased items. There was a range of strange choices from plastic apples for table decoration to knockoff Disney dolls. The one thing they all had in common was that they cost under 20 euros, thus skipping most customs controls. So the buyers evade sales tax, limit checks on the knockoff goods and get a higher chance the goods will get delivered.

When I looked at the account details, I saw a fake name with Bonny as the first name and a bogus shipping address in France. It was entered half a dozen times, so I concluded I was dealing with a master criminal that knew how to efficiently navigate the site.

I looked the address up on Google Maps and it turned out to be a corn field. I’ve always wondered how they deliver to such places. The delivery guy shows up in a truck with the stuff in the back and then what? Is there a shady guy with a nondescript white van ready to take the goods? I guess I’ll never know.

Back to the order history. All in all, there were 28 items bought on “my” account. When I saw that, I blamed AliExpress for not verifying the account before accepting orders. I received a welcome mail, but I never had to verify that my account is controlled by me. So there are probably countless unverified accounts that are used by scammers to buy counterfeit goods. That means that AliExpress is profiting from, what are in my opinion, fraudsters.

Until I checked the orders more closely. Apparently 20 out of the 28 orders haven’t been paid yet. That means that over 70% of the orders haven’t been paid 18 days after they were shipped. Somehow, I doubt that they will ever be paid, even if I did not take back the account. Which means that both AliExpress and the third party sellers are missing out on revenue.

All this scammer needs to do is create another fake account and buy as many goods as he can before the account is suspended. They can keep doing this as long as accounts are not verified, as there is a treasure trove of emails out there for anybody who knows where to look. And it’s not exactly hard to find even if you don’t know where to look.

So I don’t know why AliExpress is not verifying accounts. It’s costing them money. It’s costing their subcontractors money. It’s costing European countries taxes. They are basically enabling scammers. The only thing they’d need to do to stop these thieves, is verify an account before that account can be used to buy goods.

At no point was my email compromised. They just used my email address to sign up. Thanks to a combination of a password manager (shameless plug for 1Password) and a strong second factor (shameless plug for YubiKey security keys), scammers will be hard pressed to get into my most valuable accounts. For full transparency, I’m not sponsored by either vendor, I bought these products myself. I’m a big fan of them.

And as a last item, just to be thorough: I did not report this to the police. I do not feel that the information I have to share will make a compelling case against anybody. So instead of adding more white noise to the pile of noise the police already has to deal with, I’m going to ignore this.

What I do want to shine a light on is that we cannot let scammers just use our emails for their fake accounts. So if I receive an email saying I created an account somewhere, especially at an online shop, it will get a closer look to see if it’s an actual welcome mail or a scam in itself.

Two Factor Authentication via 1Password

Seems like I’m talking a lot about 1Password (and password managers in general) these past few weeks. Well, it’s because I think they are awesome and an invaluable tool if you want to secure yourself on the internet these days. In this article, I’m going to explain why you should use two factor authentication (2FA) and how you can set it up with 1Password, so you only need to do it once.
