
jprjr_ today at 2:40 PM

That was how I felt. "The Future of Email", from Fastmail - I immediately assumed some big announcement.

It's basically "you need to pass DMARC now" which has been true for 2 years.

It also goes into how authentication helps stop spoofed domains which yes, is true. But in my opinion the biggest problem isn't spoofed domains at all.

Attackers will figure out how to make your payment platform (PayPal, Stripe, etc.) send out emails. They'll figure out what pieces of info make it into the generated emails, so they'll do things like set their company name to "there's a problem call this phone number." So next thing you know you're getting an email from PayPal that sounds urgent because they'll put that company name in the subject or body of the email.

These emails will be legit, from-the-actual-company, passes-all-authentication emails. DMARC can't catch that, and that's what I've been observing attackers do. They'll find a ticketing system or payment processor and get them to generate "authentic" emails.

I was sincerely hoping that Fastmail had something to deal with that problem.
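An added example, not part of the original thread: a small triage check showing why a DMARC pass says nothing about the content a platform was induced to generate, and what a receiving-side content heuristic for the callback lure described above can look like. The sample message, the domains, the `mx.example.org` authserv-id and the word list are all constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: a platform-generated invoice whose user-controlled
# "company name" field carries a callback lure. All values are made up.
SAMPLE = """\
From: service@payments.example
To: user@example.org
Subject: Invoice from Problem with your account call +1 (555) 010-0199
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass header.from=payments.example
Content-Type: text/plain

Problem with your account call +1 (555) 010-0199 sent you an invoice for $499.00.
"""

# Assumption: only results stamped by our own receiving MTA are trusted.
TRUSTED_AUTHSERV = "mx.example.org"
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URGENCY = re.compile(
    r"\b(call|urgent|problem|suspended|unauthori[sz]ed|immediately)\b", re.I)

def dmarc_passed(msg):
    """True if a trusted Authentication-Results header reports dmarc=pass."""
    for value in msg.get_all("Authentication-Results", []):
        v = value.strip().lower()
        if v.startswith(TRUSTED_AUTHSERV) and re.search(r"\bdmarc=pass\b", v):
            return True
    return False

def callback_lure_signals(msg):
    """Content signals that authentication cannot see (single-part mail)."""
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if PHONE.search(text):
        signals.append("phone_number")
    if URGENCY.search(text):
        signals.append("urgency_wording")
    return signals

def triage(raw):
    """Flag authenticated mail that still carries both lure signals."""
    msg = message_from_string(raw)
    passed, signals = dmarc_passed(msg), callback_lure_signals(msg)
    return {"dmarc_pass": passed, "signals": signals,
            "review": passed and len(signals) == 2}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A heuristic like this produces false positives on legitimate notices that include a support number, so it fits a review queue or a warning banner better than outright rejection.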


Replies

sgc today at 3:35 PM

I thought the most interesting part of the post was that they have an MCP endpoint for bring-your-own agents, and they won't be force-feeding AI on anybody. In the security context of the post, they mean that you are responsible if your AI is duped into falling victim, or tricked into sending malicious mail.