I’ve talked to 4-5 SDR Leaders that have gotten their email domains TORCHED in the last 2 months.

Here’s the thing all outbound teams need to understand about deliverability: Email deliverability is a “death by a thousand paper cuts” type of situation.

Stop stacking paper cuts and do these 9 things:

1️⃣ Set up secondary domains
If you are still cold emailing off your primary email domain you may be in big trouble. This is crucial. Using something like Maildoso makes getting these domains and the whole technical setup super fast... more on that below. The last thing you want, especially if you DON’T have a reputable domain like Salesforce(.)com, is to burn your org’s primary domain. This doesn’t just affect your sales team. You don’t need your CSMs and CEO landing in SPAM.

2️⃣ Set up your DNS (DMARC, SPF & DKIM) records for ALL of your domains
To skip the manual DNS headache... Maildoso automates this setup. I just set up 2 new domains in literally 1 minute with them last week. Right now we can only set up 2 mailboxes per rep in Outreach. Going to be adding a Smartlead integration soon in Common Room to run higher volume experiments based on various intent signals and double down on the ones that work with human SDRs.

3️⃣ Secondary domains should link to your primary
You want to make sure your prospects are being directed to your actual company domain if they are curious and click.

4️⃣ Email Warmup - Domains should be “warmed up” for ~14 days before cold emailing
Send at least 20-30 warm up emails per day per email account, with a 40% reply rate. This builds your domain reputation.

5️⃣ Email Volume - Build this over time.
Start with 5-10 emails a day per account and do NOT send more than 30 emails per day per email account.

6️⃣ Keep your email signature plain text.
No Links. No images. No calendar links…at all. Add your address in your signature and make sure you put a picture in your Outlook or Gmail profile.

7️⃣ Vary your cold email copy (i.e. SPINTAX).
Sending the same template to every prospect signals that you are a spammer. Customize your first step email. For emails further in your sequence, use Spintax. Use alternate phrases “Hi, Hey, Hello”. New age sequencers do this automatically.

8️⃣ Understand that your domain gets TORCHED when people mark your email as spam.
Good and relevant copy matters.

9️⃣ Constantly monitor your email deliverability.
Deliverability varies across Outlook and Google servers. Get a platform that helps you land in ALL inboxes. Again, Maildoso makes this super easy... they have daily reputation monitoring built right in so you catch issues fast. They average 98%+ inbox placement - wild.

Maintaining good deliverability over time is key in the success of outbound.

What would the email deliverability experts add here?

#outbound #coldemail #deliverability
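The DNS step above (SPF, DKIM, DMARC on every sending domain) is where a domain is either made spoof-resistant or left wide open, and it is the step most often published with a weak policy. As an added example, not part of the post and not code from any tool it names, the following Python linter parses an SPF record and a DMARC record the way a receiving server reads them and flags the settings that leave a domain spoofable or hurt deliverability: a permissive or missing `all` term, a deprecated `ptr` mechanism, more than 10 DNS-lookup terms (a permanent error at the receiver), `p=none`, a missing `rua=` reporting address, a partial `pct=`, and an `sp=none` that exempts subdomains. The record strings are constructed samples; in practice you fetch them with a TXT lookup of the domain and of `_dmarc.<domain>`. DKIM is left out because checking it means retrieving the selector's public key from DNS.

```python
"""Lint SPF and DMARC TXT records for the gaps that get a domain burned.

Added example, not code from the post or from any vendor it mentions. The
record strings in the usage section are constructed samples; in practice you
fetch them with a DNS TXT lookup of <domain> and _dmarc.<domain>.
"""
import re

# Mechanisms and modifiers that count toward SPF's limit of 10 DNS lookups
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record: str) -> list:
    """Return findings for one SPF record (an empty list means no issues)."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # An optional qualifier (+ - ~ ?) precedes the mechanism name; default is +
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name ends at ':' (include:, ip4:), '/' (a/24) or '=' (redirect=)
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are neutral, not rejected")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("'?all' makes the record a no-op for unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def lint_dmarc(record: str) -> list:
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]

    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected despite a strict p=")
    return findings


if __name__ == "__main__":
    # Constructed sample records: one sound pair and one weak pair
    for rec in ("v=spf1 include:_spf.google.com -all", "v=spf1 mx ptr +all"):
        print(rec, "->", lint_spf(rec) or ["ok"])
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "v=DMARC1; p=none; pct=50"):
        print(rec, "->", lint_dmarc(rec) or ["ok"])
```

Run it against each secondary domain as well as the primary: a warmed-up secondary domain with `+all` or `p=none` can be spoofed by anyone, and the spam complaints that follow land on the reputation you just built.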
Email Security Concerns
-
⚡ SMTP Penetration Testing — High-Level Awareness & Defensive Guide (Lab Only) ✉️🔍

SMTP remains the backbone of email delivery and a frequent target in assessments. Ethical SMTP testing (in authorized scopes) helps teams find misconfigurations, insecure relays, and weak authentication that threat actors exploit for phishing, spoofing, or mail relay abuse. 🛡️📬

🔎 What testers look for (high level):
🔹 Open relays & misconfigured servers that allow unauthenticated forwarding. 🔓↔️
🔹 Authentication weaknesses (plain-text auth, weak credentials, missing STARTTLS enforcement). 🔑⚠️
🔹 Encryption gaps — lack of STARTTLS, opportunistic TLS, or missing DANE/MTA-STS validation. 🔐❌
🔹 Spoofing & spoof-relay vectors — missing SPF, DKIM, and DMARC records or incorrect policies. 🕵️♂️✉️
🔹 Abuse paths — email injection via web forms, exposed submission ports, or weak rate-limiting. 🧩🚨

🛠️ Safe assessment techniques & tooling (lab/authorized):
Use non-destructive probes and verify results with server owners. Common tools and checks include: smtp-check, swaks for scripted exchanges, nmap SMTP scripts, MX/DNS lookups (dig mx), and SPF/DKIM/DMARC validators. Log review and controlled test mails help confirm real-world impact. 🧰📋

🛡️ Defensive checklist (quick wins):
🔹 Enforce STARTTLS and prefer strict TLS policies (DANE / MTA-STS where possible). 🔒
🔹 Publish and enforce SPF, DKIM, and DMARC with a proper quarantine/reject policy. 📜✅
🔹 Disable open relay behavior; require auth for submission and relay. 🚫↔️
🔹 Harden authentication: strong passwords, rate-limits, and suspicious login alerts; consider MFA for admin consoles. 🔑⛔️
🔹 Monitor mail queues, outbound volume, and bounce patterns; centralize email logs in SIEM for correlation. 📊👀
🔹 Keep MTAs and mail-related libraries patched; limit exposed management interfaces and restrict by IP/network. 🔧🔁

⚠️ Disclaimer: For educational & authorized use only. Perform SMTP testing only on systems you own or have explicit written permission to assess. Never send harmful or unsolicited emails during tests; unauthorized testing is illegal and unethical. 🚫📝

#SMTP #EmailSecurity #PenTesting #InfoSec #CyberSecurity #SPF #DKIM #DMARC #MTA #BlueTeam #EthicalHacking ✉️🛡️
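Two of the checklist items above, plain-text authentication and a missing or non-enforcing MTA-STS policy, can be verified from data your own MTA hands out: the capability list it returns to EHLO, and the policy file it publishes at `https://mta-sts.<domain>/.well-known/mta-sts.txt`. As an added example, not code from the post, the Python below parses a captured EHLO reply and an MTA-STS policy body and reports the weak settings: STARTTLS absent, AUTH PLAIN/LOGIN advertised on the pre-TLS connection (credentials could cross the wire unencrypted), VRFY/EXPN enabled, `mode` other than `enforce`, no `mx` lines, and a short `max_age`. Both inputs are constructed samples of what a server returns; the 86400-second `max_age` threshold is a choice made for this example, not a value from RFC 8461.

```python
"""Assess a mail server's advertised capabilities and its MTA-STS policy.

Added example, not code from the post. Both inputs are constructed samples of
what a server returns; in an authorized review of your own MTA you would capture
the EHLO reply (for example with swaks or openssl s_client -starttls smtp) and
fetch the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""


def parse_ehlo(reply: str) -> dict:
    """Map each EHLO keyword (upper-cased) to its parameters, skipping the greeting line."""
    caps = {}
    first = True
    for line in reply.splitlines():
        line = line.strip()
        # Every line is "250-KEYWORD params" except the last, which is "250 KEYWORD"
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()
        if first:  # "250-mail.example.com Hello ..." is the greeting, not a capability
            first = False
            continue
        if not body:
            continue
        parts = body.split()
        keyword, params = parts[0].upper(), parts[1:]
        if keyword.startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form some MTAs emit
            params = [keyword[5:]] + params
            keyword = "AUTH"
        caps[keyword] = params
    return caps


def assess_ehlo(reply: str, over_tls: bool) -> list:
    """Findings for an EHLO reply; over_tls=False means it was received before STARTTLS."""
    caps = parse_ehlo(reply)
    findings = []
    if not over_tls and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: every session runs in cleartext")
    if "AUTH" in caps and not over_tls:
        weak = sorted({m.upper() for m in caps["AUTH"]} & {"PLAIN", "LOGIN"})
        if weak:
            findings.append(f"AUTH {' '.join(weak)} advertised before TLS: "
                            "credentials can cross the wire unencrypted")
    if "VRFY" in caps or "EXPN" in caps:
        findings.append("VRFY/EXPN enabled: disable them unless a process depends on them")
    return findings


def assess_mta_sts(policy: str) -> list:
    """Findings for an MTA-STS policy body (RFC 8461 'key: value' lines)."""
    fields, mx = {}, []
    for line in policy.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value)  # mx may repeat; every other key appears once
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        return ["missing or unsupported version (expected STSv1)"]
    findings = []
    mode = fields.get("mode", "none")
    if mode != "enforce":
        findings.append(f"mode={mode}: TLS failures are only reported, "
                        "delivery still falls back to cleartext")
    if not mx:
        findings.append("no mx lines: the policy matches no receiving host")
    try:
        max_age = int(fields.get("max_age", "0"))
    except ValueError:
        max_age = 0
    if max_age < 86400:  # one day; threshold chosen for this example
        findings.append(f"max_age={max_age}: cached policy expires quickly, "
                        "weakening downgrade protection")
    return findings


# Constructed sample inputs
PRE_TLS_REPLY = """250-mail.example.com Hello client.example.net
250-SIZE 35882577
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

POLICY = """version: STSv1
mode: testing
mx: mail.example.com
max_age: 3600"""

if __name__ == "__main__":
    print(assess_ehlo(PRE_TLS_REPLY, over_tls=False))
    print(assess_mta_sts(POLICY))
```

Run `assess_ehlo` twice, once on the reply from the cleartext connection and once on the reply after STARTTLS, because a correctly configured server only advertises AUTH on the second one; the sample above shows the common misconfiguration where both replies are identical.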
-
🔍 Deep Dive into SMTP Port Penetration Testing: Advanced Techniques for Cybersecurity Professionals 🔍

As cybersecurity professionals, we know that securing email communications is paramount. One of the critical protocols in this space is SMTP (Simple Mail Transfer Protocol). In this post, I want to share some advanced techniques for performing effective SMTP port penetration testing.

Why Focus on SMTP?
SMTP is the backbone of email communication, and vulnerabilities in this protocol can lead to significant security breaches, such as:
- Email Spoofing: Attackers impersonating legitimate users.
- Data Leakage: Unauthorized access to sensitive email content.
- Denial of Service (DoS): Overloading mail servers to disrupt communication.

Techniques for SMTP Port Penetration Testing

1. Port Scanning and Enumeration:
- Use tools like **Nmap** to identify open SMTP ports (commonly 25, 587, 465).
- Employ scripting to automate enumeration of service versions and supported commands.

2. Service Version Detection:
- Utilize Nmap scripts or tools like SMTP-USER-ENUM to identify potential users and misconfigurations.
- Check for outdated versions of SMTP servers which might be susceptible to known exploits.

3. Command Injection Testing:
- Test for command injection vulnerabilities using carefully crafted payloads. For example, manipulating SMTP commands like `MAIL FROM`, `RCPT TO`, and `DATA` to perform actions such as revealing user information.

4. Exploiting Misconfigurations:
- Look for open relays, which allow unauthorized users to send emails through the server. This can lead to spam and phishing attacks.
- Check for improper authentication mechanisms that can be bypassed, leading to unauthorized access.

5. Utilizing Advanced Tools:
- Metasploit: Use modules like `auxiliary/scanner/smtp/smtp_enum` for user enumeration and `auxiliary/scanner/smtp/smtp_login` for brute-forcing authentication.
- Burp Suite: Analyze SMTP traffic in-depth, manipulate requests, and identify vulnerabilities in web applications that interface with email services.

6. Brute Force and Dictionary Attacks:
- Test the robustness of SMTP authentication by performing dictionary attacks on login credentials. Ensure to have explicit permission to avoid legal repercussions.

7. Analyzing SMTP Traffic:
- Use Wireshark or similar tools to capture and analyze SMTP traffic. Look for unencrypted sensitive information and ensure that STARTTLS is enforced where applicable.

Best Practices Post-Testing
- Always report findings in a clear, actionable format.
- Collaborate with development and operations teams to remediate vulnerabilities.
- Implement continuous monitoring and regular audits of SMTP configurations.

Let’s share knowledge and best practices to strengthen our defenses against email-based threats! 💡

#Cybersecurity #PenetrationTesting #SMTP #EmailSecurity #NetworkSecurity #Infosec #CyberAwareness #RedTeam #BugBounty #Ports #Protocols
-
Due diligence is not just for banks. It’s for everyone.

Good morning - and if it is not morning when you read it then at least it is a wake-up call.

A recent phishing incident involving an event platform that provides bulk email services to planners has been a stark reminder of this. A fraudster exploited the platform’s free-tier offer, which surprisingly included the ability to send bulk emails with a "trusted" consignor sender domain — a gift-wrapped opportunity for criminal misuse.

It’s mind blowing that a company would offer such a feature without stringent onboarding checks. Even more worrying: they reportedly also support payments and refunds for free-tier users. How is that even possible without knowing who you’re enabling to send, receive and refund money?

I can almost hear the echo of the company explaining that "we require a Danish bank account for the payout". That is not verifying or validating anything, that is feel good or tick-box compliance... have you ever heard about virtual IBANs or risk averse neo-banks? Apparently not. This is like a fully loaded digital gun handed over to criminals - in the real world people go to jail for acts like this.

Let’s be clear: This is not just a data security issue — it’s a due diligence failure. You failed and you need to get your sh*t together or find something else to do.

Offering financial flows (payouts and refunds) without verifying the identity and legitimacy of users opens the door wide to abuse. Especially when refunds and fake transactions are widely known mechanisms in money laundering. In such a setup, the bulk email tool essentially becomes a low-barrier entry point for financial crime.

This raises an even more serious question: Is this platform effectively operating as a Payment Facilitator (PayFac)? If so, does their acquirer or payment provider even realize this? And are they aware of the risks being passed on through their infrastructure?

What happened here wasn’t just an unfortunate mistake. It was an accident waiting to happen — driven by a lack of basic safeguards.

In 2025, we should be well past the point where “free” means “unverified.” If you’re enabling communications or financial transactions on behalf of users, you must know who your users are.

Due diligence is not optional. It’s a duty - duty-diligence ...
-
Domain IP gone bad? Who’s REALLY to blame? (It’s important to understand this if you’re cold emailing)

You set up a new domain, start sending emails… and suddenly, your deliverability tanks. Your emails hit spam. Your domain reputation is in free fall. Who’s at fault? Let’s break it down.

1) The Real Culprit? YOU (Mostly)
Harsh truth: Most reputation issues come from how emails are sent.
❌ Sending too many emails too fast → Spam filters flag sudden spikes.
❌ Poor personalization & high spam complaints → Kills engagement, kills reputation.
❌ No warm-up → Cold-starting a domain without warming up is a disaster.
Fix it:
✅ Start slow. Build gradually (no more than 50/day initially).
✅ Get replies. Low engagement = bad reputation.
✅ Use warm-up tools (SmartReach.io automates this for you).

2) Email Service Providers (ESP): The Enforcers 👀
Your Google Workspace, Outlook, Zoho, etc. own the sending infrastructure. They:
✔ Assign sending IPs.
✔ Monitor spam complaints.
✔ Decide if you land in inbox, spam, or promotions.
🚨 Too many complaints? They’ll throttle your sending or flag your domain.
Fix it:
✅ Authenticate your domain (SPF, DKIM, DMARC—non-negotiable).
✅ Avoid spammy content (no “FREE MONEY” subject lines).
✅ Monitor engagement—if open/reply rates drop, pause & adjust.

3) Cold Email Software: Can Help (or Hurt)
Cold email tools don’t own your sending IPs, but they impact your reputation:
✔ If they force good sending practices → Your domain stays safe.
❌ If they let you blast 1,000s of emails instantly → You’re at risk.
Fix it:
✅ Use tools that enforce limits & warm-up (like SmartReach.io).
✅ Rotate multiple domains & inboxes for safer scaling.

4) Domain Providers: Not Guilty… Except When They Are 👀
They just sell domains—they don’t affect reputation.
🚨 But beware: Some resell bulk domains that already have a bad history.
❌ If you buy a flagged domain, you start with zero trust.
Fix it:
✅ Buy from reputable providers (Google Domains, Namecheap, Cloudflare).
✅ Check domain history before purchasing (MxToolBox, Talos Intelligence).

So, Who’s to Blame?
☑ Mostly the sender.
☑ Sometimes the ESP.
☑ Rarely the cold email software.
☑ Almost never the domain provider (unless they sold you a bad one).

Ever had your domain reputation take a hit? What was the reason? Drop your experience in the comments. Let’s learn from each other.
-
Here’s a streamlined guide for an efficient SMTP penetration test:

1. Information Gathering
Objective: Identify the SMTP server’s version and configuration.
Tools: Use telnet, nc, or Nmap to perform banner grabbing.
MX Records: Check these with dig or nslookup to confirm email routing.

2. Authentication Testing
Objective: Verify the strength of authentication mechanisms.
Tools: Use Hydra or Medusa to test for weak credentials, default logins, or misconfigurations. Focus on common username-password combinations.

3. Vulnerability Scanning
Objective: Detect known vulnerabilities.
Tools: Perform automated scans with Nessus or OpenVAS for comprehensive vulnerability assessment.

4. Open Relay Testing
Objective: Check if the server is an open relay (which could be exploited for spam).
Tools: Use smtp-user-enum to see if the server relays unauthenticated emails. Ensure that no unauthorized external messages can pass through.

5. Exploitation & Privilege Escalation
Objective: Identify any further steps an attacker could take post-exploitation.
Approach: Test methods to escalate privileges if any vulnerabilities are identified. Only proceed with ethical intent.

Each of these condensed steps helps you cover the core aspects of SMTP security with maximum efficiency, enabling a proactive approach to safeguard email communications.
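Both this guide (steps 2 and 4) and the earlier "Deep Dive" post (its brute-force and open-relay items) describe activities that leave a distinctive trail in the MTA's own log, which is what the blue team watches for whether the source is an assessment or a real attacker. As an added example, not code from either post, the Python below parses Postfix `smtpd` log lines, recognises two event types (SASL authentication failures and "Relay access denied" rejections), and raises one alert per source IP and event type when the count inside a sliding window crosses a threshold. The log lines are constructed in the Postfix format with documentation-range IPs; the threshold of 5 events in 60 seconds is a choice for this example, not a Postfix default.

```python
"""Detect SMTP authentication brute force and relay probing in Postfix smtpd logs.

Added example, not code from either post. The log lines are constructed in the
Postfix smtpd format; the IPs come from documentation ranges. The threshold and
window are choices for this example, not Postfix defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$"
)
# "warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ..."
AUTH_FAIL_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed")
# "NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <x>: Relay access denied; ..."
RELAY_DENY_RE = re.compile(
    r"RCPT from [^\s\[]+\[(?P<ip>[0-9a-fA-F.:]+)\]: \d{3} \d\.\d\.\d .*Relay access denied"
)


def parse_event(line: str, year: int = 2025):
    """Return {'ts', 'ip', 'kind'} for a line of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps omit the year, so the caller supplies it
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    for kind, rx in (("auth_failure", AUTH_FAIL_RE), ("relay_denied", RELAY_DENY_RE)):
        hit = rx.search(m["msg"])
        if hit:
            return {"ts": ts, "ip": hit["ip"], "kind": kind}
    return None


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per (ip, kind) when >= threshold events fall inside window_s seconds."""
    recent = defaultdict(deque)  # (ip, kind) -> timestamps inside the current window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["kind"])
        q = recent[key]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ev["ip"], "kind": ev["kind"], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


# Constructed sample: a fast auth-failure burst, a slow one, and a relay probe
_FAIL = "warning: unknown[{ip}]: SASL {mech} authentication failed: authentication failure"
_RELAY = ("NOQUEUE: reject: RCPT from unknown[{ip}]: 554 5.7.1 <a@example.net>: "
          "Relay access denied; from=<x@example.org> to=<a@example.net> proto=ESMTP helo=<probe>")
SAMPLE_LOG = [
    "Oct 12 10:00:00 mx1 postfix/smtpd[1201]: connect from unknown[203.0.113.5]",
] + [
    f"Oct 12 10:00:{s:02d} mx1 postfix/smtpd[1201]: " + _FAIL.format(ip="203.0.113.5", mech=m)
    for s, m in ((1, "LOGIN"), (3, "LOGIN"), (5, "PLAIN"), (7, "PLAIN"), (9, "LOGIN"))
] + [
    "Oct 12 10:00:30 mx1 postfix/smtpd[1202]: " + _FAIL.format(ip="198.51.100.7", mech="LOGIN"),
    "Oct 12 10:05:30 mx1 postfix/smtpd[1202]: " + _FAIL.format(ip="198.51.100.7", mech="LOGIN"),
] + [
    f"Oct 12 10:10:{s:02d} mx1 postfix/smtpd[1203]: " + _RELAY.format(ip="203.0.113.9")
    for s in (0, 2, 4, 6, 8)
]


def run_sample() -> list:
    """Run the detector over the constructed log; returns two alerts."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The two slow failures from 198.51.100.7 five minutes apart never cross the threshold, which is the point of a sliding window rather than a plain counter: legitimate users mistype passwords, attackers do it in bursts. Feed the same parser into your SIEM and pair the alert with the "suspicious login alerts" and rate-limit items from the defensive checklist earlier on this page.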
-
#Phishing campaigns stemming from legitimate services like gmail.com and outlook.com have gone too far. Big tech is inadvertently lending credibility to phishers who are using their free services to scam innocent people but is looking the other way. Regulators should step in to enforce rules to allow for easy identification of false and malicious accounts from free services, and the providers should be held accountable if they fail to comply. Age, utilisation, health and reputation indicators on a per account basis should be made public as they could help threat intelligence services easily pinpoint suspect accounts. A brand new account sending an email could be flagged as suspicious. An older but very seldom used account could also be deemed suspicious. A spam sending account could be flagged with bad reputation and a malware sending account could be automatically blocked. We need free services providers to do more to help protect the public. #cybersecurity #regulation #phishing
-
Sending 10,000 automated emails a week is not conducive to a healthy domain. Email providers pick up on this activity, assume your domain is guilty of spamming, and treat it accordingly.

I’ve personally spoken with CEOs whose investor update emails have landed in SPAM and senior salespeople whose proposals don’t make it to potential buyers because their email health is in the toilet.

This doesn’t stop at email, either. These penalties apply to your entire domain. That means all the careful work your marketing team does to build up domain reputation—which is critical for SEO—is put at risk by SDRs engaging in irresponsible sending practices trying to hit their target.

Here are a few pointers that can help:
1. Prospect from a new domain, not a corporate domain
2. Warm up your mailboxes
3. Do not send more than 75 messages per day per mailbox
4. Personalize some of the emails
5. Don't send sequences that are longer than four emails

Less activity, higher quality.
-
Your emails are landing in spam, and you have no idea. (I wish someone told me this sooner)

Maildoso introduced a game-changing feature. It lets you check the overall health of your domains and email accounts. Before this, there was no automatic way to monitor this.

Why does this matter? Cold emailing can decrease your domain's health. When your domain is burned, emails land in spam. Meaning your prospects never even see your emails.

Here's how to fix it:
- Log in to your Maildoso account.
- Go to the Email Accounts section.
- Check the Google and Microsoft Scores.

If you see the score declining:
- Reduce the number of emails sent from that account.
- Increase the warm-up emails.
- Let burned accounts rest for 2 weeks.

This simple step ensures your emails land in the inbox. Not the spam folder.

P.S. How are you tracking deliverability?
-
I keep meeting ppl who use Hubspot / Mailchimp for Cold Email.

Here's why this is a VERY bad idea:
They buy a list
Upload it to Hubspot / Mailchimp / Activecampaign
And then send out a mass mailing like they're sending a newsletter.

1) You'll destroy your company domain.
Cold email is unsolicited
So some recipients will hit the SPAM button
Guess what that does to your company domain over time
It'll get blacklisted as a domain that sends Spam.
Which means the domain you've been using for years is now toast.
And your real emails will start going to Spam as well.

2) You'll land in Spam.
Cold email needs to be SEQUENCED.
i.e. one email sent at 11:38 another email at 12:54 and so on.
If you blast 600 people at once from one email address all the spam guardians will think "Whoa! Someone's spamming!"
...and send those emails right into the Spam folder.

3) These tools track stuff
Hubspot and Mailchimp (and all other such tools) track open rates.
They send a tiny HTML code snippet with the email that will inform HS/MS that the email has been opened.
And this code snippet serves as an alert to the spam guardians.
Because normal emails don't send such code snippets.
And so you'll land in Spam, yet again.

The secret of Cold Email is this:
To the software guarding the recipient's inbox, it needs to appear like a legit email.
And all the tools out there try to mimic normal behavior ...at scale.

Tools to use for cold email
1) Use Porkbun to buy cheap domains that are variations of your actual domain:
If your real domain is BobsConsulting dot com
Buy BobTheConsultant, ConsultingByBob, RobsConsulting dot com etc.
2) Use Cheapinboxes to put 2 email addresses on each domain.
3) Use EmailBison. Big benefit vs Instantly / Smartlead: You get your own dedicated IP address. Lower chances to land in spam. (yep, it costs $499/mo. Cold email is cheap but not free)
4) Send max 10 emails to new leads each day (+ 20 follow ups to previously contacted leads)

That way, you will A) land in the recipient's inbox and B) not mess up your own, real domain.

Hubspot or Mailchimp are meant to NURTURE people who already know you.
Only use purpose-built tools for Cold Email.
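The "tiny HTML code snippet" in point 3 above is an open-tracking pixel: a remote image, usually one pixel square or hidden by CSS, whose URL carries a per-recipient token so the sender's server logs a hit when the mail client fetches it. As an added example, not code from the post, the Python below parses an HTML email body with the standard-library parser and flags images that match the common pixel heuristics: remote (http/https) source, 1x1 or hidden by inline style, or a long opaque token in the query string. The HTML is a constructed sample, and the heuristics and the 16-character token length are choices for this example rather than any filter vendor's rules. On the receiving side this is the kind of check a mail filter or a privacy-minded client runs; on the sending side it shows what your own outgoing mail looks like to one.

```python
"""Flag open-tracking pixels in an HTML email body.

Added example, not code from the post. The HTML is a constructed sample; the
heuristics (remote image that is 1x1, hidden, or carries an opaque token) and
the 16-character token threshold are choices for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


def find_tracking_pixels(html: str) -> list:
    """Return [{'src', 'reasons'}] for each remote image that looks like a tracker."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:, data:) images cannot phone home
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 size")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if any(TOKEN_RE.match(v) for vals in parse_qs(url.query).values() for v in vals):
            reasons.append("opaque token in query string")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits


# Constructed sample body: a normal logo, two trackers, and an inline image
SAMPLE_HTML = """<html><body>
<img src="https://www.example.com/logo.png" width="200" height="50" alt="Example Inc">
<p>Hi there, quick question about your outbound setup.</p>
<img src="https://track.example.com/o/abcdef0123456789abcd.gif" width="1" height="1">
<img src="https://t.example.com/open?id=9f1c2d3e4b5a6978abcd" style="display: none">
<img src="cid:signature-photo" width="1" height="1">
</body></html>"""


def run_sample() -> list:
    """Scan the constructed body; returns the two tracking images."""
    return find_tracking_pixels(SAMPLE_HTML)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Note the `cid:` image with a 1x1 size is deliberately not reported: an inline attachment never contacts a remote server, so it cannot track an open. `str.removesuffix` requires Python 3.9 or later.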