STOP. SENDING. SURVEYS. FROM.

Reply to STOP. SENDING. SURVEYS. FROM. on Thu, 30 Apr 2026 00:46:18 GMT

mikebabcock@floss.social — Thu, 30 Apr 2026 00:46:18 GMT

@babe disagree. I would rather pay a payments company than your own website I can't audit and I'd rather do surveys at a known survey site than through your domain.
Trust within a domain matters.
#sysadmin #cybersecurity

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 20:27:37 GMT

cazabon@mindly.social — Wed, 29 Apr 2026 20:27:37 GMT

@babe

I've tried to get this through to companies like, for instance, my bank, with little success.

Before I finally managed to "opt out" of the last of their marketing / promotional email, I would get two kinds of messages from them:

1) Regular reminders of secure practice, and how you can't trust who an email comes from, and you should therefore never, ever click a link in an email claiming to be from them.

2) Constant spam for their products and services, all replete with links to follow to get them. These mails all came through outside agencies, from Mailchimp or similar, and with all the links going through a click tracker in some random advertising company's domain.

I couldn't even get their two departments to talk to each other about this.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 18:37:32 GMT

agreeable_landfall@mastodon.social — Wed, 29 Apr 2026 18:37:32 GMT

@babe My own company sends out internal emails that are more like phish than any real one. Sender: not in our global address book. Subject line: You are overdue for training. Body: Click on this PDF file for details.

I sent it to our security folks (it's a big company), and they said, "If it isn't marked "External" it's safe. Uh, where were you in 2010 when our email servers were being run by the Chinese MSS?

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 17:05:37 GMT

missnfranchised@glitterkitten.co.uk — Wed, 29 Apr 2026 17:05:37 GMT

@lesbianhacker @babe Training worked then.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 14:10:35 GMT

dakkar@s.thenautilus.net — Wed, 29 Apr 2026 14:10:35 GMT

@Nonya_Bidniss@infosec.exchange at a previous job, we had a database table called renumeration, it confused everyone
it didn't even track salaries! (I think it tracked money we owed to clients)
@babe@glitterkitten.co.uk

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 14:06:45 GMT

babe@glitterkitten.co.uk — Wed, 29 Apr 2026 14:06:45 GMT

@Nonya_Bidniss One of the common cornerstones of an autodidact's education is being a wordsy bitch. I'd kick myself if I got it wrong!

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 13:33:04 GMT

timmy@goblin.camp — Wed, 29 Apr 2026 13:33:04 GMT

@babe i bought a car and the dealership pre-scheduled maintenance appointments for me, without telling me about this at all. They sent a link to my phone from an unfamiliar 5 digit number, not affiliated with the dealership or manufacturer. i fully ignored it thinking it was a scam text. In Ohio, registration is public record so scammers love to buy the reg records so they know your exact car down to the full VIN

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 13:07:11 GMT

nonya_bidniss@infosec.exchange — Wed, 29 Apr 2026 13:07:11 GMT

@babe Thank you for "remuneration." I hear people say "renumeration" all the time and it drives me nuts. Like, well known people, commentators and such, who should know better.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 13:01:50 GMT

mikaeleiman@mastodon.sdf.org — Wed, 29 Apr 2026 13:01:50 GMT

@babe but… that would be RUDE!?

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 12:57:35 GMT

ocdtrekkie@mastodon.social — Wed, 29 Apr 2026 12:57:35 GMT

@babe Every cloud platform makes me rage for this. yourorganization.whoeverythisis.com being the pattern everyone should just trust and use SSO with?

Or Microsoft which thinks a single Teams workflow should have a user connect to teams.microsoft.com, my.sharepoint.com, planner.cloud.microsoft, and login.microsoftonline.com and hope users will still notice a lookalike phishing domain.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 12:37:51 GMT

[[global:guest]] — Wed, 29 Apr 2026 12:37:51 GMT

@babe I got one of these today from my bank

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 12:27:51 GMT

babe@glitterkitten.co.uk — Wed, 29 Apr 2026 12:27:51 GMT

There is another element to this that companies don't seem to consider:

If you use third party services for surveys, marketing etc, and you tell customers that yes, they are legitimate, not to worry. What's stopping a scammer from copying these emails and sending them from servicenames similar to the legitimate third party vendor?

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 12:25:36 GMT

troed@masto.sangberg.se — Wed, 29 Apr 2026 12:25:36 GMT

@imsop @babe

I choose to read this as we need to have more courses in how to _send_ phishing mails and I just want to say that I'm a professional ethical hacker and I support this message

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:54:40 GMT

penguin42@mastodon.org.uk — Wed, 29 Apr 2026 11:54:40 GMT

@babe Especially when that means they've leaked the separate email address I gave to their org via the survey company.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:31:42 GMT

srazkvt@tech.lgbt — Wed, 29 Apr 2026 11:31:42 GMT

@babe and if they don't want to host the actual surveys themselves, redirects exist

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:23:13 GMT

pitrh@mastodon.social — Wed, 29 Apr 2026 11:23:13 GMT

@imsop @babe I would say that at a bare minimum, mail sent on your domain's behalf needs to come from a host in that domain's SPF info.

I've seen even *password reset* mail come from the great elsewhere, and of course arriving long after any timeout.

But apparently even those deliveries succeed often enough that the misconfigurations persist.

At the cost, in most cases, of me not continuing to be their customer or member.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:22:37 GMT

babe@glitterkitten.co.uk — Wed, 29 Apr 2026 11:22:37 GMT

@Fettlaus And this kind of goes in with part of the risk involved in these practices.

Right now I'm confident the survey from a partner of Uber (which triggered this rant) is legit. But given nothing links to uber, what's to stop a scammer from copying it wholesale? It's the kind of thing that is ripe for scammers to use

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:20:28 GMT

babe@glitterkitten.co.uk — Wed, 29 Apr 2026 11:20:28 GMT

@Fettlaus dhl are one who scammers claim to be, with messages about unpaid charges on packages!

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:12:29 GMT

fettlaus@social.tchncs.de — Wed, 29 Apr 2026 11:12:29 GMT

@babe Or DHL messaging me over WhatsApp(!) about paying some kind of import taxes and fees for a package from the UK. "Just click on this link to pay the fees before the delivery of your package".

Like... what? That's exactly the way any scammer would do it. And it's exactly what I told my parents to be aware of.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:11:59 GMT

imsop@tech.lgbt — Wed, 29 Apr 2026 11:11:59 GMT

@babe So much effort is spent training people about *spotting* phishing attempts, but I have never once seen a single piece of training on how to *send* email, and what minimum standards procurement teams should be *demanding* from third parties.

It's like holding a masked ball, and then complaining that people didn't watch each others faces.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:04:45 GMT

pare@kamu.social — Wed, 29 Apr 2026 11:04:45 GMT

@babe Of course it was reported multiple times as phising. The next day the management was annoyed if not angry why we did report obviously non-malicious emails and we should register using these links!

They were explained that this looked very much like phishing and please could they tell how we should know.

After that there was usually an email from the mgmt which said that yes, the next phising email is not phishing.

But I still think that was a bad solution.

2/2

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 11:01:40 GMT

pare@kamu.social — Wed, 29 Apr 2026 11:01:40 GMT

@babe Once upon a time I was working in a cybersecurity company. Of course we got phising reminders, trainings, and could report emails,

So, after a strict reminder not to click on suspicious links in emails, check domains &c, we got this email for registering for a company party. It was from a third party company, the email came from their domain. The registration link was an another domain. Of course our company was only mentioned in the text.

1/2

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 10:52:41 GMT

pmb00cs@mastodon.online — Wed, 29 Apr 2026 10:52:41 GMT

@jernej__s @babe in my last job one of the dead giveaway signs of a phishing test (not actual phishing, just the internal testing) was that links went to bare domains, and not the internal link filtering domain. It was comical how stupid it was.

Reply to STOP. SENDING. SURVEYS. FROM. on Wed, 29 Apr 2026 09:41:49 GMT

leeloo@c.im — Wed, 29 Apr 2026 09:41:49 GMT

@WiteWulf @horsedreamer @babe
While not wrong, this misses the point.

No, having the correct company domain does not show that an email isn't a scam.

But sending from a domain clearly not related to the company IS an obvious sign of a scam.

Positive vs negative verification.

Unfortunately, "make it look like a scam" is on page one of every book on corporate "best practices".