Replies

Paul T wrote:

Using Tilde (~) is a “softfail” and is used for debugging / initial testing. It should be replaced by a minus (-) when you have finished testing – all other sources should fail.

While that’s “suppose” to be how it’s used, in reality using the – fail option “can” cause legitimate e-mails to be rejected, especially if the receiving MTA doesn’t support DMARC verification, so it’s recommended to use ~ softfail instead to avoid that possibly.

• What is the difference between SPF ~all and -all?

Regardless, her tworg.com SPF shouldn’t be using the ? neutral option; which basically returns “unknown” to validation requests.

IreneLinda wrote:

Cloudflare email record is attached for tworg.com. mygoforthegreen.com’s is the same except DMARC is marked “None” and SPF is “Soft Fail”.

Ran a SPF record check on your mygoforthegreen.com domain and its SPF record isn’t close to being the same as tworg.com:

v=spf1 +mx +a +ip4:198.46.81.47 +include:smtp.servconfig.com ~all

Note how, in addition to mx, a and ip4, it includes the outgoing mail server domain where the tworg.com SPF record doesn’t include any of those.

FYI, I ran a MX record check on tworg.com and it’s mail server is mail.tworg.com

I also ran a DKIM record check for tworg.com and, despite what your attachment shows, the results were No DKIM Record found!

Finally, as pointed out by Paul T, the IP addresses in the SPF record for tworg.com do not match what a DNS record check shows:

104.21.60.216 and 172.67.201.204.

So it’s pretty clear the problem is the SPF record for tworg.org isn’t setup correctly which is what’s causing your problem.

BTW, I ran into the same issue where Gmail wouldn’t accept e-mail from my Uncle’s web site and the fix was to add a SPF record that included our mail server domain name.

That link you keep trying to use at Google is for domains “hosted” by Google which is why it’s not working (BTDT!)

Not true.

Take a look at this Krebs on Security article.

• Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

It was published 9 months ago in Sep 2022 which means hackers have probably created even more ways of adding readers to those “flat screen” type ATM slots.

Go back and read the article.

This wasn’t “surreptitiously” installed in their BIOS, it’s a “feature” Gigabyte deliberately built into their motherboards intended to “automatically” keep the drivers/firmware up-to-date.

The problem is it insecurely connects to the internet to download those updates so it’s susceptible to being hacked using a MITM (man-in-the-middle) attack that redirects those download attempts to a nefarious site.

BTW, Gigabyte isn’t the only motherboard manufacturer that does this.

Asus motherboards include a similar payload in their BIOS called “ASUSUpdateCheck.exe” that gets installed into the OS every time it boots to automatically update drivers/firmware.

1 user thanked author for this post.

Alex5723

I used https://mxtoolbox.com/spf.aspx to check the SPF record for tworg.com and it appears it’s setup improperly.

It’s currently using these IP addresses:

v=spf1 ip4:38.113.1.0/24 ip4:38.113.20.0/24 ip4:65.254.224.0/19 ?all

When it “should” use your domain name instead (which will work for all IP addresses assigned to that domain name):

v=spf1 include:tworg.com ~all

It’s also using ?all at the end when it should be ~all.

Actually, it will!

While it won’t prevent access to a “spoofed” .zip/.mov site, it will detect that something’s being downloaded which will kick off its scanning process.

It saves all downloads to a “temporary” location, scans them for possible threats, and; if none are found; then puts them in the real download location on my PC.

If it detects a threat, it deletes the “pending download” from the temp location and pops up a notification explaining why it was blocked with an option to add an exception if I choose to.

If I choose to add the exception, I have to restart the download as the original file is no longer located on my PC!

And yes, this procedure does mean it takes a bit longer for my downloads to complete, but that’s better than possibly getting infected!

Like many other suggestions here on AskWoody, it’s up to each individual to determine the “level of risk” entailed in using it.

Since my anti-virus S/W scans files as they’re downloaded before it allows me to access them and I only download stuff from “reputable” locations, I saw no reason to also have to deal with “Windows” blocking my access to them and implemented that particular GP.

Of course, YMMV.

All my PC’s are Win10 Pro and I never actually tried using Policy Plus, so I downloaded it and here’s what I discovered.

It shows the “Administrative Template” policies for Users or Computer but does not show the “Software Settings” or “Windows Settings” policies; which makes it useless for applying this particular policy!

As to why it doesn’t include those policy categories, only the developer could answer that question but I “suspect” they weren’t included because most users would never need them.

Unfortunately, this means Win10 & 11 Home users will need to modify their registry to apply this policy and, at this point, we don’t know if that actually works.

3 users thanked author for this post.

rc primak, Cybertooth, RetiredGeek

It’s located in the \Services\Dnscache section of the registry so, unless you have the Dnscache service (DNS Client) disabled, it should.

Just be aware, there must be a separate key {Rule GUID} for each Name Resolution Policy you want to apply and the key names are a “randomly generated” 36 character hex value.

The key for my MOV block is {54a5f496-186f-459a-8f70-35ddd056de0b}

The key for my XYZ block is {7b5ab7dd-082b-4f47-95bc-552906b3ab4a}
(note: I didn’t attach the reg file for this one)

The key for my ZIP block is {af9c213e-8011-4eb6-bac6-5e43da4bd456}

I scanned my registry and the \Services\Dnscache section was the only location using those values so you “should” be able to create your own key (as long as it follows that same format and is unique) and have it apply.

For more info about the Name Resolution Policy setting, see Microsoft’s Name Resolution Policy Table (NRPT) page.
(note: while that page indicates NRPT is for Windows Server 2012 & Windows Server 2012 R2, it also applies to the newer versions of Windows Server as well as Win10 & 11.)

2 users thanked author for this post.

rc primak, Cybertooth

Two problems with using UblockOrigin or other “browser” add-ins to do this:

1- It only blocks browser access; “other programs” on your PC can still connect to those domains.

2- It only works for the specific browser that has the add-in installed.

The Group Policy method works to block access by all programs installed on your system!

4 users thanked author for this post.

rc primak, steeviebops, NaNoNyMouse, geekdom

As for the assertion…

the operating system will sometimes just ignore some of those registry entries

It appears that’s only true for Group Policies intended to block “automatic” Windows updates. I know the “registry settings” made by the Group Policies that block “automatic Windows Updates” stopped working on my Aunt’s Windows Home version quite some time ago (had to switch her internet connection to “metered” to stop them!)

But I’ve applied registry settings for “other” Group Policies, and they’ve always worked as expected, and I’ve see posts here on Askwoody by various users who’ve done the same on their Windows Home versions and, so far, they all seem to still work.

Of course, unless you never apply any Windows updates, Microsoft has ultimate control over your Windows installation during the update process and can chose to ignore any settings you’ve changed/applied!

Note: I haven’t been able to apply this new one to my Aunt’s Windows Home setup yet; she’s a CPA and hasn’t been willing to allow me remote access to her PC due to her current work load. I “may” be able to test it this weekend… if another Askwoody user doesn’t beat me to it first.

BTW, attached are the appropriate registry settings to block the MOV and ZIP suffixes, taken directly from my own registry after applying the Name Resolution Policy, as well as versions that will remove the block if you decide you don’t need it.

3 users thanked author for this post.

rc primak, Steve S., geekdom

L95 wrote:

If so, can you provide a link to it?

The link provided by @alex5723 in the post immediately above yours provides detailed instructions on how to do this with one difference, it says to use IP address 127.0.0.1 instead of 0.0.0.0.

As @steeviebops points out in his below post, 0.0.0.0 is a “much better” option because 127.0.0.1 will “redirect” those domains to your local PC and, if it’s running a 3rd party DNS server (i.e. Anti-virus, VPN, etc., etc.) the block won’t work!

Using the 0.0.0.0 IP address will always work because it’s not a valid IP address for any software/hardware!

5 users thanked author for this post.

NaNoNyMouse, rc primak, Berserker79, L95, steeviebops

Open regedit and take a look at the entries, if any, in the following location:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

If there’s an entry for that particular program (i.e. C:\path to executable\??.exe) with a value of ~RUNASADMIN, it’ll cause it to always run as Admin. To stop that from happening, simply delete that entry.

FYI, that section of the registry is where the properties/compatibility settings for programs are saved, if you’ve set any, and clearing the flags for that particular exe “should” have removed it from this section. But maybe it either didn’t properly get cleared or something keeps adding it back in?

Just FYI, that location on my own system has 10 entries but only 7 are set to ~RUNASADMIN and they’re for programs I specifically set to “Run as Administrator” using the properties/compatibility options.

Don’t know if this will work with two monitors having different desktop backgrounds, but it prevented my preferred background from “automatically” changing.

Step 1.

Right-click on an empty section of the desktop, select “Personalize” and, in the right-hand section, set the background to “Picture” and choose the specific image you want to always be displayed.

From what you’ve posted, you’ve already did this step but I’ve included it so others will know about it.

Step 2.

On the same Personalize window, select Themes in the left-hand pane, scroll down until you see the Sync your settings option and select it.

Turn the “Sync settings” toggle OFF.

Step 3.

Press Win + R, enter powercfg.cpl and press enter to open the main “Power options” window.

Click the Change plan settings option for the “active” power plan and then select the Change advanced power settings option at the bottom to open the Power Options “Advanced settings” window.

Expand the Desktop Background Settings > Slide show item and disable it for both “On battery” and “Plugged in“.

Step 4.

Enable the Group Policy Computer Configuration > Administrative Templates > Control Panel > Personalization > Do not display the lock screen.

Not sure if this one is absolutely necessary but, until I set it, my desktop background would sometimes start “automatically changing” after performing a Windows update and, after I set it, that stopped.

Reboot for all the settings to take effect.

1 user thanked author for this post.

MauryS

MHCLV941 wrote:

Group policy is not available in the Home version.

A 3rd party option that does allow you to apply Group Policies for the Home version is Policy Plus.

• Policy Plus brings Group Policy to all Windows editions

It makes the same registry changes as Group Policy on the Windows Pro/Enterprise editions but requires you logoff and/or reboot for them to take effect.

3 users thanked author for this post.

SueW, jburk07, Cybertooth