SH Consulting

SH Consulting Email Security
Email Deliverability
Regulatory Compliance
https://sh.consulting/

An email security & deliverability consultant, operating a seven-figure, one-person consultancy. The primary focus is on providing email technology solutions for real estate agents and teams.

09/03/2025

A few Microsoft subdomains have been hijacked, and now porn-related content is being hosted under Microsoft.com.

This happened through a CNAME dangling attack, where scammers connect to a DNS zone via expired domains and begin showing malicious content directly on a website.

Moreover, these pages are being indexed by Google. If reported often enough, a website can lose trust and authority.

CNAME dangling can also compromise your emails, because the scammer’s server is effectively whitelisted within your email infrastructure.

And this tanks your domain reputation.

While cybersecurity might be the last thing real estate agents want to think about, they are being scammed 24/7, and AI makes them even more vulnerable to those threats.
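An added example, not part of the original post: a defensive audit of your own zone for the dangling CNAMEs described above. The zone export, the DNS answers and the `rcode_of` stand-in resolver are constructed sample data, and `parent_domain` is a simplification.

```python
# Added example: audit a zone export for CNAMEs whose targets no longer exist.
# ZONE and DNS_STATE are constructed sample data; in practice `rcode_of`
# would wrap a real DNS lookup against your resolver.

ZONE = [  # (owner name, record type, target)
    ("www.example.com", "CNAME", "sites.hosting.example."),
    ("promo.example.com", "CNAME", "campaign.expired-vendor.example."),
    ("shop.example.com", "CNAME", "store-1234.hosting.example."),
    ("example.com", "MX", "mail.example.com."),
]

DNS_STATE = {  # constructed answers: name -> response code
    "sites.hosting.example": "NOERROR",
    "hosting.example": "NOERROR",
    "mail.example.com": "NOERROR",
}


def rcode_of(name):
    """Stand-in resolver: any name not listed answers NXDOMAIN."""
    return DNS_STATE.get(name, "NXDOMAIN")


def parent_domain(name):
    """Last two labels; a simplification (real code needs the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])


def audit_cnames(zone, rcode=rcode_of):
    """Return (owner, target, severity) for every CNAME that points at nothing."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        target = target.rstrip(".").lower()
        if rcode(target) != "NXDOMAIN":
            continue  # target still resolves, nothing dangling here
        if rcode(parent_domain(target)) == "NXDOMAIN":
            # The whole target domain is gone, so anyone can register it.
            severity = "target domain unregistered or expired"
        else:
            # Provider is alive but this hostname was released.
            severity = "target host missing at a live provider"
        findings.append((owner, target, severity))
    return findings
```

Either finding means the CNAME should be removed or repointed before someone else claims the target.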

08/31/2025

I was lucky enough to get access to both the DMARC data and inbox of a 3-character .com domain that closely resembles the well-known brand YKK.

The domain, yyk.com, belongs to a friend of mine and was registered back in 1996. It’s barely used - just a few emails are sent each week through their Google Workspace account.

However, the volume of incoming email is staggering. Dozens of emails arrive daily from people who mistakenly type the wrong domain when trying to reach YKK. As a result, legitimate messages meant for YKK regularly end up in this inbox.

In less than a month, DMARC data revealed over 900 spoofed emails sent from the domain. Some of these spoofed messages were blocked by recipient security gateways, and the actual .com account received the bounce-back notifications - including the full contents of the rejected emails.

One spoofed email described a medical emergency and pitched a nationwide volunteer rescue network: https://shconsult.ing/R5bm0g6n

Another included a phishing link: https://shconsult.ing/dlSvrJDd

There were even spoofed emails sent to Wells Fargo that appeared to come from the real .com address (the "To" field is blurred for privacy). Fortunately, their SEG rejected the messages: https://shconsult.ing/J5NPLh7M

The contents of those emails remain unknown.

Between March 21 and 24, we received 5 bounce-back notifications from external systems, reporting delivery failures from spoofed messages. In addition, I saw:

- Several PayPal money requests sent to unrelated recipients
- A wide range of scams
- Numerous messages from actual YKK customers - which will sadly never reach their intended recipients.

It’s wild to see how people who own these domains - often far removed from the tech world, just living their lives and holding onto short domains they registered in the ’90s - can be impersonated by threat actors. Their ownership can be silently exploited to harm others, many of whom are equally unaware of how email and spoofing attacks work.

A good name can be damaged without the owner even knowing it.

And that’s the reality of email security today - it affects everyone, even those who think they’re not part of it.

10/26/2024

I'm incredibly proud to be part of such an amazing real estate community - where people are not only friendly and open-minded but also eager to learn new technologies to tackle challenges along the way.

Email security and deliverability might seem far from real estate, but thanks to industry leaders and influencers who emphasize the importance of secure, well-configured email systems, it’s becoming a vital part of our industry's reality.

A huge thank you to Preston Guyton and Jon Cheplak for the opportunity to contribute at the conference, sharing knowledge that helps make the industry better - more compliant with email standards and regulations and more secure than ever before.

It was so exciting to finally meet our partners, clients, and friends - many of whom had only existed online until now.

Elena Kee, Jennifer Staats, Travis J. Halverson, Janelle Quick, Jessica E. Boswell, Buddy Blake

You’re true rockstars! Should we meet up at a Metallica concert sometime? :)

More good stuff to come!

10/03/2024

We currently have a client who is under a targeted spoofing attack. Although the client had never reported issues with fraudulent emails originating from their domain, after implementing the DMARC security protocol we identified 1,224 and 5,166 phishing emails being distributed to Yahoo users through the Google infrastructure.

While the incident was reported the day after the first attack occurred and appropriate recommendations were provided, our insights were not taken seriously and were subsequently ignored.

Following the second incident, the client received several angry responses from victims, which provided further evidence of the problem. It has now been nearly a week since the incident, and the client still isn't convinced that DMARC enforcement and additional security measures are necessary.

For those reading this post, keep in mind that your email deliverability is a derivative of your email security. While our services have improved deliverability and got the emails out of spam, these two attacks have dropped the domain reputation back to the minimum, once again leading to emails being filtered into spam.

The more attention you pay to security, the better your deliverability will be.

For those unaware, "spoofing" is a technique that allows threat actors to send emails from your email address without having real access to your account - LITERALLY from the email address you use (not even a similar one).
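An added example, not part of the original post: how counts like the ones above are read out of a DMARC aggregate (RUA) report. The report XML is constructed sample data using documentation IP ranges, and `summarize` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report; IPs are documentation ranges and
# example.com stands in for the protected domain.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>reporter.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>25</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""


def summarize(xml_text):
    """Tally DMARC pass/fail message counts from one aggregate (RUA) report."""
    # Reports come from third parties; outside of a demo, parse untrusted
    # XML with a hardened parser (for example defusedxml).
    root = ET.fromstring(xml_text)
    out = {
        "reporter": root.findtext("report_metadata/org_name", ""),
        "policy": root.findtext("policy_published/p", "none"),
        "passed": 0, "failed": 0, "failed_not_blocked": 0,
        "failed_by_ip": Counter(),
    }
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            out["passed"] += count
            continue
        out["failed"] += count
        out["failed_by_ip"][row.findtext("source_ip", "?")] += count
        # disposition "none" means the receiver took no action on the failure.
        if ev is None or ev.findtext("disposition") == "none":
            out["failed_not_blocked"] += count
    return out
```

With `p=none` published, every failing message in the sample lands in `failed_not_blocked`, which is the gap that enforcement closes.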

09/19/2024

After configuring Yahoo CFL for several domains, I figured out that Mailchimp fails to recognize spam reports for certain Yahoo-owned domains. These domains include:
comnetcomnet

Subscribers with email addresses from these domains continue to remain active subscribers, even after marking emails as spam.

Be cautious with your email newsletters and always monitor the email feedback loop. Cross-check any abuse reports with your Mailchimp database, unless you have a script or a Zapier integration that automates this process for you.

09/03/2024

Every time before you send a newsletter or add a new lead to an action plan, consider cleaning up your database, as it’s likely full of spam traps and throwaway emails that drag down your deliverability.

When you notice low email open rates, it doesn’t mean your emails are going to spam - you might want to check what % of your database consists of real people, especially those coming through social media ads.

This is quite easy to identify: simply go to your FUB, Mailchimp, Constant Contact, etc., and search for common offensive words or patterns like "123", "abc", "1111", "girl", etc.

You might be surprised by which leads are entering your pipeline and who's receiving your action plans, batch campaigns, and weekly newsletters.

And this is where your deliverability issues begin - it’s not FUB, trigger words, or even invalid emails in your database, which likely make up about 10% of all the emails you have.

The real culprits are spam traps, throwaway accounts, bot submissions, and large corporations monitoring how responsibly you send emails and whether you care about who you’re sending to and what you’re sending.

And when they see you don’t really care, they start rejecting your emails or spam filtering them.

08/28/2024

Yesterday, I faced a phishing attempt where a TA exploited vulnerabilities on the vertigo360.me server. They impersonated Squarespace customer support, attempting to deceive me into renewing one of my domains.

The phishing email originated from IP address 212.132.122.97, which is part of the RIPE NCC network and appears to be associated with the domain pibaas.com in the UK. However, further investigation revealed that this domain has never been registered, suggesting that the hostname ip212-132-122-97.pbiaas.com was likely dynamically generated.

The lack of an SPF record on the vertigo360.me server allowed the TA to send the phishing email without any authentication checks, leading to its successful delivery. Had an SPF policy with -all/FAIL been in place, the server would have recognized the email as potentially spoofed and blocked it accordingly.

Also, the absence of a DMARC policy left the door wide open for this phishing attempt. Implementing a DMARC policy with the p=reject setting, along with a RUA tag for reporting, would help in identifying legitimate sources and blocking suspicious ones, significantly reducing the risk of such attacks.

Interestingly, the phishing link within the email led to a non-existent blog on Dutch Blogspot, adding another layer of deception to this attempted scam.
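An added example, not part of the original post: a check of a domain's TXT records against the two settings recommended above (SPF ending in `-all`, DMARC with `p=reject` and a `rua` tag). The function names are hypothetical, and the record strings in the usage are constructed.

```python
# Added example: classify SPF and DMARC TXT records. Inputs are the TXT
# strings published at <domain> (SPF) and at _dmarc.<domain> (DMARC).

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_posture(txt_records):
    """Return 'missing', 'multiple', 'no-all', or the all term such as '-all'."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"  # more than one SPF record is a permanent error
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            # A bare "all" carries the default "+" (pass) qualifier.
            return term if term[0] in "+-~?" else "+" + term
    return "no-all"


def dmarc_posture(txt_records):
    """Return (policy, has_rua); policy is 'missing' when no record exists."""
    for r in txt_records:
        if r.lower().replace(" ", "").startswith("v=dmarc1"):
            tags = parse_tags(r)
            # A record without a p tag is treated here as monitoring only.
            return tags.get("p", "none").lower(), "rua" in tags
    return "missing", False


def meets_recommendation(spf_txt, dmarc_txt):
    """True only for SPF '-all' plus DMARC p=reject with a rua address."""
    policy, has_rua = dmarc_posture(dmarc_txt)
    return spf_posture(spf_txt) == "-all" and policy == "reject" and has_rua


# Constructed usage: a domain with no records, as in the incident described.
print(spf_posture([]), dmarc_posture([]), meets_recommendation([], []))
```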

Address

Miami, FL
