Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Security, security, security
Amendment is futile, part 2

Related Posts

Spammers and the law

Robert Soloway, one of the people crowned with the title “Spam King”, has been released from jail. He was an extremely prolific spammer, generating over 10 trillion messages over the course of his career.
As Mr. Soloway exits jail, another spammer heads to serve his 20 year sentence. Peter Maxson Anyanyueze sent Nigerian 419 spams telling people they could profit from helping him move money around. The scam is that the victim needs to pay small amounts of money, sometimes totalling tens or hundreds of thousands of dollars.

Read More

Light blogging for a while

Sorry for the lack of substantive posts, things seem to have gone completely out of control and I’m not finding a lot of extra cycles to sit down and blog. I’ll try and get some stuff up this week, but I’m also getting ready for MAAWG and the sessions I’m a part of there.
There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”
You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.

Read More

Time for a real security response

I’ve seen a number of people and blogs address the recent breaches at some large ESPs make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists.  These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.

Read More