Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.

Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given that the mail is only coming from one /29, which belongs to one customer, it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely that one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.

This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs; they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESP’s hard-won and hard-fought sending reputation.

Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

1 comment

  1. John Levine says

    Well, the spam does have a funky URL that points to China which is a bit implausible for a clothing retailer that operates only in North America.

    This reinforces my point that ESPs have a lot of valuable data, and they need to treat it that way, which includes looking for customer fraud. It’s the same reason that my bank calls me on the phone to verify unusual transactions.
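The kind of "customer fraud" check the comment above calls for, as an added toy example that is not code from the post, from Cheetahmail or from any ESP: an ESP-side review that holds a campaign when its link domains or send volume depart from that customer's own history. Customer name, campaign history, URLs and the volume threshold are all constructed for the example.

```python
"""Toy ESP-side anomaly check for a compromised customer account.

Added example; customer names, domains, counts and thresholds are constructed.
"""
from collections import defaultdict
from statistics import mean
from urllib.parse import urlparse

# Constructed sending history: (customer, campaign_id, recipient_count, link_urls)
HISTORY = [
    ("retailer-a", "c1", 120_000, ["https://shop.retailer-a.example/sale",
                                  "https://retailer-a.example/unsub"]),
    ("retailer-a", "c2", 110_000, ["https://shop.retailer-a.example/new",
                                  "https://retailer-a.example/unsub"]),
    ("retailer-a", "c3", 130_000, ["https://retailer-a.example/unsub"]),
]


def link_domains(urls):
    """Hostnames of every link in the campaign body (None for bad URLs is dropped)."""
    return {h for h in (urlparse(u).hostname for u in urls) if h}


def baseline(history):
    """Per customer: link domains seen before and mean campaign size."""
    domains, sizes = defaultdict(set), defaultdict(list)
    for customer, _cid, count, urls in history:
        domains[customer] |= link_domains(urls)
        sizes[customer].append(count)
    return {c: (domains[c], mean(sizes[c])) for c in domains}


def review_campaign(customer, count, urls, base, volume_factor=3.0):
    """Return the reasons a campaign should be held for manual review ([] = clean)."""
    reasons = []
    known, avg = base.get(customer, (set(), None))
    new = link_domains(urls) - known
    if new:  # links to hosts this customer has never used before
        reasons.append("new link domains: " + ", ".join(sorted(new)))
    if avg is not None and count > volume_factor * avg:  # sudden volume spike
        reasons.append(f"volume {count} exceeds {volume_factor}x baseline ({avg:.0f})")
    return reasons


if __name__ == "__main__":
    base = baseline(HISTORY)
    # Constructed campaign resembling the incident: unfamiliar link host, much larger send.
    print(review_campaign("retailer-a", 900_000,
                          ["http://unrelated-host.example/x",
                           "https://retailer-a.example/unsub"], base))
```

A real ESP would route held campaigns to a human or an out-of-band confirmation with the customer, which is the "bank calls me to verify" step rather than a silent block.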

