Be on the lookout

I’m hearing more rumors of ESPs seeing customer accounts being compromised, similar to what happened with The Children’s Place.

Experian CheetahMail identified an isolated incident in which someone used a valid client user ID and password to gain access to the client’s email account and transmit an unauthorized and unlawful email. To recipients, the email appeared as a solicitation from an unrelated sender (disguised as Adobe) and directed viewers to an illicit website requesting credit card information. The impact was limited to a single, targeted outbound email.

I have a few suggestions for companies to be able to identify these types of attacks before mail goes out.
1) Set up monitoring to look for large number of uploads in a particular account. Tens of millions of new addresses, even spread over multiple uploads, should raise red flags and trigger manual review of an account.
2) Scan outgoing messages for links mentioning or advertising Adobe (all the spams so far seem to be linking to adobe phish sites).
3) Monitor for unusual send activity. A customer that sends small amounts of mail regularly, but all of a sudden spikes to 10 or 100 times more mail may be compromised.
4) Monitor FBLs for spikes in activity.
5) Monitor bounces for spikes in activity.
Much of this monitoring should trivially slot into the monitoring that you’re already doing as an ESP. You may want to add alerts to go out to relevant people inside your company.

Related Posts

I hate spam

But sometimes it makes me laugh. Yesterday I got a 419 that said, “[…]have been diagonalized with HIV/AIDS which has defiled all forms of medical treatment[…]” Diagonalized? Defiled all forms of treatment?
At least it was entertaining, right?

Read More

Turn it all the way up to 11

I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day to day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employers servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam and virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up dealing with law enforcement to deal with criminals. Some of what they do is deal with is unspeakable, abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us, and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.

Read More

I don't have a "this is spam" button

Here at Word to the Wise we have some unique requirements for mail. For instance, I need to be able to receive examples of emails that are being blocked elsewhere in order to do my job. This means not only do we not outsource mail to someone else, we also run limited spam filtering on the server side. It does mean I have to wade through a bit more spam than others do, but that’s generally not a problem. My client side filters do a decent job at keeping most of the crud out of my mailboxes.
My work account gets very little spam in the folder I use as my inbox. I’m not even sure exactly why this is, but it’s true. One of the exceptions is a psychic (no, really) who has a copy of one of my work email addresses and she regularly spams me offering her spiritual guidance and the opportunity to buy her stuff in order to make peace within my world.  I’ve received these before, usually I just delete them and move on.
Occasionally, though, I long for the ease of a “this is spam” button. Just to be able to hit a single button, no work, no effort and know that I have registered my frustration with a spammer. Today was one of those days. I really don’t want this psychic spam in my mailbox. It seems reasonably professionally done, though, so I check the headers to see if it’s being send from any ESP I know and if it’s worth my time to send in a “hey, didn’t sign up for this, and no, I didn’t forget, either” email.
I visited the website belonging to the domain sending the mail.

Read More