
Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.

Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.

There’s one ESP I know for a fact that has lost multiple customer lists on three separate occasions. Three companies I get email from are hosted there. When all three of the tagged addresses I had given those companies started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customers or the ESP to my notices about the breaches. To be fair, the problem seems to have stopped more recently.

Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

I really hope this doesn’t come as a surprise to you, and that you were aware of the compromise. I don’t have much more information than what I’ve already given you, but am happy to answer any questions that I can.

The response was “This is unexpected, we’ll get back to you.” I can only hope that they forgot about the getting back to me part, because it’s been 6 weeks, the spam is ongoing and I’ve not heard boo from them.

But ESPs are not just targets because they’re sources of valid email addresses. Spammers are also using stolen credentials to steal ESP reputations outright. They use customer credentials to get access to the high powered mail engines and send their spam through the ESP. All the hard work ESPs and their customers do to create and maintain good sending reputations is stolen by spammers. In some cases the reputation can be rebuilt relatively easily; in others the IP addresses have to be retired from use.

We’re not publishing information about security failures because we’re trying to be mean, or we’re trying to undermine the industry or we’re trying to help the bad guys. ESPs are a target, and many are responding poorly or not at all to the threats.
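The tagged addresses mentioned above, and the seed-on-every-list idea Martijn raises in the comments, are the same detection technique: give each customer list an address nobody else should ever mail, then watch who mails it. The following is an added example, not code from the original post or from any ESP: it derives a per-list seed address with an HMAC (so seeing one tag does not let a spammer predict the others), scans constructed delivery-log lines for mail to a seed from a sender the list owner does not use, and then groups hits by ESP so that one leaked list can be told apart from an ESP-wide compromise. The customer names, ESP names, domains, key and log format are all hypothetical.

```python
"""Seed-address (canary) detection for leaked mailing lists.

Added example, not part of the original post. One tagged address per
customer list; mail to it from anyone other than the list owner means
the list has left the owner's hands. Hits across several customers at
the same ESP point at the ESP rather than at one customer.
"""
import hashlib
import hmac
import re
from collections import defaultdict

SEED_KEY = b"rotate-me-example-key"   # constructed; keep the real key out of source control
SEED_DOMAIN = "seeds.example.net"     # hypothetical domain that receives seed mail

# Hypothetical customer lists: (customer, list_id, esp, authorised sending domain)
LISTS = [
    ("acme",  "newsletter", "esp-one", "mail.acme.example"),
    ("beta",  "promos",     "esp-one", "news.beta.example"),
    ("gamma", "alerts",     "esp-one", "alerts.gamma.example"),
    ("delta", "digest",     "esp-two", "digest.delta.example"),
]

# Hypothetical MTA log format: to=<rcpt> from=<sender>
LOG_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>\s+from=<(?P<sender>[^>]*)>")


def seed_address(customer: str, list_id: str) -> str:
    """Unique, unguessable seed address for one customer list."""
    tag = hmac.new(SEED_KEY, f"{customer}:{list_id}".encode(),
                   hashlib.sha256).hexdigest()[:12]
    return f"seed-{tag}@{SEED_DOMAIN}"


def seed_index(lists=LISTS):
    """Map seed address -> (customer, list_id, esp, authorised sender domain)."""
    return {seed_address(c, l): (c, l, esp, dom) for c, l, esp, dom in lists}


def parse_log(lines):
    """Yield (rcpt, sender) pairs, lower-cased; lines that don't match are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("rcpt").lower(), m.group("sender").lower()


def find_leaks(lines, index):
    """Return {(customer, list_id): [unexpected senders]} for mail hitting a seed."""
    leaks = defaultdict(list)
    for rcpt, sender in parse_log(lines):
        entry = index.get(rcpt)
        if entry is None:
            continue                       # ordinary recipient, not a seed
        customer, list_id, _esp, allowed = entry
        sender_domain = sender.rsplit("@", 1)[-1]
        if sender_domain != allowed:       # list owner mailing its own seed is fine
            leaks[(customer, list_id)].append(sender)
    return dict(leaks)


def classify(leaks, index):
    """Per ESP: 'esp-wide' if more than one customer's seed was hit, else 'single-list'."""
    esp_of = {(c, l): esp for c, l, esp, _ in index.values()}
    by_esp = defaultdict(set)
    for customer, list_id in leaks:
        by_esp[esp_of[(customer, list_id)]].add(customer)
    return {esp: ("esp-wide" if len(customers) > 1 else "single-list")
            for esp, customers in by_esp.items()}


# Constructed log lines: three esp-one customers' seeds get the same spam run,
# delta's seed only sees its own legitimate digest.
SAMPLE_LOG = [
    f"to=<{seed_address('acme', 'newsletter')}> from=<news@mail.acme.example>",
    f"to=<{seed_address('acme', 'newsletter')}> from=<deals@cheap-pills.test>",
    f"to=<{seed_address('beta', 'promos')}> from=<deals@cheap-pills.test>",
    f"to=<{seed_address('gamma', 'alerts')}> from=<offer@cheap-pills.test>",
    f"to=<{seed_address('delta', 'digest')}> from=<digest@digest.delta.example>",
    "to=<someone@example.org> from=<x@y.test>",
]

if __name__ == "__main__":
    idx = seed_index()
    hits = find_leaks(SAMPLE_LOG, idx)
    for key, senders in sorted(hits.items()):
        print(f"{key[0]}/{key[1]}: unexpected mail from {sorted(set(senders))}")
    print(classify(hits, idx))
```

Two caveats a practitioner would add: seeds only tell you a list has leaked, not how (a customer's own export, a stolen credential, or the ESP's database all look the same from the inbox), and the seed addresses must be treated as secrets on both sides, since a spammer who learns which addresses are canaries simply suppresses them.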


3 comments

  1. Martijn Grooten says

    “the spam is ongoing”

    That’s not really surprising, given that even the strongest security solution can’t unsteal addresses. But their reaction (or lack thereof) isn’t good at all – and unfortunately, that’s also my experience with ESPs and leaked lists.

    Some months ago, I started to receive spam on four tagged addresses, three of which I could link to the same ESP (the fourth had never received any legitimate email so I wasn’t 100% sure, but spams always came in fours so I assume they were the same ESP’s customer). I told them when I discovered this, which was a few months after this started. They were happy to hear from me and didn’t seem to be aware of what had happened. If I were to work at an ESP and someone told me this, I would be tempted to at least pretend I was aware. But more likely, I would leave one or more tagged addresses on _all_ of my customers’ lists so that I would know right away when something got leaked.

  2. Al Iverson says

    Hey Laura, can you recommend a good online helmet store?

  3. Michael Hammer says

    Excellent article Laura. Like Steve’s article as well.
