Get a helmet

G

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches.  To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

I really hope this doesn’t come as a surprise to you, and that you were aware of the compromise. I don’t have much more information than what I’ve already given you, but am happy to answer any questions that I can.

The response was “This is unexpected, we’ll get back to you.” I can only hope that they forgot about the getting back to me part, because it’s been 6 weeks, the spam is ongoing and I’ve not heard boo from them.
But ESPs are not just targets because they’re sources of valid email addresses. Spammers are also using stolen credentials to actually steal ESP reputations. They are using customer credentials to get access to the high powered mail engines and send the spam through an ESP. All that hard work ESPs and their customers do to create and maintain good sending reputations are stolen by spammers. In some cases, the reputations can be relatively easily rebuilt, in others the IP addresses have to be retired from use.
We’re not publishing information about security failures because we’re trying to be mean, or we’re trying to undermine the industry or we’re trying to help the bad guys. ESPs are a target, and many are responding poorly or not at all to the threats.
Other Security related blog posts at Word to the Wise

About the author

3 comments

Leave a Reply to Martijn Grooten

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • “the spam is ongoing”
    That’s not really surprising, given that even the strongest security solution can’t unsteal addresses. But their reaction (or lack thereof) isn’t good at all – and unfortunately, that’s also my experience with ESPs and leaked lists.
    Some months ago, I started to receive spam on four tagged addresses, three of which I could link to the same ESP (the fourth never had receive any legitimate email so I wasn’t 100% sure, but spams always came in fours so I assume they were the same ESP’s customer). I told them when I discovered this, which was a few months after this started. They were happy to hear of me and didn’t seem to be aware of what had happened. If I were to work as an ESP and someone told me this, I would be tempted to at least pretend I was aware. But more likely, I would leave one or more tagged addresses on _all_ of my customers’ lists so that I would know right away when something got leaked.

By laura

Recent Posts

Archives

Follow Us