Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches.  To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

I really hope this doesn’t come as a surprise to you, and that you were aware of the compromise. I don’t have much more information than what I’ve already given you, but am happy to answer any questions that I can.

The response was “This is unexpected, we’ll get back to you.” I can only hope that they forgot about the getting back to me part, because it’s been 6 weeks, the spam is ongoing and I’ve not heard boo from them.
But ESPs are not just targets because they’re sources of valid email addresses. Spammers are also using stolen credentials to actually steal ESP reputations. They are using customer credentials to get access to the high powered mail engines and send the spam through an ESP. All that hard work ESPs and their customers do to create and maintain good sending reputations are stolen by spammers. In some cases, the reputations can be relatively easily rebuilt, in others the IP addresses have to be retired from use.
We’re not publishing information about security failures because we’re trying to be mean, or we’re trying to undermine the industry or we’re trying to help the bad guys. ESPs are a target, and many are responding poorly or not at all to the threats.
Other Security related blog posts at Word to the Wise

Related Posts

First spam to Epsilon leaked address

This morning I received the first two spams to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More

More on Rove Digital

Brian Krebs has more on Rove Digital and the criminal connection to other scammers and spammers.

Read More