Phishing and trust

Tom Sather has a great post up on the RP Email marketing blog discussing phishing. His point is that phishing lowers the overall trust in email marketing. He lists a number of things marketers should consider doing to counteract that loss of trust.
I rely heavily on the use of tagged addresses to deal with phishing in my own mailbox. If an email doesn’t come to the right address, then it’s immediately tossed as a phish. Unfortunately, as data leaks increase this is becoming less effective as a strategy.

Related Posts

Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost, though. I’m going to try to answer some questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing, as sending email to a lot of people “properly” such that it’s delivered to them in a timely fashion, it’s sent only to people who want it and so on is quite difficult to do well and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really know the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon were your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by who and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways

Read More

Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

Read More

Real. Or. Phish?

After Epsilon lost a bunch of customer lists last week, I’ve been keeping an eye open to see if any of the vendors I work with had any of my email addresses stolen – not least because it’ll be interesting to see where this data ends up.
Yesterday I got mail from Marriott, telling me that “unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.”. Great! Lets start looking for spam to my Marriott tagged address, or for phishing targeted at Marriott customers.
I hit what looks like paydirt this morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email address.
It’s time to play Real. Or. Phish?
1. Branding and spelling is all good. It’s using decent stock photos, and what looks like a real Marriott logo.
All very easy to fake, but if it’s a phish it’s pretty well done. Then again, phishes often steal real content and just change out the links.
Conclusion? Real. Maybe.
2. The mail wasn’t sent from marriott.com, or any domain related to it. Instead, it came from “Marriott@marriott-email.com”.
This is classic phish behaviour – using a lookalike domain such as “paypal-billing.com” or “aolsecurity.com” so as to look as though you’re associated with a company, yet to be able to use a domain name you have full control of, so as to be able to host websites, receive email, sign with DKIM, all that sort of thing.
Conclusion? Phish.
3. SPF pass
Given that the mail was sent “from” marriott-email.com, and not from marriott.com, this is pretty meaningless. But it did pass an SPF check.
Conclusion? Neutral.
4. DKIM fail
Authentication-Results: m.wordtothewise.com; dkim=fail (verification failed; insecure key) header.i=@marriott-email.com;
As the mail was sent “from” marriott-email.com it should have been possible for the owner of that domain (presumably the phisher) to sign it with DKIM. That they didn’t isn’t a good sign at all.
Conclusion? Phish.
5. Badly obfuscated headers
From: =?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <Marriott@marriott-email.com>
Subject: =?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?=

Base 64 encoding of headers is an old spammer trick used to make them more difficult for naive spam filters to handle. That doesn’t work well with more modern spam filters, but spammers and phishers still tend to do it so as to make it harder for abuse desks to read the content of phishes forwarded to them with complaints. There’s no legitimate reason to encode plain ascii fields in this way. Spamassassin didn’t like the message because of this.
Conclusion? Phish.
6. Well-crafted multipart/alternative mail, with valid, well-encoded (quoted-printable) plain text and html parts
Just like the branding and spelling, this is very well done for a phish. But again, it’s commonly something that’s stolen from legitimate email and modified slightly.
Conclusion? Real, probably.
7. Typical content links in the email
Most of the content links in the email are to things like “http://marriott-email.com/16433acf1layfousiaey2oniaaaaaalfqkc4qmz76deyaaaaa”, which is consistent with the from address, at least. This isn’t the sort of URL a real company website tends to use, but it’s not that unusual for click tracking software to do something like this.
Conclusion? Neutral
8. Atypical content links in the email
We also have other links:

Read More