Company responsibility and compliance

I blogged a few times recently about Zoho and their issues with malicious actors abusing their platform. They asked me to post the following statement from their CEO, Sridhar Vembu:

Unfortunately phishing has become one of the bad side-effects of Zoho’s rapid growth over the last couple of years, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily and I quickly wanted to share what we have done and will be doing.

The first step is to examine all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones (which also helps in two-factor authentication for accounts). We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.

The second step is around improving and tightening our policies for all users. We have recently revised and changed our policy around SPF (sender policy framework) and implemented DKIM (domain key identified mail) for our domain. This will result in a solid DMARC policy that we will also publish.

There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons.

I commend Zoho for the steps they’re taking. I think they are a step in the right direction.

I also want to emphasize that this is not a problem limited to very large companies. Any company, and I do mean any company, providing email services is a target for malicious entities. It doesn’t really matter how big you are or how small your customer base is. It is crucial for anyone providing online services to have plans for what to do in case of abuse.

Does this mean every company needs a full-fledged compliance desk? Possibly not. If your customer base is very small, say a few hundred customers, and you only advertise to a niche group, then you may get away with hiding from the bad guys. But security through obscurity has never been a long-term solution to most security problems.

In my experience, if you're big enough to have a dedicated customer support desk, then you're big enough to monitor deliverability and abuse. This isn't as hard as it sounds if you're using a third party to send mail. Companies like Sendgrid, Sparkpost, Mandrill and many of the SMTP providers are doing most of the heavy lifting for you. They've signed up for and are collecting feedback loop emails, they're analyzing bounce data, and they're providing all this information to you in an easy-to-digest form.

The simplest thing to do is task one of your support people with monitoring deliverability metrics from your upstream and reading the abuse@ mailbox. As your company grows, they become the lead for your compliance team. Whatever you decide, it’s critical that someone have ownership of compliance. Compliance needs to be built into processes from an early stage.
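As an added example (this is not code from the original post, nor from Zoho or any of the providers named above), the following Python script shows what the first piece of automation on that abuse desk could look like: it parses Abuse Reporting Format (ARF, RFC 5965) feedback-loop reports of the kind mailbox providers send to a registered complaint address, tallies abuse complaints per source IP and per sending address, and flags senders whose complaint count crosses a threshold. The reports, addresses and IP ranges are constructed for the demo; the `make_report` helper, the threshold of two, and the choice to key on the `From:` of the attached original message are assumptions, not any provider's format or policy.

```python
import email
from email.utils import parseaddr
from collections import Counter


def make_report(source_ip, sender, subject, feedback_type="abuse"):
    """Build one constructed ARF report (RFC 5965 layout) for the demo.

    Real feedback-loop reports carry the same three parts: a human-readable
    summary, a message/feedback-report block with machine-readable fields,
    and a copy (full or headers-only) of the message that was reported.
    """
    return "\n".join([
        "From: feedback@mailbox-provider.example",
        "To: abuse@yourcompany.example",
        "Subject: FW: " + subject,
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=feedback-report; boundary="arf"',
        "",
        "--arf",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "This is an email abuse report for a message from " + source_ip + ".",
        "--arf",
        "Content-Type: message/feedback-report",
        "",
        "Feedback-Type: " + feedback_type,
        "User-Agent: ConstructedFBL/1.0",
        "Version: 1",
        "Original-Mail-From: <bounce@yourcompany.example>",
        "Source-IP: " + source_ip,
        "Reported-Domain: yourcompany.example",
        "",
        "--arf",
        "Content-Type: message/rfc822",
        "",
        'From: "Mailer" <' + sender + ">",
        "To: recipient@mailbox-provider.example",
        "Subject: " + subject,
        "",
        "Body of the message the recipient reported as spam.",
        "--arf--",
        "",
    ])


# Constructed sample inbox: three abuse complaints and one "not-spam"
# retraction (RFC 6430). IPs are from the documentation range, not real hosts.
SAMPLE_REPORTS = [
    make_report("192.0.2.10", "promo@yourcompany.example", "Earn money fast"),
    make_report("192.0.2.10", "promo@yourcompany.example", "Your account needs attention"),
    make_report("192.0.2.11", "news@yourcompany.example", "Weekly digest"),
    make_report("192.0.2.11", "news@yourcompany.example", "Weekly digest",
                feedback_type="not-spam"),
]


def parse_arf(raw):
    """Extract the machine-readable fields from one ARF report.

    Returns a dict with the feedback type, source IP, reported domain,
    envelope sender and the From/Subject of the attached original message,
    or None when the input is not an ARF report at all.
    """
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "feedback-report":
        return None
    fields = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The payload of a message/* part is the nested message itself,
            # so its "headers" are the ARF fields.
            report = part.get_payload(0)
            fields["feedback_type"] = (report.get("Feedback-Type") or "").strip().lower()
            fields["source_ip"] = (report.get("Source-IP") or "").strip()
            fields["reported_domain"] = report.get("Reported-Domain")
            fields["mail_from"] = parseaddr(report.get("Original-Mail-From") or "")[1]
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            fields["original_from"] = parseaddr(original.get("From") or "")[1]
            fields["original_subject"] = original.get("Subject")
    return fields if "feedback_type" in fields else None


def complaint_summary(reports, threshold=2):
    """Tally abuse complaints per source IP and per sender.

    Only Feedback-Type "abuse" counts; "not-spam", "fraud", "virus" and
    "other" are skipped here and would be routed separately in practice.
    Returns (per_ip, per_sender, flagged), where flagged is the sorted list
    of senders that reached the threshold.
    """
    per_ip, per_sender = Counter(), Counter()
    for raw in reports:
        fields = parse_arf(raw)
        if not fields or fields["feedback_type"] != "abuse":
            continue
        per_ip[fields["source_ip"]] += 1
        # Prefer the From: of the reported message; fall back to the
        # envelope sender when the provider stripped the original.
        per_sender[fields.get("original_from") or fields["mail_from"]] += 1
    flagged = sorted(s for s, n in per_sender.items() if n >= threshold)
    return per_ip, per_sender, flagged


if __name__ == "__main__":
    per_ip, per_sender, flagged = complaint_summary(SAMPLE_REPORTS)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} abuse complaint(s)")
    for sender, n in per_sender.most_common():
        print(f"{sender}: {n} abuse complaint(s)")
    print("senders to review:", ", ".join(flagged) or "none")
```

Two caveats for anyone wiring this up for real. Providers differ in what they include: some redact the recipient address, some send only the headers of the original message, and when you send through an upstream ESP the `Source-IP` is usually the ESP's relay rather than anything that identifies your customer, so key the tally on whatever does identify the customer in your setup (a VERP return path, an authenticated submission user, a DKIM selector). And a complaint count is a trigger for a human to look, not a verdict; the Blighty Flag story further down this page is the reminder of what happens when an account gets switched off on a complaint nobody reviewed.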

It is, of course, possible to add compliance onto an existing company; that's how most existing companies have done it. But they've mostly done it because of business-interrupting events, after ignoring abuse and compliance issues for too long. Zoho wasn't specifically ignoring compliance; our experience was that they did cut off phishers, but someone missed the bigger picture that other abuse was going on.

Whatever your company size, if you're providing email services you must address abuse issues. The bad guys will find you and abuse you. It's not a question of if but of when. The longer you wait, the more likely it is that you're going to have a business-interrupting event like a Spamhaus listing, disconnection by your ESP or even disconnection by your registrar. Planning ahead doesn't mean you'll never be abused; it just means you'll be equipped to deal with it.

Related Posts

August 2017: The month in email

Hello! Hope all are keeping safe through Harvey, Irma, Katia and the aftermath. I know many people that have been affected and are currently out of their homes. I am proud to see so many of my fellow deliverability folks are helping our displaced colleagues with resources, places to stay and money to replace damaged property.
Here’s a mid-month late wrapup of our August blog posts. Our favorite part of August? The total eclipse, which was absolutely amazing. Let me show you some pictures.

Ok, back to email.
We’re proud of the enormous milestone we marked this month: ten years of near-daily posts to our Word to the Wise blog. Thanks for all of your attention and feedback over the past decade!
In other industry news, I pointed to some interesting findings from the Litmus report on the State of Email Deliverability, which is always a terrific resource.
I also wrote about the evolution of filters at web-based email providers, and noted that Gmail’s different approach may well be because it entered the market later than other providers.
In spam, spoofing, and other abuse-related news, I posted about how easy it is for someone to spoof a sender’s identity, even without any technical hacks. This recent incident with several members of the US presidential administration should remind us all to be more careful with making sure we pay attention to where messages come from. How else can you tell that someone might not be wholly legitimate and above-board? I talked about some of what I look at when I get a call from a prospective customer as well as some of the delightful conversations I’ve had with spammers over the years.
In the security arena, Steve noted the ongoing shift to TLS and Google’s announcement that they will label text and email form fields on pages without TLS as “NOT SECURE”. What is TLS, you ask? Steve answers all your questions in a comprehensive post about Transport Layer Security and Certificate Authority Authorization records.
Also worth reading, and not just for the picture of Paddington Bear: Steve’s extremely detailed post about local-part semantics, the chunk of information before the at sign in an email address. How do you choose your email addresses (assuming they are not assigned to you at work or school…)? An email address is an identity, both culturally and for security purposes.
In subscription best practices — or the lack thereof — Steve talked about what happens when someone doesn’t quite complete a user registration. Should you send them a reminder to finish their registration? Of course! Should you keep sending those reminders for 16 months after they’ve stopped engaging with you? THE SURPRISING ANSWER! (Ok, you know us. It wasn’t that surprising.)

Zoho, phishing and who’s next?

ZDNet reports that Zoho's problems with phishing aren't over. Their report states that Zoho is being used as a pipeline to exfiltrate data from phished accounts.

The Blighty Flag

Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off them, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.
At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult. Sometimes by filing false complaints, other times by actually causing problems through the website.
At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. Postmaster also said he was flagging our account with “the blighty flag” that meant he had to review the account before it would be turned off in the future.
I keep imagining the blighty flag looking like this in somebody’s database.

That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:

This was an accident by a Twitter employee, according to a post by @TwitterGov.