Company responsibility and compliance

I blogged a few times recently about Zoho and their issues with malicious actors abusing their platform. They asked me to post the following statement from their CEO Sridhar Vembu.

Unfortunately phishing has become one of the bad side-effects of Zoho’s rapid growth over the last couple of years, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily and I quickly wanted to share what we have done and will be doing.

The first step is to examine all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones (which also helps in two-factor authentication for accounts). We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.

The second step is around improving and tightening our policies for all users. We have recently revised and changed our policy around SPF (sender policy framework) and implemented DKIM (domain key identified mail) for our domain. This will result in a solid DMARC policy that we will also publish.

There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons.

I commend Zoho for the steps they’re taking. I think they are a step in the right direction.

I also want to emphasize that this is not a problem limited to very large companies. Any company, and I do mean any company, providing email services is a target for malicious entities. It doesn’t really matter how big you are or how small your customer base is. It is crucial for anyone providing online services to have plans for what to do in case of abuse.

Does this mean every company needs a full fledged compliance desk? Possibly not. If your customer base is very small, like a few hundred customers and you only advertise to a niche group then you may get away with hiding from the bad guys. But security by obscurity has never been a long term solution to most security problems.

In my experience, if you’re big enough to have a dedicated customer support desk, then you’re big enough to monitor deliverability and abuse. This isn’t as hard as it sounds if you’re using a 3rd party to send mail. Companies like Sendgrid, Sparkpost, Mandrill and many of the SMTP providers, are doing most of the heavy lifting for you. They’re signed up for and collecting feedback loop emails, they’re analyzing bounce data and providing all this information for you in an easy to digest way.

The simplest thing to do is task one of your support people with monitoring deliverability metrics from your upstream and reading the abuse@ mailbox. As your company grows, they become the lead for your compliance team. Whatever you decide, it’s critical that someone have ownership of compliance. Compliance needs to be built into processes from an early stage.

It is, of course, possible to add compliance onto an existing company, that’s how most existing companies have done it. But they’ve mostly done it due to business interrupting events because they ignored abuse and compliance issues for too long. Zoho wasn’t specifically ignoring compliance, our experience was they did cut off phishers, but someone missed the bigger picture that there was other abuse going on.

Whatever your company size, if you’re providing email services you must address abuse issues. The bad guys will find you and abuse you. It’s not a question of if, it’s a question of when. The longer you wait the more likely it is that you’re going to have a business interrupting event like a Spamhaus listing, disconnection by your ESP or even disconnection by your registrar. Planning ahead doesn’t mean you’ll never be abused, it just means you’ll be equipped to deal with it.

Related Posts

Complaints, contacts and consequences

Yesterday the CRM system Zoho suffered an unexpected outage when their registrar, TierraNet suspended their domain. According to TechCrunch, Zoho’s CEO says there was no notification to the company and that the company had only 3 complaints about phishing.

Read More

Way to go Equifax

Earlier this month I wrote about how we can’t trust Equifax with our personal data. I’m not sure we can trust them with a cotton ball. Today, we discover Equifax has been sending consumers worried about their personal information leaking to the wrong site.

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More