Recent Posts

… until it stops moving

Nothing is impossible to kill. It’s just that sometimes after you kill something you have to keep shooting it until it stops moving.Mira Grant, Feed
Read More

Your entire work life is in your work mail client.
All the people you communicate with – co-workers, friends, family, vendors, customers, colleagues.
Every email you send. Every email you receive. Any files you attach or receive.
If someone can compromise your mail client, they can see all that.
They can save copies of all your emails, data-mine them and use them for whatever purpose they like. They can build a view of your social network, based on who you exchange emails with, and a model of who you are, based on what you talk about.
That companies like Google do this for “free”, advertising supported webmail shouldn’t be much of a surprise by now – but your corporate email system and your work email is secure, right?
What if an attacker were to set up a man-in-the-middle attack on your employees? Install malware on their iPhone, such that all traffic were transparently routed through a proxy server controlled by the attacker?
Or they could use a more email-centric approach, configuring the compromised mail client to fetch mail from an IMAP server controlled by the attacker that took the employees credentials and passed them through to their real corporate IMAP server – that would let the attacker completely control what the compromised user saw in their inbox. As well as being able to read all mail sent to that user, they could silently filter mail, they could deliver new mail to the users inbox directly, bypassing any mail filters or security. They could even modify the contents of email on-the-fly – adding tracking links, redirection URLs or injecting entirely new content into the message.
Similarly, the attacker could route all outbound mail through a man-in-the-middle smarthost that copied the users credentials and used them to send mail on to their real corporate smarthost. As well as being able to read and modify all mail sent the attacker could also use that access to send mail that masqueraded as coming from the user.
Sounds like the sort of thing you’d expect from criminal malware? Not quite. What I’ve just described is Intro, a new product from LinkedIn.
LinkedIn will be asking your users to click on a link to install a “security profile” to their iPhones. If they do, then LinkedIn will have total control over the phone, and will use that to inject their SMTP and IMAP proxies into your users mailstreams. The potential for abuse by LinkedIn themselves is bad enough – I’ve no doubt that they’ll be injecting adverts for themselves into the mailstream, and their whole business is based on monetizing information they acquire about employees and their employers. But LinkedIn have also been compromised in the past, with attackers stealing millions of LinkedIn user credentials – if they can’t protect their own users credentials, I wouldn’t trust them with your employees credentials.
You might want to monitor where your employees are logging in to your servers from – and suspend any accounts that log in from LinkedIn network space.
Edit: Bishop Fox has looked at Intro too, and come to similar conclusions. TechCrunch too.

The J.D. Falk award 2013

M³AAWG awarded the second J.D. Falk award today in Montreal. The winner was Gary Warner from the University of Alabama.
Gary has been involved in fighting abuse and online crime since the 1990s. He developed the Center for Information Assurance and Joint Forensics Research at the University. This is an education program that not only teaches students about online threats and how to fight them, but collaborates with both industry experts and law enforcement.
You can check out Gary at his blog or on twitter.

Experian selling data to identity thieves

If you’re not following or reading Brian Krebs, you should be. He does some of the best investigative reporting in the email, security and internet space. Today’s blog post is a disturbing look into the data selling and identity theft industries. Brian details evidence that shows Experian (yes, that Experian) has been selling consumer data to identity thieves.

Misdirected email

While this does seem to be more common with gmail addresses, it’s not solely limited to gmail. I’ve written about this frequently.

Everything leaks eventually

We have a role address we use to receive support requests from users of our Abacus ticketing system – they’re typically abuse or security desk administrators at ISPs or ESPs, inside corporate firewalls and protected by multiple layers of security and malware protection.
We’ve been using it since around 1997, so we’ve had a good, spam-free run, but in the past few days it’s started receiving botnet originated malware.
If you give an email address to other people, eventually it’ll leak and start receiving spam and malware.

Looking for some experiences…

… with emailreg.org. A client of mine asked today if it was worth registering domains with emailreg.org as a whitelisting process. I’ve asked a few delivery folks for their feedback, but I was wondering what the broader email community thought. Does registering there help delivery to domains behind barracuda processes? Drop me a line on our contact page or add your experiences in the comments.
I normally reject comments with fake or forged email addresses. Because this may be sensitive and some commenters may want to be anonymous, I’ll let anonymous comments through if they’re clearly not forging someone else’s address.

Is it real or is it spam?

The wanted but unexpected email is one of the major challenges facing ISPs and filter developers. If there was never any need or desire for people to receive email from someone they don’t know, then mail clients could be locked down to only accept mail from addresses on a whitelist. It wouldn’t completely solve the spam problem, for a number of reasons, but it would lessen the problem, particularly for average email users.
But, we don’t live in a world where we know beforehand who will be sending us mail, so we can’t just whitelist correspondents and reject everything else. I think this is a good thing. Email can be used to meet new people, develop new relationships and introduce new opportunities.
While the “cold call” email isn’t much talked about I think it’s worth some discussion. What makes a good cold email? What makes a bad one? We can use two recent emails I received as examples.
Example 1:

No, I'm really not Christine

Got this to one of my accounts recently.

Congratulations and welcome to emailinform.

SORBS – back soon

If you’ve tried to get an address delisted from SORBS this week you’ll have found that their site is degraded, and there’s no way to request delisting.
They’ve been dealing with some very nasty database / hardware problems and while they’re fixing those the externally visible SORBS services are running in a read-only mode (where the list is published, but IP addresses can’t be added or removed).
The migration to new infrastructure is going well, and unless something unexpected happens I’d guess they’ll be running normally some time tomorrow.