Recent Posts

More security problems

I know a lot of people are putting all their eggs in the two-factor authentication (2FA) basket as a solution to the recent breaches. Earlier this year, however, RSA had their internal systems breached and unknown data was stolen. Speculation from a lot of sources is that the information stolen from RSA by the attackers could be used to infiltrate systems protected by 2FA.
Today I, Cringely reports that a very large U.S. defense contractor may have been breached despite protection by SecurID. Anyone who has been around folks that work for defense contractors, or even just people with security clearances, knows that security and secrecy become second nature. They are naturally suspicious and careful, particularly when interacting with secure systems.
What should really concern anyone thinking about implementing security is that the defense contractor’s security folks implemented extra security after the RSA breach, but someone still managed to infiltrate their systems.
Whatever happens with RSA and the defense department, it’s pretty clear that 2FA is not a panacea. And even when we’re talking about security experts, including defense contractors and RSA, hackers can still get into their systems.
Many of the compromises start with spam linking to payloads. In fact, just last night another email expert had their Gmail account compromised, resulting in a virus being sent to multiple mailing lists and individuals. Some of the compromises happen through Facebook with links that fool people who should know better.
Security is critical for everything on the internet. But recently the attackers seem to be gaining the upper hand over the defenders. When even the experts are compromised, what chance does the average user have?
UPDATE: Reuters reports that the defense contractor was Lockheed.

Relevance?

As a past guest and/or meeting planner of Millennium Hotels and Resorts we are pleased to share these occasional special offers. If you no longer wish to receive email communications from us, please click the unsubscribe link. Please note that this broadcast is sent from an address which is not monitored. If you have questions about the offer, please contact us directly. Our hotel contact details may be found in this email offer above or you may visit www.millenniumhotels.com.

Email filters

What makes the best email filter? There isn’t really a single answer to that question. Different people and different organizations have different tolerances for false positives versus false negatives. For instance, we’re quite sensitive to false positives here, so we run extremely conservative filtering and don’t block very much at the MTA level. Other people I know are very sensitive to false negatives and run more aggressive filtering and block quite a bit of mail at the MTA level.
For the major ISPs, the people who plan, approve, design and monitor the filters usually want to maximize customer happiness. They want to deliver as much real mail as possible while blocking as much bad mail as possible. Blocking real mail and letting through bad mail both result in unhappy customers and increase the ISP’s costs, either through customer churn or through support calls. And this is a process: filters are not static. ISPs roll out new filters all the time; sometimes they are an improvement and sometimes they’re not. When they’re not, they’re pulled out of production. This works both for positive filters like Return Path and negative filters like blocklists.
Then there is mail filtering that doesn’t have to do with spam. Business filters, for instance, often block non-business mail. Permission of the recipient often isn’t even a factor. Companies don’t often go out of their way to block personal mail, but if personal mail gets blocked (say the vacation plane ticket or the Amazon receipt) they don’t often unblock it. But when you think about why a business provides email, it makes perfect sense. The business provides email to further its own business goals. Some personal usage is usually OK, but if someone notices and blocks personal email then it’s unlikely the business will unblock it, even if the employee opted in.
In the case of email filters, the free market does work. Different ISPs filter mail differently. Some people love Gmail’s filters. Other people think Hotmail has the best filtering. There are different standards for filtering, and that makes email stronger and more robust. Consumers have choices in their mail provider and spam filtering.

Further amendment would be futile

Both Microsoft and Yahoo filed their motions to dismiss the Holomaxx first amended complaint (FAC). Each company filed the same set of documents.

The wonders of owning a business

We are a small company. We have some contractors that we bring in for projects, but generally everything that gets done here is done by us. Today was heavy lifting day. We started the morning by renting a truck and picking up our two shiny new database servers. Then we headed over to the colo facility to install them and pick up the dead server they’re replacing.
All this is a roundabout way to say that I have not actually thought about delivery at all today. I was going to blog about the filings in the Holomaxx v. Hotmail/Yahoo! case, which are due today. But they’ve not been filed as of 3pm Pacific.
Have a great weekend, and if I don’t see you Monday, have a wonderful afterlife.

User education doesn't work

A growing OSX security problem illustrates why user education is not the solution to virus, spam or malware problems.
HT: @briankrebs

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance-chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email addresses and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T must turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

It would be nice…

It’d be nice to have a tool to uncover the zombie email addys, but until then, read this from @wise_laura: http://bit.ly/jxjZ9M Kelly Lorenz

Spam works

I got a spam today advertising spamming services that ended with a tagline that can be paraphrased: We managed to spam you, let us spam others on your behalf!
OK, so what they actually said was:

Don't take my subscribers away!

Tom Sather has a good summary of the problems with inactive email addresses and why data hygiene is critical to maintain high deliverability. These recommendations are some of the most difficult to convince people to implement.
Some of my clients even show me numbers indicating that a recipient who hadn’t opened or read an email in 18 months suddenly made a multi-hundred dollar purchase. Another client had clear numbers that showed even recipients that didn’t open for an entire year were responsible for 10% of revenue.
They tell me I can’t expect them to let their customers go. These are significant amounts of money and they won’t let any potential revenue go without a fight.
I understand this, I really do. The bottom line numbers do make it tough to argue that inactive subscribers should be removed. Particularly when the best we can offer is vague statements about how delivery may be affected by sending mail to unengaged users.
I don’t think many senders realize that when they talk about unengaged users they are actually talking about two distinct groups of recipients.
The first group is that group of users that actively receive email, but who aren’t opening or reading emails from particular senders. This could be because of their personal filters, or because the mail is going to the bulk folder or even simply because they don’t load images by default. This is the pool that most senders think of when they’re arguing against removing unengaged users.
The second group is that group of users that never logs in at all. They have abandoned the email address and never check it. I wrote a series of posts on Zombie Emails (Part 1, 2, 3) last September, finishing with suggestions on how to fight zombie email addresses.
Unlike senders, ISPs can trivially separate the abandoned accounts from the recipients who just don’t load images. Sending to a significant percentage of zombie accounts makes you look like a spammer. Not just because spammers send mail to really old address lists, but because a number of spammers pad their lists with zombie accounts in order to hide their complaint rates. The ISPs caught onto this trick pretty quickly and also discovered this was a good metric to use as part of their filtering.
I know it’s difficult to face the end of any relationship. But an email subscription isn’t forever and if you try to make it forever then you may face delivery problems with your new subscribers.
