Brian Krebs posted a couple days ago about his experience with the subscription bomb over the weekend. He talks about just how bad it was over the weekend. At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity’s inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing...
October 2015: The month in email
When you spend most of your day working on email and spam issues, it starts to cross into all aspects of your life. In October, I was amused by authors who find names in spam, SMTP-related t-shirts on camping trips, and spam that makes you laugh. Maybe I need a vacation? We were quite busy with conference presentations and client work this month, but took time to note the things that captured our...
Peeple, Security and why hiding reviews doesn't matter
There’s been a lot of discussion about the Peeple app, which lets random individuals provide reviews of other people. The founders of the company seem to believe that no one is ever mean on the Internet and that all reviews are accurate. They’ve tried to assure us that no negative reviews will be published for unregistered users. They’re almost charming in their naivety, and it...
Ashley Madison Compromise
Last month Brian Krebs reported that the Ashley Madison database was compromised. Ashley Madison is a dating site that targets married folks who are looking to have affairs. Needless to say, there is a lot of risk for users if their data is found on the released data. Today what is supposedly the Ashley Madison data was released. The release of this data can have some significant impacts on the...
Phishing costs company $46 million
Brian Krebs posted about a tech firm that lost $46M dollars due to fraud. The company reported in its SEC filings that the money was lost when someone impersonated an employee and directed the finance department to transfer money to outside accounts. This is becoming more common. In some cases, DMARC authentication may stop this kind of fraud. But DMARC has a lot of deployment challenges and can...
Are botnets really the spam problem?
Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email. Botnets are a problem online. They’re a problem in a lot of ways. They can be...
Deliverability and IP addresses
Almost 2 years ago I wrote a blog post titled The Death of IP Based Reputation. These days I’m even more sure that IP based reputation is well and truly dead for legitimate senders. There are a lot of reasons for this continued change. Improved computing power I touched on the increase in computing power in my 2013 post. The power and the complexity of filters in even greater now than then...
Arrests in ESP data breach
The FBI announced today arrests of three people in the ESP data breaches from the compromises of various ESPs a few years ago. Krebs on Security: Feds Indict Three in 2011 Epsilon Hack Department of Justice: Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History After stealing over a billion addresses from 8 ESPs, the lists were monetized through affiliate...
Email filtering: not going away.
I don’t do a whole lot of filtering of comments here. There are a couple people who are moderated, but generally if the comments contribute to a discussion they get to be posted. I do get the occasional angry or incoherent comment. And sometimes I get a comment that is triggers me to write an entire blog post pointing out the problems with the comment. Today a comment from Joe King showed...
Alice and Bob and PGP Keys
Last week Alice and Bob showed how to cryptographically sign messages so that the recipient can be sure that the message came from the purported sender and hasn’t been forged by a third party. They can only do that if they can securely retrieve the senders public key – which means they need to retrieve it from the actual sender, rather than an impostor, and be sure it’s not...