The question came up on slack and I started bullet pointing what would make a domain suspicious. Seemed like a reasonable blog post. In no particular order, some features that make a domain suspicious to spam filters. Domain is used in… … mail users complain about … mail users delete without reading … mail sent in bulk through the ISP (example: Censorship, Email and...
Botnet activity warning
A bit of advice from the folks at the CBL, posted with permission and some light editing. I’ve been seeing some folks report longer connection times at some places, and this might explain some of it. It’s certainly possible, even likely, that the large ISPs are getting a lot of this kind of traffic. A botnet, likely a variant of cutwail, has been for the past several years been...
GDPR and Whois data
For folks who aren’t following the discussion about whois records and GDPR compliance there’s a decent summary at vice.com: What Is Going to Happen With Whois? The problem, briefly stated, is that ICANN has agreements with the thousands of domain registrars around the globe like GoDaddy or HostGator which oblige the companies to post WHOIS data—such as names, emails, and phone...
Ransomware email protected by DMARC
Virus bulletin has an interesting post about DMARC and how some criminals are protecting their emails with DMARC.
Email is inherently a malicious traffic stream
It’s something many people don’t think about, but the majority of the traffic coming into the SMTP port is malicious. Spam is passively malicious, in that it just uses resources and bothers people. But there is a lot of actively malicious traffic coming into the SMTP port. Email is used as a vector to spread viruses and other malware. Email is also used for phishing and scamming. Many...
Spam, Phish or Malware?
Some mornings I check mail from my phone. This showed up this morning. My first thought was “oh, no, Pizza Hut is spamming, wonder who sold them my address.” Then I remembered that iOS is horrible and won’t show you anything other than the Friendly From and maybe it was some weird phishing scheme. When I got to my real mail client I checked headers, and sure enough, it...
What about the bots?
M3AAWG published a letter to the FCC addressing the implementation of CSRIC III Cybersecurity Best Practices (pdf link) The takeaway is that of the ISPs that contribute data to M3AAWG (37M+ users), over 99% of infected users receive notification that they are infected. I hear from senders occasionally that they are not the problem, bots are the problem and why isn’t anyone addressing bots...
LinkedIn shuts down Intro product
Intro was the LinkedIn product that created an email proxy where all email users sent went through LinkedIn servers. This week LinkedIn announced it is discontinuing the product. They promise to find new ways to worm their way into the inbox, but intercepting and modifying user mail doesn’t seem to have been a successful business model.
Compromising a Mail Client
Your entire work life is in your work mail client. All the people you communicate with – co-workers, friends, family, vendors, customers, colleagues. Every email you send. Every email you receive. Any files you attach or receive. If someone can compromise your mail client, they can see all that. They can save copies of all your emails, data-mine them and use them for whatever purpose they...
Flush your DNS cache (again)
This time it appears that DNS for major websites, including the NY Times, has been compromised. Attackers put in DNS entries that redirected visitors to a malware site. The compromise has been fixed and the fake DNS entries corrected. However, people may still have the old data in their DNS caches and security experts are suggesting everyone flush their DNS cache to make sure the fake data is...