Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer, it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely that one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESP’s hard-won and hard-fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.
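
The scoping reasoning above (all reported mail traces to one /29 owned by one customer, so a single compromised account is more likely than a compromised ESP) can be checked mechanically against an allocation table. This is an added example, not part of the original post; the allocation table, customer names and report data are constructed and use documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed allocation table: ESP sending ranges -> customer
# (documentation address space, hypothetical customer names).
ALLOCATIONS = {
    "192.0.2.8/29": "customer-a",
    "192.0.2.16/29": "customer-b",
    "198.51.100.0/28": "customer-c",
}

# Constructed abuse reports: (source IP, subject) as a reporter might share them.
REPORTS = [
    ("192.0.2.9", "Your invoice"),
    ("192.0.2.10", "Your invoice"),
    ("192.0.2.13", "Scanned document"),
    ("192.0.2.14", "Your invoice"),
]


def owner_of(ip, allocations):
    """Return (network, customer) for the most specific allocation containing ip."""
    addr = ipaddress.ip_address(ip)
    nets = ((ipaddress.ip_network(n), c) for n, c in allocations.items())
    matches = [(net, cust) for net, cust in nets if addr in net]
    if not matches:
        return None, None
    return max(matches, key=lambda m: m[0].prefixlen)


def scope_reports(reports, allocations):
    """Group reported source IPs by owning customer and classify the likely scope."""
    by_customer = defaultdict(set)
    unallocated = set()
    for ip, _subject in reports:
        net, cust = owner_of(ip, allocations)
        if cust is None:
            unallocated.add(ip)  # not in any customer range: look at shared systems
        else:
            by_customer[cust].add(str(net))
    if unallocated or len(by_customer) > 1:
        verdict = "multiple-customers-or-shared-infrastructure"
    elif len(by_customer) == 1:
        verdict = "single-customer-account"
    else:
        verdict = "no-data"
    return verdict, {c: sorted(n) for c, n in by_customer.items()}, sorted(unallocated)


if __name__ == "__main__":
    print(scope_reports(REPORTS, ALLOCATIONS))
```

A "single-customer-account" verdict is consistent with one stolen set of customer credentials but does not prove it; it tells the responder which account's logins and sends to review first.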

Related Posts

Turn it all the way up to 11

I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day-to-day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employer’s servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam and virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up dealing with law enforcement to deal with criminals. Some of what they deal with is unspeakable: abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us, and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.


Social networks and bulk email

There’s been a bit of a commotion on Twitter and over at J Caldwell’s blog about Al’s reaction to someone harvesting his address off LinkedIn and then adding that email address to his company’s marketing / newsletter database. Al objected to getting the mail, the person who did this shot back that it wasn’t spam, and there was lots of arguing both over Twitter and on the blog post.
This also recently happened when a well-known email marketer took all 500+ of his LinkedIn contacts (including me) and added them to his corporate Christmas card list. His behaviour also created a bit of a stir, although it was a little less public.
That mailing was interesting, because a number of people who received the card thought this was the Best Use of Email, EVER! Some of them went so far as to opine “How could ANYONE not like this mail? What are they, Scrooge?” Well, actually, I found the mail irrelevant and a bit annoying. I have to admit I would have been a lot less annoyed if I knew this was a one-time thing. However, in order to comply with CAN-SPAM he included an opt-out. Which led to some head scratching: have I been added to their full list? Am I going to get their newsletter from now on? Do I have to opt-out? What was he thinking?
Watching both of the above situations go down I have come up with a list of things you must consider when sending bulk mail to people who have connected with you on social networks.


Still more spam stats

MailChannels put together another post looking at spam volumes. Related to that, many people are reporting that bot levels are climbing again.
