Services, abuse and bears

A couple of weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not only new companies that fail to think about abuse potential before launching a service.

I don’t have enough fingers to count the instances over the years when — in running one of the largest email systems in the world at my previous employer — I had to shut down a new product launch because the peer-initiated email feature of the new product was insecure.

Margot also points out that networks that allow peer-initiated messages have an average of over 20 spamtraps per IP address. The only surprise about this statistic is how low it is. Margot mentions spammer abuse as one of the primary reasons, but I don’t think every form used by Return Path clients is actually open to spammer abuse. Yes, thinking about how to spammer-proof peer submission is important. But it’s just as important to think about how to stop legitimate submitters from inadvertently hurting your reputation.
It’s not just forms that have problems; social networking sites also see users and spammers abusing their services.
No security is going to be perfect. After years and years of this, all those of us who fight abuse can do is acknowledge that we’re never going to actually stop spammers, scammers and criminals from attacking and compromising services. We are never going to outrun the bear. But that doesn’t mean we shouldn’t think about erecting as many fences and obstacles as possible.
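
The kind of fences the post has in mind, written out as an added example (this is not code from the post, from Return Path, or from any product mentioned): a guard for a peer-initiated "tell a friend" endpoint that admits only verified submitters, sends a fixed site template rather than user text, rate-limits both the submitter and each recipient address, and honours a suppression list of addresses that previously bounced or complained. Class and function names, the limits, and the suppression list are assumptions chosen for illustration.

```python
# Added example, not code from the post: a guard for a "tell a friend" style
# peer-initiated email endpoint. Names and limits are illustrative assumptions.
import re
import time
from collections import defaultdict

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_RECIPIENTS_PER_SUBMISSION = 5   # a friend referral is a handful, not a list
MAX_SUBMISSIONS_PER_HOUR = 10       # per verified submitter
MAX_HITS_PER_RECIPIENT_PER_DAY = 3  # one inbox hit by many "friends" is abuse

class PeerMailGuard:
    """Guards a peer-initiated send: the body is a fixed site template, so the
    only things to police are who sends, how often, and to which addresses."""

    def __init__(self, suppression_list, now=time.time):
        self.suppression = {a.lower() for a in suppression_list}  # bounces, complaints
        self.submissions = defaultdict(list)     # submitter id -> send timestamps
        self.recipient_hits = defaultdict(list)  # recipient -> send timestamps
        self.now = now  # injectable clock so the limits can be exercised in tests

    def _recent(self, log, key, window):
        cutoff = self.now() - window
        log[key] = [t for t in log[key] if t > cutoff]
        return len(log[key])

    def check(self, submitter_id, sender_verified, recipients):
        """Return (accepted_recipients, reasons). A submitter-level limit refuses
        the whole request; per-address problems drop only that address."""
        if not sender_verified:
            return [], ["submitter not verified"]
        if self._recent(self.submissions, submitter_id, 3600) >= MAX_SUBMISSIONS_PER_HOUR:
            return [], ["hourly submission limit reached"]
        unique = list(dict.fromkeys(r.strip().lower() for r in recipients))
        if len(unique) > MAX_RECIPIENTS_PER_SUBMISSION:
            return [], ["too many recipients"]
        accepted, reasons = [], []
        for r in unique:
            if not EMAIL_RE.match(r):
                reasons.append(f"malformed: {r}")
            elif r in self.suppression:
                reasons.append(f"suppressed: {r}")
            elif self._recent(self.recipient_hits, r, 86400) >= MAX_HITS_PER_RECIPIENT_PER_DAY:
                reasons.append(f"recipient over daily limit: {r}")
            else:
                accepted.append(r)
                self.recipient_hits[r].append(self.now())
        if accepted:
            self.submissions[submitter_id].append(self.now())
        return accepted, reasons
```

The per-recipient cap is the piece most often forgotten: it is what stops a spamtrap, or one real person, from being hammered by many different "friends" even when every individual submitter stays under their own limit.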
