Security issues affect us all

I’ve been talking about security more on the blog. A lot of that is because the security issues are directly affecting many senders. The biggest effect recently has been on companies ending up on the SBL because their signup forms were the target of a subscription attack. But there are other things affecting online spaces that are security related. Right now not much of it is affecting email senders, but it’s good to be aware of.
DDoS attacks
There has been an increase in DDoS attacks against different companies and networks. Some of the online game sites have been targeted, including EA, Blizzard and others. A group called PoodleCorp is claiming responsibility for those attacks.
Another set of DDoS attacks hit Brian Krebs’ website this week. The site stayed up, but Akamai has told Brian they can no longer host his website. His website is down for now and the foreseeable future.
While this activity doesn’t affect marketers directly, it does tell us that there is active development happening on the less legal side of the internet. The volumes of the recent attacks have set records. They’re also changing in scope and including new kinds of traffic in an effort to knock sites offline. Even more concerning, the attackers appear to be systematically probing defenses, as if preparing to attack the internet as a whole.
Increase in Spam
Spam has been on the decrease over the last few years. Many of us were treating it as a mostly-solved problem. But a new report from Cisco Talos shows that trend is reversing and spam levels are increasing. Current levels are approaching those last seen more than 5 years ago. Cisco Talos has used a number of different sources of data, all showing an increase in spam directly and indirectly.

Chart: CBL total flow volumes over the past ten years.
Cisco Talos also looks at the number of IP addresses in the Spamcop blocklist as a proxy for the amount of spam sent. Average numbers of listed IPs have doubled over pre-2016 levels.
According to the report’s author, this rise is mostly attributed to the Necurs botnet. This botnet is a little different from most, in that it only uses a small subset of infected machines for each spam run. Each machine sends some mail, and then the bot goes quiet.
While this doesn’t affect marketers directly, it does mean that spam filters will be under even more active development. I’ve actually seen some of this increase in activity myself. For me, the addresses hit hardest are the ones stolen from ESPs and retailers over the years.
ISPs being compromised
This week Yahoo announced that over 500 million accounts were compromised. Account owners are being alerted to update their passwords when they log in. Yahoo also notes that genuine mail from Yahoo will carry a special badge when viewed in the Yahoo web client and the smartphone applications.
The icon is a small purple Y next to the from address in the inbox, and it also appears in the message itself.
Of concern is that Yahoo has attributed the hack to state sponsored actors. On the surface it’s hard to believe that a government would care about getting into people’s Yahoo mail. But, as Yahoo and other mail providers are used worldwide, they may be looking for access to certain accounts, and it’s easier to take all of them than to pick out a few. Yahoo has set up a website for customers concerned about the compromise and to answer common questions.
For marketers this isn’t necessarily a direct concern. However, companies that tie account access to email addresses need to address the security of those accounts. What happens when the email address is compromised? How easy is it for someone to get into your system if they own someone else’s email address? Can they find credit card numbers and other PII?
What next?
Well, there isn’t really a what’s next. But security is a major issue online, and with the active development of new tools everyone online needs to start prioritizing security. What are your defenses? What happens when you’re compromised? What can you do? Who do you call? These discussions need to happen, and they need to happen sooner rather than later.

Related Posts

DDoS spreads to the CBL

Spamhaus has mostly mitigated the DDoS against the Spamhaus website and mailserver, but now the CBL is under attack. They have been working to get that under protection as well, but it’s taking some time.
Right now there are no public channels for delisting from the CBL. The Spamhaus Blog will be updated as things change, and I’ll try and keep things updated here as well.
UPDATE: Cloudflare talks about the scope of the attack


CBL website and email back online

The CBL website is back online.
It’s possible that your local DNS resolver has old values for it cached. If so, and if you can’t flush your local DNS cache, and you really can’t wait until DNS has been updated, then you may be able to put a temporary entry in your hosts file to point to cbl.abuseat.org.
You can get the IP address you need to add by querying the nameserver at ns-2038.awsdns-62.co.uk for cbl.abuseat.org. No, I’m not going to tell you the IP address – if you can’t do a basic DNS query, you shouldn’t be modifying your hosts file and you can just wait a day.
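As an added example (not part of the original post), this POSIX shell function turns the authoritative answer for cbl.abuseat.org into a hosts-file line, refusing anything that is not a single well-formed A record for that exact name; the address in the sample is a constructed TEST-NET value, not the real one.

```shell
#!/bin/sh
# Added example: build a temporary hosts-file line from a dig answer,
# with sanity checks before anything is written to /etc/hosts.
#
# The live query the post describes (needs network; its output is the
# "name ttl IN A ip" answer lines that hosts_line expects):
#   dig +noall +answer @ns-2038.awsdns-62.co.uk cbl.abuseat.org A
#
# hosts_line NAME ANSWER_TEXT
#   prints "IP NAME" on success; returns non-zero if the answer does not
#   contain exactly one A record for NAME (e.g. a CNAME, NXDOMAIN, or a
#   record for some other name) or the address is not a valid dotted quad.
hosts_line() {
    name=$1
    answer=$2
    # Keep only A records whose owner is exactly NAME (dig prints a trailing dot).
    ip=$(printf '%s\n' "$answer" | awk -v n="$name." '$1 == n && $4 == "A" { print $5 }')
    # Exactly one matching record; zero or several means do not touch /etc/hosts.
    [ "$(printf '%s\n' "$ip" | grep -c .)" -eq 1 ] || return 1
    # Four numeric octets, each 0..255.
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' || return 1
    printf '%s %s\n' "$ip" "$name"
}

# Constructed sample answer (192.0.2.10 is a TEST-NET-1 documentation address,
# not the real CBL address): append the printed line to /etc/hosts yourself,
# and remember to remove it once DNS has caught up.
sample='cbl.abuseat.org. 300 IN A 192.0.2.10'
hosts_line cbl.abuseat.org "$sample"
```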


How many blocklists do we need?

There’s been a discussion on the mailop list about the number of different blocklists out there. There are discussions about whether we need so many lists, and how difficult the different lists make it to run a small mail system (80K or so users). This discussion wandered around a little bit, but started me thinking about how we got to a place where there are hundreds of different blocklists, and why we need them.
There is a lot of history of blocklists, and it’s long, complicated and involves many strong and passionate personalities. Some of that history is quite personal to me. Not only do I remember email before spam, I was one of MAPS’ first few employees, albeit not handling listings. I’ve talked with folks creating lists, I’ve argued with folks running lists. For a while I was the voice behind a blocklist’s phone number.
The need, desire and demand for different lists has come up over the years. The answer is pretty simple: there are many different types of abuse. One list cannot effectively address all abusive traffic nor have policies that minimize false positives.
Lists need different policies and different delisting criteria. The SBL lists based on volume of email to addresses that are known to have not opted in to receive mail. The PBL lists IPs where the IP owner (usually an ISP) says that the IPs are not supposed to be sending mail by their policy. URIBL and SURBL list domains, not IPs. Some lists have delisting requirements, some let listees remove themselves.
The policies of listing and delisting are not one size fits all, nor should they be.
There are two widely used lists that have significantly different delisting policies: the SBL and the CBL.
The SBL focuses on IP addresses they believe are under the control of or supporting the services of spammers. They measure this by primarily relying on spamtraps, but they also accept forwarded mail from some trusted individuals. Getting delisted from the SBL means explaining to Spamhaus what steps were taken to stop the spam from coming. It’s a manual process with humans in the loop and can require significant business process changes for listees. (We’ve helped dozens of companies resolve SBL listings over the years, contact us if you need help.)
On the other hand, the CBL is a mostly automated list. It lists sources of mail that aren’t real mail servers sending real mail, but are sending a lot of stuff. As they describe it:
