Recent Posts

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Happy April Fools!

There’s nothing useful I can post on April the first. Plus, it’s sunny and 85 here and, I’m about to declare it the weekend.
So I leave you with a picture of what I Can Haz Cheezburger thinks of our business.

Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

Does your unsubscribe process work? Are you sure?

I stumbled across an interesting problem today.
A company I bought something from a while back added me to their newsletter. They seem to be having trouble making sales this quarter, as they’ve gone from an occasional email every few weeks to bombarding me with increasingly desperate offers in the past week or two. So I do what most recipients do in that situation (well, the ones who don’t just mark the mail as spam, anyway). I click the unsubscribe link.
I get a perfectly normal, standard unsubscription page, with a nice, prominent “Unsubscribe from all” button with good text explaining that that will remove me from all of the companies mailing lists. No requirements to log in, set dozens of checkboxes or provide a password I don’t have. So far this is a textbook example of a good unsubscription process.
I click the button. Nothing happens. That’s not good.
So I grab one of the people I know over at that ESP and we start looking at it. He clicks the button, and it loads a new page saying that I’ve been unsubscribed from all of the companies mailing lists.
A bit more testing shows that the unsubscription works if you use Internet Explorer or Firefox, but not if you use Safari. The cause of the bug was threefold:

Just give it up already

I have a mail system totally separate from my inbox to use when I’m testing signup forms. Some of them are client, some of them are vendors my clients are thinking about using. In any case, it’s mail I’m seriously concerned won’t stop just by me opting out of it.
The server hosting that mail system has been flakey lately, and needs to be hard power cycled to make it come back. We had a major power glitch this morning and so ended up down at the colo and power cycled that box while we were there.
This box was last working February 4th. It’s been off the internet for almost 2 months now. It wasn’t answering on port 25. It was dead. No mail here. And, yet, a bunch of legitimate email marketers are still attempting to send those addresses mail.
Really. Dead for 2 months and the senders keep trying to mail to those addresses. The server came back about 2 1/2 hours ago. I already have 6 emails from two different senders.
Seriously. If you can’t deliver a mail to someone for TWO MONTHS just give it up already. I am sad that even companies that get the best advice I can give them still can’t get the simple things right.
And, really, don’t argue “but it came back! Clearly we should keep trying!” Yes, it came back. But in all the years I’ve had this disposable email system I have not opened a single image. I’ve not purchased a single thing. I’ve never shown any sign of life on any of those addresses. The mailserver has been down for months at a time. There is no value to continuing to send mail to those addresses. And, yet, people still do it.
Why? WHY!?

News about the Rustock takedown

Spam levels plummeted 2 weeks ago as the Rustock botnet was beheaded. Reports have been trickling out in the press about the takedown, about the botnet and about the team responsible.
Rustock Takedown Analysis at The Register
Brian Krebs’ intitial report of the takedown
Taking down botnets from a Microsoft attorney
Spam Network Shut Down at the Wall Street Journal
Global Spam Levels Graph from Symantec

Spammers, eh?

From my inbox, missed by the spamfilter:

Do you know people who have worked a lot or could not find a job for a long time and suddenly began to earn well, gain valuable items and look better?
We can reveal to you their secret.
Anyone who bought a diploma from us raised their standard of living in half!
Our diplomas are verified and credible. We offer expert help in selection of the right option and a short waiting time.
Don’t look at other – DO YOUR OWN SUCCESS!
—–
+ 1 – 646 – 555 – 1212
—–
We need your infarmation:
1) Your Name
2) Your Country
3) Telephone No. with a code of country if you are outside USA
Do Not Reply to this Email.
We do not reply to text inquiries, and our server will reject all response traffic.
We apologize for any inconvenience this may have caused you.
This is not a spam
If you don’t want to receive this message to your e-mail, call this number and refuse it – spell your e-mail
Read More

Holomaxx v. MSFT and Yahoo

I mentioned way back in January that Yahoo had filed a motion to dismiss the case against Holomaxx. Microsoft filed a motion to dismiss around that time, although I didn’t mention it here.
And, of course, Holomaxx filed a motion in opposition in both the Microsoft case and the Yahoo case. Nothing terribly interesting here, about what you’d expect to read.
On March 11 the judge ruled on both motions to dismiss and in both cases ruled that the case was dismissed. He did, however, give leave for the complaints to be amended in the future.
As I expected the Judge agreed that MSFT and Yahoo have protection under the CDA. First, the court made it clear that providers are allowed wide leeway in determining what is objectionable to their customers.

Letters to the abuse desk

Ben over at Mailchimp has shared some of the mail that comes into the mailchimp abuse desk. It’s a post well worth a read.
One of the things that leaped out at me during that post is that the positive emails highlight how much the Mailchimp delivery and compliance people help their users get good delivery. They’re not just saying “you can’t do that” because they’re mean or they want to make life more difficult for their users. They are saying no because what the user wants to do is a bad idea.
I also appreciated the letter from the customer who had to tell Mailchimp that management had decided to not take Mailchimp’s advice. This is something that happens to me sometimes. Clients agree with my recommendations but management decides that they’re not going to implement them. It can be difficult to watch, particularly when I then see how much that company is struggling with blocks or see them show up on some of the big spam lists. But, it’s also part and parcel of the job. Not everyone, no matter how effectively I make my cases, will take my advice.

Getting it so wrong

One of the things I notice is when vendors send me badly formatted emails. There’s one vendor of ours that gets it so wrong I find it offensive to receive their mails. Not only have they not managed to invoice or process payments correctly for months, but their billing emails come to me with one of the ugliest From: lines I’ve ever seen.
Now, I’ve seen Dave Crocker’s lectures on email address. I believe that technically this is a legal From: address. But, seriously? I’m amazed they ever get mail delivered.
“COMPANY <Firstname.Lastname”@company.com
Yes, I changed the name to protect the stupid.
I tried to reply to the email address and my mail client tells me “this does not appear to be a valid email address.” Well, no. No it doesn’t. But let’s try anyway.
And there’s the bounce. “Invalid address!!!”.
This vendor is sending out invoices with totally broken From: address. I wonder how many of their customers are not getting an actual invoice from them?
But, being the helpful person I am, I actually mailed the person and pointed out that their From: address was horribly broken and may be negatively impacting their delivery. I’m not expecting an answer, but at least I have done my good deed for the day.
As part of the deployment process of any new email system you should check to make sure the address is correct and people can reply to it. That single test “reply to mail” would have identified this problem 5 months ago and not taken one of their recipients to point it out to them.