
What Next for Email Service Providers?

John Levine

It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events suggests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.)

The Online Trust Alliance published some guidelines that offer mostly good advice. So what should ESPs do now?

First, this is a situation that needs to be fixed, not glossed over. There's nothing shameful about a business being attacked by bad guys; that shows you're successful enough to be worth attacking. What's shameful is not protecting oneself and one's customers against future attacks that will certainly come. Claims like "only one of our customers was phished" give the message that an ESP doesn't take the problem seriously, and is a sitting duck for the next round of compromises.

It seems likely that most if not all of the attacks are from the same group of people, so the more that ESPs share data about the attacks with each other and with law enforcement, the better the chance of tracking them down. (If you're with an ESP that hasn't arranged to share attack data, have someone from your security department drop me a line and I'll make some introductions.)

Beyond that, ESPs need to limit the damage from both the current attacks and future ones. That means making it hard to break in, and detecting and mitigating break-ins when they happen. Valuable data needs to be treated as though it's valuable: limit access to it, and log access by both internal and external users. Encrypt databases so that if a backup falls off the proverbial truck, there's no compromise, since the data is useless without the key. (And don't put the keys on the same backup as the data.)

Compromised customers have been tricked into installing keyloggers, hidden malware that sends a copy of everything the victim types to the attacker. ESPs can and should alert the customer and ensure that they remove the malware, but the unfortunate fact is that removing malware is hard, and users who can be tricked once can often be tricked again. (This doesn't imply that the customers are dumb — who'd have expected a spreadsheet that appears to be about employee benefits to include an embedded Flash application that exploits a Flash security hole?) Changing the customers' passwords doesn't help, since the keylogger will steal the new password the next time the customer logs in. But there are ways to make it harder for keyloggers to steal passwords. One is to use a variable password. Rather than having the user type the whole password each time, pick three positions at random and have them type those three letters. Stealing those letters won't help if the next login asks for different ones. Or use an external security device, which could be a keyfob that generates a security code, or the client's mobile phone, to which the ESP texts a one-time password on each login. These techniques should be familiar to anyone who banks online.
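The "three random positions" login described above, written out as an added example (this is not code from the post or from any ESP). It picks three distinct positions per login, verifies the typed characters in constant time, and shows why a keylogger that captures one answer cannot replay it against the next challenge. The user name, the password and the challenge size are constructed for the demo; the important practitioner caveat is in the comment at the top: because the server must recover individual characters, the password cannot be stored as a one-way hash, so this scheme trades keylogger resistance for the need to keep the secret under reversible, well-protected encryption (or to pair it with a one-time code from a device, as the paragraph also suggests).

```python
import hmac
import secrets

# Constructed demo credential store. Assumption (see lead-in): a partial-password
# challenge needs individual characters, so the secret must be stored retrievably
# (e.g. encrypted under a key held in an HSM/KMS), not as a one-way hash.
# It is plaintext here only so the demo runs offline.
DEMO_USERS = {"alice": "c0rrect-h0rse-battery"}

POSITIONS_PER_CHALLENGE = 3
_rng = secrets.SystemRandom()  # OS entropy, never random.Random for challenges


def make_challenge(username):
    """Pick three distinct 1-based character positions to ask the user for."""
    length = len(DEMO_USERS[username])
    return sorted(_rng.sample(range(1, length + 1), POSITIONS_PER_CHALLENGE))


def expected_answer(username, positions):
    """The characters of the stored password at the challenged positions."""
    password = DEMO_USERS[username]
    return "".join(password[p - 1] for p in positions)


def verify(username, positions, answer):
    """Constant-time comparison of the typed letters against the stored ones."""
    expected = expected_answer(username, positions).encode()
    return hmac.compare_digest(expected, answer.encode())


def letters_learned(positions, captured_answer):
    """Everything a keylogger that saw one login now knows: the letters at
    those three positions, nothing about the other positions."""
    return dict(zip(positions, captured_answer))


def replay_attempt(username, captured_answer, fresh_positions):
    """A captured answer replayed against a fresh challenge. It only succeeds
    if the fresh challenge happens to ask for exactly the same positions."""
    return verify(username, fresh_positions, captured_answer)


if __name__ == "__main__":
    challenge = make_challenge("alice")
    typed = expected_answer("alice", challenge)      # what the legitimate user types
    print("challenge", challenge, "verified:", verify("alice", challenge, typed))
    print("keylogger learned:", letters_learned(challenge, typed))
    print("replay against new challenge:",
          replay_attempt("alice", typed, make_challenge("alice")))
```

Rate-limit failed challenges and rotate the positions on every attempt, including failed ones; otherwise an attacker who has captured several sessions can keep retrying until a challenge lands on positions they already hold.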

The next layer of defense is to detect and stop spamming from client accounts. A simple and fairly effective technique is to look at the URLs in the body of outgoing mail, see if any of them are listed in URL blacklists such as SURBL and the Spamhaus DBL, and if so, lock the account until the ESP can review and fix the mail. It can also be useful to run outgoing messages through widely used anti-spam packages like Spamassassin to check for unusual scores. (Even if the mail turns out to have been sent by the customer, something is seriously wrong if it contains blacklisted URLs or triggers Spamassassin's spam detectors.)
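The outbound URL check from the paragraph above, as an added example that is not code from the post. It pulls the hostnames out of a message body, reduces each to its registrable domain, builds the DNS query names for the two lists the post names (the zones `multi.surbl.org` and `dbl.spamhaus.org` are the ones those lists publish; everything else, including the message bodies, the listed domain and the resolver, is constructed for the demo), and returns a lock-or-deliver decision. The resolver is injected so the example runs offline; in production you would pass a function backed by your own resolver.

```python
import re
from urllib.parse import urlsplit

# Zone names as published by the two list operators the post mentions.
URL_LISTS = {
    "SURBL": "multi.surbl.org",
    "Spamhaus DBL": "dbl.spamhaus.org",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_hosts(body):
    """Hostnames of every http(s) URL in the body, lower-cased and de-duplicated."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def registrable_domain(host):
    """Assumption: crude 'last two labels' reduction. Production code should use
    the Public Suffix List so that e.g. example.co.uk is not reduced to co.uk."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def query_names(host):
    """The DNS names to look up for one host, one per list."""
    dom = registrable_domain(host)
    return {name: f"{dom}.{zone}" for name, zone in URL_LISTS.items()}


def check_message(body, resolve):
    """Return (host, list, answer) for every listed host in the body.
    Assumption: any answer in 127/8 is treated as a listing; real code should
    decode each list's documented return codes, some of which signal errors."""
    hits = []
    for host in extract_hosts(body):
        if IPV4_RE.fullmatch(host):
            continue  # URL lists are for domains; do not query IP literals
        for list_name, qname in query_names(host).items():
            answers = resolve(qname)
            if any(a.startswith("127.") for a in answers):
                hits.append((host, list_name, answers[0]))
    return hits


def decide(body, resolve):
    """Lock the sending account on any hit, otherwise let the mail go."""
    hits = check_message(body, resolve)
    return ("lock_account", hits) if hits else ("deliver", [])


# Constructed stand-in for a DNS resolver: only one made-up domain is "listed".
CONSTRUCTED_LISTINGS = {
    "bad-example.test.dbl.spamhaus.org": ["127.0.1.2"],
    "bad-example.test.multi.surbl.org": ["127.0.0.8"],
}


def fake_resolve(qname):
    return CONSTRUCTED_LISTINGS.get(qname, [])


# Constructed sample messages.
CLEAN_BODY = "Hi all, this month's newsletter is at https://example.com/newsletter - thanks!"
SPAM_BODY = ("URGENT see http://www.bad-example.test/offer now, "
             "also https://example.com/unsubscribe")

if __name__ == "__main__":
    print(decide(CLEAN_BODY, fake_resolve))
    print(decide(SPAM_BODY, fake_resolve))
```

To go live, replace `fake_resolve` with a lookup through the ESP's own resolver (for instance `socket.gethostbyname_ex(qname)[2]`, returning `[]` on `socket.gaierror`); both list operators restrict or refuse high-volume queries that arrive through shared public resolvers, so a commercial sender should read their terms of use before relying on the public zones.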

Beyond that are a variety of tests for suspicious behavior, such as a client uploading a large new list and sending mail to it, or the rejection rate of a client's mail suddenly increasing.
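Both behavioural tests from the paragraph above, as an added example that is not part of the post: a client whose rejection rate in the current sending window jumps well above its own historical baseline, and a client who uploads a list far larger than anything it has sent to before. The client names, window counts, list sizes and every threshold (minimum rejections, the multiple over baseline, the absolute floor, the list-size ratio) are constructed assumptions to be tuned per ESP; the point is the shape of the comparison, against the client's own history rather than a global number.

```python
from dataclasses import dataclass


@dataclass
class SendWindow:
    """Delivery counts for one client over one sending window (e.g. an hour)."""
    client: str
    attempted: int
    rejected: int


def rejection_rate(window):
    return window.rejected / window.attempted if window.attempted else 0.0


def baseline_rate(history):
    """Pooled rejection rate over the client's past windows."""
    attempted = sum(w.attempted for w in history)
    rejected = sum(w.rejected for w in history)
    return rejected / attempted if attempted else 0.0


def rejection_spike(history, current, min_rejects=50, ratio=4.0, floor=0.05):
    """Flag when the current window's rejection rate is both at least `ratio`
    times the client's baseline and above an absolute floor, with enough
    rejections that the rate is meaningful. Thresholds are assumptions."""
    base = baseline_rate(history)
    return (current.rejected >= min_rejects
            and rejection_rate(current) >= max(floor, ratio * base))


def new_list_spike(prior_list_sizes, new_list_size, ratio=3.0, min_size=10_000):
    """Flag a newly uploaded list that dwarfs everything the client has used
    before (and is big enough to matter). Thresholds are assumptions."""
    biggest = max(prior_list_sizes, default=0)
    return new_list_size >= min_size and new_list_size > ratio * biggest


def assess_client(history, current, prior_list_sizes, new_list_size):
    """Return the list of reasons to hold this client's sending for review."""
    reasons = []
    if rejection_spike(history, current):
        reasons.append("rejection_rate_spike")
    if new_list_spike(prior_list_sizes, new_list_size):
        reasons.append("large_new_list")
    return reasons


# Constructed sample data for two clients.
ACME_HISTORY = [SendWindow("acme", 20_000, 200) for _ in range(5)]   # ~1% rejected
ACME_NOW = SendWindow("acme", 50_000, 6_000)                          # 12% rejected
ACME_LISTS, ACME_NEW_LIST = [15_000, 18_000, 20_000], 120_000

BETA_HISTORY = [SendWindow("beta", 20_000, 200) for _ in range(5)]
BETA_NOW = SendWindow("beta", 20_000, 250)                            # 1.25%
BETA_LISTS, BETA_NEW_LIST = [15_000, 18_000, 20_000], 25_000

if __name__ == "__main__":
    print("acme:", assess_client(ACME_HISTORY, ACME_NOW, ACME_LISTS, ACME_NEW_LIST))
    print("beta:", assess_client(BETA_HISTORY, BETA_NOW, BETA_LISTS, BETA_NEW_LIST))
```

The output of `assess_client` is a reason list rather than a boolean so that the review queue can show why a client was held; a large-list flag on its own may only warrant a human look before the send starts, while a rejection spike mid-send is the case the post's account lock is for.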

Yes, all of these will cost ESPs money. ESPs live in a narrow zone between their clients, who want to pump out vast amounts of mail and want 100% of it delivered instantly (dream on), and recipient networks, who accept and deliver it for free. Every smart ESP knows that their goal is to send mail that the recipients want, and to avoid annoying the recipients and their mail managers as much as they possibly can. Spam is annoying, and spam sent from previously benign sources is really annoying, since it tends not to be filtered well. So now that ESPs are on notice that the data they hold is valuable, and the damage to them from its misuse is so great, I hope they understand what they have to do.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Email, Malware, Spam




Smart Hard Drives – Alex Tajirian – Apr 28, 2011 10:25 PM PDT

Another solution comes from Toshiba through a hard drive that is smart enough to lock down data—or even automatically erase it—if anyone who isn't supposed to access the device tries to, according to Computer World. The drive allows you to set select data on the drive to be encrypted, and you can set different mechanisms for triggering a wipe.
