Home / Blogs

What Next for Email Service Providers?

John Levine

It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events suggests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.)

The Online Trust Alliance published some guidelines, that offer mostly good advice. So what should ESPs do now?

First, this is a situation that needs to be fixed, not glossed over. There's nothing shameful about a business being attacked by bad guys; that shows you're successful enough to be worth attacking. What's shameful is not protecting oneself and one's customers against future attacks that will certainly come. Claims like "only one of our customers was phished" give the message that an ESP doesn't take the problem seriously, and is a sitting duck for the next round of compromises.

It seems likely that most if not all of the attacks are from the same group of people, so the more that ESPs share data about the attacks with each other and with law enforcement, the better the chance of tracking them down. (If you're with an ESP that hasn't arranged to share attack data, have someone from your security department drop me a line and I'll make some introductions.)

Beyond that, ESPs need to both limit the damage from the current attacks and from future ones. That means both making it hard to break in and detecting and mitigating breakins when they happen. Valuable data needs to be treated as though it's valuable. That means limiting access to it, and logging access by both internal and external users. Encrypt databases so that if a backup falls off the proverbial truck, there's no compromise since the data is useless without the key. (And don't put the keys on the same backup as the data.)

Compromised customers have been tricked into installing keyloggers, hidden malware that sends a copy of everything the victim types to the attacker. ESPs can and should alert the customer and ensure that they remove the malware, but the unfortunate fact is that removing malware is hard, and users who can be tricked once can often be tricked again. (This doesn't imply that the customers are dumb — who'd have expected a spreadsheet that appears to be about employee benefits to include an embedded Flash application that exploits a Flash security hole?) Changing the customers' passwords doesn't help, since the keylogger will steal the new password the next time the customer logs in. But there are ways to make it harder for keyloggers to steal passwords. One is to use a variable password. Rather than having the user type the whole password each time, pick three positions at random and have them type those three letters. Stealing those letters won't help if the next login asks for different ones. Or use an external security device, which could be a keyfob that generates a security code, or the client's mobile phone, to which the ESP texts a one-time password on each login. These techniques should be familiar to anyone who banks online.

The next layer of defense is to detect and stop spamming from client accounts. A simple and fairly effective technique is to look at the URLs in the body of outgoing mail, see if any of them are listed in URL blacklists such as SURBL and the Spamhaus DBL, and if so, lock the account until the ESP can review and fix the mail. It can also be useful to run outgoing messages through widely used anti-spam packages like Spamassassin to check for unusual scores. (Even if the mail turns out to have been sent by the customer, something is seriously wrong if it contains blacklisted URLs or triggers Spamassassin's spam detectors.)

Beyond that are a variety of tests for suspicious behavior, such as a client uploading a large new list and sending mail to it, or the rejection rate of a client's mail suddenly increasing.

Yes, all of these will cost ESPs money. ESPs live in a narrow zone between their clients who want to pump out vast amounts of mail and want 100% of it delivered instantly (dream on), and recipient networks who accept and deliver it for free, Every smart ESP knows that their goal is to send mail that the recipients want, and to avoid annoying the recipients and their mail managers as much as they possibly can. Spam is annoying, spam sent from previously benign sources is really annoying, since it tends not to be filtered well. So now that ESPs are on notice that the data they hold is valuable, and the damage to them from its misuse is so great, I hope they understand what they have to do.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cyberattack, Cybercrime, Email, Malware, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Smart Hard Drives Alex Tajirian  –  Apr 28, 2011 10:25 PM PDT

Another solution comes from Toshiba through a hard drive that is smart enough to lock down data—or even automatically erase it—if anyone who isn't supposed to access the device tries to, according to Computer World. The drive allows you to set select data on the drive to be encrypted, and you can set different mechanisms for triggering a wipe.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

Non-English "IDN Email" Addresses Are Finally Working!

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Sponsored Topics