Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

28 Apr 2011

What next for Email Service Providers? Email

It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events sugests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.)

The Online Trust Alliance published some guidelines, that offer mostly good advice. So what should ESPs do now?

First, this is a situation that needs to be fixed, not glossed over. There's nothing shameful about a business being attacked by bad guys; that shows you're successful enough to be worth attacking. What's shameful is not protecting oneself and one's customers against future attacks that will certainly come. Claims like "only one of our customers was phished" give the message that an ESP doesn't take the problem seriously, and is a sitting duck for the next round of compromises.

It seems likely that most if not all of the attacks are from the same group of people, so the more that ESPs share data about the attacks with each other and with law enforcement, the better the chance of tracking them down. (If you're with an ESP that hasn't arranged to share attack data, have someone from your security department drop me a line and I'll make some introductions.)

Beyond that, ESPs need to both limit the damage from the current attacks and from future ones. That means both making it hard to break in and detecting and mitigating breakins when they happen. Valuable data needs to be treated as though it's valuable. That means limiting access to it, and logging access by both internal and external users. Encrypt databases so that if a backup falls off the proverbial truck, there's no compromise since the data is useless without the key. (And don't put the keys on the same backup as the data.)

Compromised customers have been tricked into installing keyloggers, hidden malware that sends a copy of everything the victim types to the attacker. ESPs can and should alert the customer and ensure that they remove the malware, but the unfortunate fact is that removing malware is hard, and users who can be tricked once can often be tricked again. (This doesn't imply that the customers are dumb--who'd have expected a spreadsheet that appears to be about employee benefits to include an embedded Flash application that exploits a Flash security hole?) Changing the customers' passwords doesn't help, since the keylogger will steal the new password the next time the customer logs in. But there are ways to make it harder for keyloggers to steal passwords. One is to use a variable password. Rather than having the user type the whole password each time, pick three positions at random and have them type those three letters. Stealing those letters won't help if the next login asks for different ones. Or use an external security device, which could be a keyfob that generates a security code, or the client's mobile phone, to which the ESP texts a one-time password on each login. These techniques should be familiar to anyone who banks online.

The next layer of defense is to detect and stop spamming from client accounts. A simple and fairly effective technique is to look at the URLs in the body of outgoing mail, see if any of them are listed in URL blacklists such as SURBL and the Spamhaus DBL, and if so, lock the account until the ESP can review and fix the mail. It can also be useful to run outgoing messages through widely used anti-spam packages like Spamassassin to check for unusual scores. (Even if the mail turns out to have been sent by the customer, something is seriously wrong if it contains blacklisted URLs or triggers Spamassassin's spam detectors.)

Beyond that are a variety of tests for suspicious behavior, such as a client uploading a large new list and sending mail to it, or the rejection rate of a client's mail suddenly increasing.

Yes, all of these will cost ESPs money. ESPs live in a narrow zone between their clients who want to pump out vast amounts of mail and want 100% of it delivered instantly (dream on), and recipient networks who accept and deliver it for free, Every smart ESP knows that their goal is to send mail that the recipients want, and to avoid annoying the recipients and their mail managers as much as they possibly can. Spam is annoying, spam sent from previously benign sources is really annoying, since it tends not to be filtered well. So now that ESPs are on notice that the data they hold is valuable, and the damage to them from its misuse is so great, I hope they understand what they have to do.

posted at: 12:41 :: permanent link to this entry :: 1 comments
posted at: 12:41 :: permanent link to this entry :: 1 comments

comments...        (Jump to the end to add your own comment)

Speaking of costing ESPs money... the big ESPs are moving in a direction that will inexorably put the little guys (like me) out of business. The experience with Yahoo described below is the third one I've had, in which access to the customers of a major ESP has been suddenly denied without cause and without evidence, and also in which the remedy offered by the ESP did not work. I have also learned that my experience is far from unique. Do we really want an internet with just a few giant, privately-held ESPs who don't answer to the whole community of e-mail users? I think not, and for many reasons, including the civil defense reasons that originally motivated the development of the Internet Protocol.

John, I'm forced to communicate with you in this way because I can't find your e-mail address anywhere. When I alerted them to my experiences, EFF referred me to you. Here's my complaint to the FCC:

Dear Consumer,

Thank you for contacting the Federal Communications Commission (FCC). This is an automated message to confirm that we have received your correspondence. We will review your information to determine how we can best serve you.

If you need to send additional information, you may reply back with this email, leaving the case number (example: CIMS0123456789) in the subject line, or contact us at our toll free phone number 1-888-Call-FCC (1-888-225-5322) and reference the case number.

The Federal Communications Commission

Visit us at our Web Site located at, where you will find a wealth of information on a wide variety of communications-related topics. ---------- Original Message ---------- From: Received: 5/5/2011 10:39:01 AM Subject: Yahoo is suddenly denying our longstanding access to a few of its customers, without cause. Dear FCC Commissioners,

We operate two e-mail forums, both related to the ISO 13250 "Topic Maps" standard. All of the addressees have explicitly opted-in; we do not send spam to anyone.

On April 26, Yahoo began blocking access by our server to all addressees with yahoo mailing addresses.

Obviously, Yahoo's policies in this regard are a matter for its customers to evaluate. It does, however, seem contrary to the spirit of open communications that:

(1) suddenly and without warning, our Yahoo addressees can't receive mail that they have requested, and

(2) Yahoo is placing a paperwork and business-practice-disclosure burden upon us in our role as the provider of a public communications service -- a service we provide at no charge and without advertising or deriving income in any other way. Our server is logging many messages like the following message (I have redacted the addressee in this one):

May 5 08:06:34 amati postfix/error[23228]: 044CC349F66F: to=, relay=none, delay=147448, delays=147448/0.01/0/0.03, dsn=4.7.1, status=deferred (delivery temporarily suspended: host[] refused to talk to me: 421 4.7.1 [TS03] All messages from will be permanently deferred; Retrying will NOT succeed. See

If you look at the website indicated above, you'll see that Yahoo is seeking to collect valuable business-practice information from us, as one price of restoring access by our server to Yahoo customers. If such a practice is lawful and within regulatory guidelines, then we need improvement in the law or regulatory framework. Otherwise, communications between individuals are subject to the caprice of giant corporations, and smaller entities cannot expect equal access to the public by means of communications networks. Moreover, the public cannot expect ESPs to refrain from arbitrary sudden censorship of their incoming mail -- even mail which they have explicitly requested. Needless to say, *all* our e-mail to yahoo addressees, including personal and business mail, has been blocked. Aside from the serious public policy implications, it may also be a case of tortious interference with our onging business relationships.

I'll be glad to answer any questions if you'd like to know more. It seems worth mentioning that Yahoo operates similar forum services at no charge; it profits from these by attaching advertisements to each e-mail -- something we do not do. Can it be that Yahoo is harassing us in order to "persuade" us to put our lists under *its* control?

Steve Newcomb Coolheads Consulting +1 910 363 4032

Our forums:

(by Steve Newcomb 07 May 2011 09:36)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

Remembering JD Falk - 10 years later
223 days ago

A keen grasp of the obvious
New Hope for the Dead
465 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.