Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Browse by Tags

Tagged Content List
  • Blog Post: Six steps to sending email over IPv6 – my Internet Draft

    A couple of weeks ago, I published my first Internet Draft to the Internet Engineering Task Force (IETF).  Today, I updated it, making it version 2 (but named version 01.txt).  It is titled Recommendations for the use of whitelists for email senders transmitting email over IPv6 . Here’s a quick...
  • Blog Post: Spammers ruining it for everyone

    Last week we had an incident with our outbound reputation that caused delivery issues to various US government agencies who don’t use our service.  One of our customers did something inadvertently that caused our outbound IP reputation to degrade with some 3rd party reputation lists and as a result...
  • Blog Post: Handling the problem of inbound bulk mail

    Over the years, our spam filtering has gotten to be pretty good.  We don’t see a lot of complaints about spam other than the odd escalation (why didn’t your filters stop this “obvious, blatant” spam from coming to my inbox?). However, that doesn’t mean that everything is fine.  There is still...
  • Blog Post: Newest round of Twitter spam

    This one fooled me for a half second. I got an email to my work account indicating that I had 3 delayed messages in my Twitter account.  The social engineering technique is designed to get me to click on the link and redirect me to a spam site, and quite possibly infect my system with malware as...
  • Blog Post: Apparently my reputation precedes me

    I recently made a slight shift in the team I report to at work.  I’m still in anti-spam but the organization under which I report has moved a bit.  Anyhow, we were in a team meeting when my new boss asked people to go around and make introductions.  When it came to me, someone said “We...
  • Blog Post: Not a great week for outbound spam

    It hasn’t been a great week this week (March 1-5) for some of our customers who use us for outbound mail relay.  I’m not going to name names because there have been a wide variety of users, but every single day this week we have had one or two organizations that have been sending abusive content...
  • Blog Post: Why send spam over TLS?

    In my previous post, I noted that rustock had started sending us a whole pile of spam over the TLS protocol.  The question now is why do it at all?  I mentioned in my post that this is clever behavior and one of my readers posted in a comment “What makes this so clever?” The issue of authentication...
  • Blog Post: More Facebook spam

    This morning, I logged into my Facebook account to see what all of my various friends were up to.  Is anyone having a birthday?  I shall write on their wall some warm wishes.  Is anyone doing anything interesting?  Perhaps I could like their status.  Does anyone have a clever...
  • Blog Post: Into the wild, wild west

    Remember way back, in summer of 1999, when Will Smith and Kevin Kline starred in the movie Wild, Wild West ?  If you don’t remember, that’s fine, because the movie really sucked.  According to the Wikipedia entry, Will Smith turned down the role of Neo in The Matrix in order to star in this...
  • Blog Post: The Top Ten Spam, Malware and E-Security Stories of 2009

    All Spammed Up has a nice little summary wrap up of the year 2009.  I have my own summary, it is a condensed version of an article that will appear in next month’s edition of Virus Bulletin. There are a lot of stories that could have gone into this that I had to cut, like Canada’s (near) passage...
  • Blog Post: Keeping track of botnets

    A couple of months ago, I posted a one-day snapshot of how much spam we see from individual botnets.  I’ve been keeping track since July 29 on the biggest ones that have names, and only for IPs that get past our RBLs.  At the time of my first post, I thought that the stats wouldn’t really change...
  • Blog Post: How to reclaim your sender reputation, part 10 - Results

    Results Forefront Online (i.e., us) has come a long way in reclaiming its outbound reputation. The question now is this – has it worked? I will report on some anecdotal evidence. The Good To determine whether or not we have gotten better, I prefer to check 3rd party sources. While we may think that we...
  • Blog Post: How to reclaim your sender reputation, part 9 – disabling offenders

    Continuing on in my 9 part series , the process of mitigating an outbound spam problem occurs in a two-fold manner. Usually they are mutually exclusive, but one can lead to the other. Cutting off mail only for the offending email address This is the default position. If only one email address is responsible...
  • Blog Post: Are we seeing more spam from Gmail, Hotmail and Yahoo?

    Last week, I commented on the Gmail/Hotmail/Yahoo username and password leak.  The question we now ask is whether or not we are seeing an increased amount of spam from those services.  The folks from All Spammed Up recently posted that various experts were claiming that this is the case...
  • Blog Post: How to reclaim your sender reputation, part 8 – More pattern analysis

    Islands Islands are named that way because their appearance looks like an island – a time zone infraction in which the middle sticks out above the others. Another term for this pattern is the head-and-shoulders pattern. Islands are the most ambiguous scenarios because while they indicate that a problem...
  • Blog Post: How to reclaim your sender reputation, part 7 – Pattern analysis

    Mountains A mountain pattern is when each subsequent monitoring of an outbound spam problem is worse than the previous time. It looks like you are climbing a mountain. Once a threshold is crossed, an alert is generated. Mountains generate the most obvious tells that a problem is occurring. If the amount...
  • Blog Post: How to reclaim your sender reputation, part 6 – Noise reduction

    Pattern Detection and Noise Reduction The amount of noise inherent in outbound spam detection is high. End users will routinely mark messages as spam that aren’t actually spam. An example of this would be company billing reports; these are not spam but lots of people mark them like that. How do you know...
  • Blog Post: How to reclaim your sender reputation, part 5 - Monitoring

    Monitoring FOSE has implemented a lot of different mechanisms to mitigate the spam problem. These include, but are not limited to, the following: Routing all mail from non-customer domains that is marked as spam through the NDR pool. Changing (1) and routing all spam from customer or non-customer domains...
  • Blog Post: How to reclaim your sender reputation, part 4 – More options

    Option 3 - Keep track of the mail disposition and cut off the entire organization This was one of the original ideas proposed to solving the outbound spam problem.  The idea is to filter the mail and write the disposition (spam vs non-spam) to an IP stats log for outbound mail but not take any action...
  • Blog Post: How to reclaim your sender reputation, part 3 - Options

    Options Since outbound spam was poisoning our reputation, we decided that there were two angles we had to approach: Disable customers from using our outbound service when we detected they were spamming. Neutralize the effects of their spam so that other customers were not affected. These really are the...
  • Blog Post: How to reclaim your sender reputation, part 2 – The Damage

    This is the second part of a paper that I presented at Virus Bulletin.  Check out their web page here . Outbound Mail The basic assumption for outbound mail is that the people sending it are sending legitimate content. The problem is that this is not a valid assumption. If one customer, among hundreds...
  • Blog Post: How to reclaim your sender reputation - Introduction

    The following document is part of a paper that I presented at Virus Bulletin in Sept, 2009, in Geneva.  It outlines the process that my team has iterated over to clamp down on the problem of outbound spam. How To Reclaim Your Sender Reputation Background Sender reputation is one of the keys to email...
  • Blog Post: Don’t shoot the messenger

    When doing IP reputation, generally speaking when you do an IP check, you usually do it on the connecting IP.  The assumption is that the IP sending the mail directly is the one responsible for the IP reputation.  There are exceptions, of course, but that’s how you do it. One scenario where...
  • Blog Post: Facebook spam

    One of our spam analysts saw the following spam today: http://www.facebook.com/notes.php?id=xxxxxxxxxxxxx AldLif tedHisCh in AndNarro wedHisE yes."Th eZenshi aVa r iationS ays,' AFr iendWho Cannot BeRe lie dUponI sWo rseTh an AnEnemy. '" Flo riscia XicoCou l d Bar el yContain Hers elf."...
  • Blog Post: Distribution of botnets

    Today, out of curiosity, I decided to take a look at which botnets were sending us spam and then doing a breakdown of highest offending botnets. This is a simple snapshot and not necessarily representative of our entire network.  Since we block so much of our mail at the network edge, we don't keep...
Page 1 of 3 (58 items)