Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Tagged Content List
  • Blog Post: Why does spam and phishing get through Office 365? And what can be done about it?

    Introduction As a filtering service, Office 365 (Exchange Online Protection, or EOP) is dedicated to providing the best antispam filtering possible, and we take this task seriously: We are working hard to keep spam out of your inbox We are working hard to ensure we don’t mistakenly mark good email as...
  • Blog Post: Submitting spam back to Office 365

    Office 365 (Exchange Online Protection) regularly asks customers to submit spam samples back so that we can improve the service. This information is also available here: Submitting spam and non-spam messages to Microsoft for analysis http://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx...
  • Blog Post: Different Levels of Bulk Mail filtering in Office 365

    In the Office 365 service, we have made a change to the way the service detects bulk email. In the past, we lumped all Bulk email together. For example, suppose you had four messages with the following Subject lines and other characteristics: Subject: Your Daily Deal-of-the-Day! You signed up for this...
  • Blog Post: I have been fighting spam for 10 years

    A week and a half ago, I “celebrated” my 10th year fighting spam. I originally joined Frontbridge in July 2004, and 10 years later I am still with Frontbridge after it was acquired by Microsoft. Since that time, it has been known as: Frontbridge (how almost everyone in the email filtering community still...
  • Blog Post: I received a pretty good Apple phish this morning

    This morning, I discovered that I had received an email “from” Apple informing me that I had recently updated my credit card with Apple: The screenshot above is from my Thunderbird email client but that’s not where I originally checked it – I originally checked it on my phone. The first thing I thought...
  • Blog Post: Let’s not be too smug when others are hacked because we all do things we shouldn’t

    This will be another long post. A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going...
  • Blog Post: Understanding identification of Bulk Email in Office 365

    Bulk email, sometimes referred to as grey mail, or gray mail, is a type of email that is difficult to classify for all users at a global level. Bulk or gray email is email that some users want but others consider spam. For example, some users want their email from Amazon Local’s Daily Deals or invitations...
  • Blog Post: Why do spammers spam? I try to explain it using the Moralization Gap

    Don’t spammers know they are irritating the rest of us? Lately, I have been thinking a little bit on why spammers spam. I have never conducted a large study of this, all of my research about their own explanations comes from my memory of articles I have read and videos I have seen of convicted spammers...
  • Blog Post: How to create more aggressive Bulk email settings in Exchange Online

    Update 2014-04-04: Updated the Text Patterns for ETR#1 - modified #2, added #12 and #13 Update 2014-08-25: This article is now updated by this one: Different levels of bulk mail filtering in Office 365 One of the more common requests in the Forefront Online Protection for Exchange (FOPE) and Exchange...
  • Blog Post: Understanding outbound spam controls in Office 365

    As a Program Manager of Antispam in Office 365, one of the questions I am frequently asked is “How many messages outbound are we permitted to send per minute? Per hour? Per day?” When I use the term “Office 365” I mean both our existing Forefront Online Protection for Exchange (FOPE) service, and our...
  • Blog Post: New features in Office 365

    Recently, in Office 365 we introduced two new features in our Forefront Online Protection for Exchange product (FOPE). I refer to this as FOPE 14 because the service runs on Exchange version 14. This is our older service; all of our customers are either migrated or will be migrated to Exchange Online...
  • Blog Post: Supporting email over IPv6, part 1 – An introduction

    One of the important projects I have been working on for the past few months is supporting email over IPv6. Long time readers of this blog (all four of you) will remember that last year I wrote a series of posts on email over IPv6: Part 1 – Introduction Part 2 – Why we can’t use IP blocklists in IPv6...
  • Blog Post: Why do safe senders in EOP and FOPE operate on the 5321.MailFrom address instead of the 5322.From?

    In my previous blog post How to use Safe Senders in EOP and FOPE, I explained that in the EOP and FOPE service, the spam filter inspects the 5321.MailFrom when doing a safe senders check whereas Outlook adds the 5322.From address (the one you see in your email client) to the safe senders list. The...
  • Blog Post: How to use Safe Senders in EOP and FOPE

    In the EOP (Exchange Online Protection, our newer service) and FOPE (Forefront Online Protection for Exchange, our older service), there are some nuances that end users should be aware of when using the safe senders and blocked senders feature. Customers who use Outlook as their mail client and sync...
  • Blog Post: Phishing infographic – how phishing works

    A reader sent me the following infographic detailing how phishing works. Check it out: It contains statistics on the prevalence of phishing, some characteristics of phishing messages, and some advice on how to protect yourself. Good stuff. Source: Phishing advisory infographic by Lifelock.com
  • Blog Post: Another day, another phish campaign

    Today we are seeing another high volume spam campaign. It is very similar to the one I wrote about yesterday: The IPs are all compromised (i.e., the spam is coming directly from botnets). The URLs point mostly to compromised web hosts, that is, the URLs are legitimate but have been broken into and are...
  • Blog Post: Why people keep proposing a Final Ultimate Solution to the Spam Problem (FUSSP)

    In the antispam world, from time to time somebody new likes to come in and propose a solution that will wipe out spam: Email authentication! Statistical classifiers! Blacklists! User education! These terms are derisively referred to as the Final Ultimate Solution to the Spam Problem. It’s a term that...
  • Blog Post: Large scale spoofing campaign

    Over the past week or so we have seen a lot of spoofing going on with campaigns that look like the following: These campaigns have the following characteristics: They are high-volume zero-day campaigns. The IPs typically end up on IP blocklists but they are successful at emitting huge blasts of spam...
  • Blog Post: Are spammers just like high frequency traders? Or is it the other way around?

    A couple of weeks ago, we had a problem wherein a spammer signed up for our service tens of thousands of times and started sending out low volume spam. He would send a small blast and then discard the account. He would then move on to the next one and would send out the same spam campaign. He did this...
  • Blog Post: A promising new antispam technique – does it deliver what it promises?

    I’m always skeptical when I read about new antispam techniques, especially those ones coming out of academia. Today, while browsing news stories, I came across the following article entitled Scientists devise new technique to get rid of spam mail. Here are some excerpts: Researchers have proposed a...
  • Blog Post: How to measure False Positive rates

    As someone who is in charge of our spam filtering here in Microsoft Forefront (i.e., I’m on the spam team and one of my tasks is to improve the service, but it’s not me all by myself), there are two critical pieces of information: What’s our spam catch rate? What’s our false positive rate? I’m talking about...
  • Blog Post: Is the term “cyberwarfare” overstating the case?

    At the Virus Bulletin conference last month, Andrew Lee from ESET gave a talk entitled “Cyberwar: Reality or Weapon of Mass Distraction?” In it, Lee talks about how the term “cyberwar” is thrown around a lot these days. However, he disagreed with the use of the term because it uses inflationary language...
  • Blog Post: The Top Spamming Countries

    A little over a week ago, Sophos published a blog post about the countries that sent the most spam in the third quarter of 2012. They found that India was number one on the list with 16% of the spam, followed by Italy at number two with 9% and the US at number three with 7%. As usual, I’m a little late...
  • Blog Post: How should large financial institutions use hosted filtering?

    This post is an opinion piece that reflects what I think are best practices. Should large financial institutions use hosted email services? Services like ours (Forefront Online Protection for Exchange, FOPE)? Why am I even asking this question? I ask this question from a security perspective. The advantages...
  • Blog Post: A Plan for Email over IPv6, part 5 – Removals, Key differences and standards

    What happens if spammers get on the whitelists? The question arises – what happens if a spammer gets onto the whitelist? Maybe they have compromised an IP address of a good sender. Or maybe they snuck onto the list. What should be done if this is the case? A whitelist model makes abuse tracking...
Page 1 of 6 (148 items)