It’s been a very bad month for ESPs, the companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the stolen credentials used to send spam. The sequence of events suggests that all the ESPs whose clients were compromised were themselves compromised first. (That’s how the crooks knew whom to attack.)
The Online Trust Alliance published some guidelines that offer mostly good advice. So what should ESPs do now?
First, this is a situation that needs to be fixed, not glossed over. There’s nothing shameful about a business being attacked by bad guys; that shows you’re successful enough to be worth attacking. What’s shameful is not protecting oneself and one’s customers against future attacks that will certainly come. Claims like “only one of our customers was phished” give the message that an ESP doesn’t take the problem seriously, and is a sitting duck for the next round of compromises.
It seems likely that most if not all of the attacks are from the same group of people, so the more that ESPs share data about the attacks with each other and with law enforcement, the better the chance of tracking them down. (If you’re with an ESP that hasn’t arranged to share attack data, have someone from your security department drop me a line and I’ll make some introductions.)
Beyond that, ESPs need to limit the damage both from the current attacks and from future ones. That means making it hard to break in, and also detecting and mitigating break-ins when they happen. Valuable data needs to be treated as though it’s valuable: limit access to it, and log access by both internal and external users. Encrypt databases so that if a backup falls off the proverbial truck there’s no compromise, since the data is useless without the key. (And don’t put the keys on the same backup as the data.)
Compromised customers have been tricked into installing keyloggers, hidden malware that sends a copy of everything the victim types to the attacker. ESPs can and should alert the customer and ensure that the malware is removed, but the unfortunate fact is that removing malware is hard, and users who can be tricked once can often be tricked again. (This doesn’t imply that the customers are dumb; who’d have expected a spreadsheet that appears to be about employee benefits to include an embedded Flash application that exploits a Flash security hole?) Changing the customers’ passwords doesn’t help, since the keylogger will steal the new password the next time the customer logs in. But there are ways to make it harder for keyloggers to steal passwords. One is to use a variable password: rather than having the user type the whole password each time, pick three positions at random and have them type only those three letters. Stealing those letters won’t help if the next login asks for different ones. Or use an external security device, which could be a keyfob that generates a security code, or the client’s mobile phone, to which the ESP texts a one-time password on each login. These techniques should be familiar to anyone who banks online.
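The two login schemes described above, as an added example (not code from the original post or from any ESP): a partial-password challenge, where the server picks three random positions and only those characters are typed, and an HMAC-based one-time code of the kind a keyfob or phone app generates (HOTP/TOTP, RFC 4226/6238), with a replay check so a code a keylogger captures cannot be used a second time. The per-user record layout and the `enrol_partial` / `verify_totp` names are assumptions for illustration. One caveat that the post does not spell out: to check individual characters the server must be able to recover them, so a partial-password scheme cannot store the password as a single salted one-way hash the way an ordinary login does; the record below is assumed to be kept encrypted at rest, and answers must be rate-limited, since each position has only a few dozen possible values.

```python
import hashlib
import hmac
import secrets
import struct
import time

# --- 1. Partial-password challenge ------------------------------------------
# The server asks for the characters at a few randomly chosen positions, so a
# keylogged answer only fits the challenge it was typed for.  Assumed record
# layout: {"password": <str>, "k": <positions per login>}, encrypted at rest.

def enrol_partial(password: str, chars_per_login: int = 3) -> dict:
    """Create the server-side record for a user (hypothetical schema)."""
    return {"password": password, "k": chars_per_login}

def make_challenge(record: dict) -> list:
    """Pick k distinct positions with a CSPRNG so the choice is unpredictable."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(len(record["password"])), record["k"]))

def verify_partial(record: dict, positions: list, answer: str) -> bool:
    """Check the typed characters against exactly the positions that were asked."""
    expected = "".join(record["password"][p] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())

# --- 2. One-time codes from a token or phone (HOTP / TOTP) ------------------
# Whatever the keylogger captures is stale before it can be reused.

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    if now is None:
        now = int(time.time())
    return hotp(key, now // step, digits)

def verify_totp(key: bytes, code: str, state: dict, now: int = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step +/- window to absorb clock drift, but never a
    counter at or below the last one that succeeded, so a captured code cannot
    be replayed inside the window.  `state` is the per-user record (assumed)."""
    if now is None:
        now = int(time.time())
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c > state.get("last_counter", -1) and hmac.compare_digest(hotp(key, c), code):
            state["last_counter"] = c
            return True
    return False

if __name__ == "__main__":
    rec = enrol_partial("correct horse")
    print("type the characters at positions", [p + 1 for p in make_challenge(rec)])
    key = b"12345678901234567890"          # RFC 4226/6238 test-vector key
    print("code for T=59 is", totp(key, now=59))   # 287082
```

The HOTP values can be checked against the test vectors in RFC 4226 (counter 0 gives 755224). For the SMS variant in the post, the server-side logic is the same as `verify_totp` with the code generated server-side and sent to the phone; the replay check matters just as much there.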
The next layer of defense is to detect and stop spamming from client accounts. A simple and fairly effective technique is to look at the URLs in the body of outgoing mail, check whether any of their domains are listed in URL blacklists such as SURBL and the Spamhaus DBL, and if so, lock the account until the ESP can review and fix the mail. It can also be useful to run outgoing messages through widely used anti-spam packages like SpamAssassin and watch for unusual scores. (Even if the mail turns out to have been sent by the customer, something is seriously wrong if it contains blacklisted URLs or triggers SpamAssassin’s spam detectors.)
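An outbound URL check of the kind just described, as an added example that is not part of the original post: it pulls hostnames out of a message body, walks each one up towards its registered domain, queries the Spamhaus DBL and SURBL zones over DNS, and returns a lock/allow decision. The DNS resolver is injectable so the constructed sample messages below run offline against a fake answer table; the `.example` hostnames and the `outbound_policy` name are made up for illustration. Two practical caveats are built in: DBL answers in 127.255.255.0/24 are error codes (query limit exceeded, query via an open resolver) rather than listings, and the label-stripping loop is a stand-in for a proper public-suffix lookup, which production code should use.

```python
import re
import socket

# Hostnames in http/https URLs (constructed regex; good enough for a filter,
# not a full URL parser).
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

DNSBL_ZONES = ("dbl.spamhaus.org", "multi.surbl.org")

def hosts_in(body: str) -> set:
    """Distinct, lower-cased hostnames referenced by URLs in the body."""
    return {h.lower().rstrip(".") for h in URL_HOST_RE.findall(body)}

def candidate_domains(host: str):
    """Yield the host and each parent down to two labels (approximation of the
    registered domain; use a public-suffix list in production)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def dns_lookup(name: str):
    """Real resolver: A record as a string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_domains(body: str, zones=DNSBL_ZONES, lookup=dns_lookup) -> dict:
    """Map each listed hostname to (zone, answer)."""
    hits = {}
    for host in hosts_in(body):
        for domain in candidate_domains(host):
            for zone in zones:
                answer = lookup(f"{domain}.{zone}")
                if answer is None:
                    continue
                if zone == "dbl.spamhaus.org" and answer.startswith("127.255.255."):
                    continue      # DBL error code, not a listing; treat as no answer
                hits[host] = (zone, answer)
                break
            if host in hits:
                break
    return hits

def outbound_policy(body: str, lookup=dns_lookup) -> str:
    """Lock the sending account on any blacklisted URL, otherwise allow."""
    return "LOCK" if listed_domains(body, lookup=lookup) else "ALLOW"

# --- constructed offline fixture --------------------------------------------
FAKE_DNS = {
    "badsite.example.dbl.spamhaus.org": "127.0.1.2",     # constructed listing
    "ratelimited.example.dbl.spamhaus.org": "127.255.255.255",  # DBL error code
}

def fake_lookup(name: str):
    return FAKE_DNS.get(name)

SPAM_MSG = "Great offer! Click http://www.badsite.example/deal now"   # constructed
CLEAN_MSG = "Monthly newsletter: https://news.goodsite.example/issue/42"
ERROR_MSG = "See https://ratelimited.example/page"

if __name__ == "__main__":
    for msg in (SPAM_MSG, CLEAN_MSG, ERROR_MSG):
        print(outbound_policy(msg, lookup=fake_lookup), listed_domains(msg, lookup=fake_lookup))
```

With the real `dns_lookup` the same code queries the live lists; check each list's usage terms and query limits first, since a busy ESP will exceed the free thresholds quickly and get the error codes handled above.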
Beyond that are a variety of tests for suspicious behavior, such as a client uploading a large new list and sending mail to it, or the rejection rate of a client’s mail suddenly increasing.
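The two behavioural tests mentioned in that paragraph, as an added example that is not code from the original post: a rejection-rate detector that compares each client's last hour against its own previous week, and a check on whether a newly uploaded list is far larger than anything the client has mailed before. The delivery-log format (`<epoch> <client> <outcome>`) and the sample data are constructed here; thresholds such as the 3x factor, the 5% floor and the 5x list-size ratio are assumptions to be tuned per ESP. Comparing against the client's own baseline, rather than a global number, is what keeps a high-bounce-but-legitimate client from being flagged every hour.

```python
from collections import defaultdict

HOUR = 3600
DAY = 24 * HOUR

def parse_log(text: str):
    """Parse constructed delivery-log lines '<epoch> <client> <outcome>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, outcome = line.split()
        events.append((int(ts), client, outcome))
    return events

def rejection_rates(events, now, window=HOUR, baseline=7 * DAY):
    """Per client: [recent_sent, recent_rejected, base_sent, base_rejected],
    where 'recent' is the last `window` seconds and 'base' the rest of the
    last `baseline` seconds."""
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for ts, client, outcome in events:
        age = now - ts
        rejected = outcome in ("bounce", "reject")
        if 0 <= age < window:
            stats[client][0] += 1
            stats[client][1] += rejected
        elif window <= age < baseline:
            stats[client][2] += 1
            stats[client][3] += rejected
    return dict(stats)

def flag_rejection_spikes(events, now, min_recent=50, factor=3.0, floor=0.05):
    """Clients whose recent rejection rate is well above their own baseline.
    min_recent avoids flagging on tiny volumes; floor avoids flagging a client
    with a near-zero baseline the first time a single bounce shows up."""
    flagged = {}
    for client, (rs, rr, bs, br) in rejection_rates(events, now).items():
        if rs < min_recent:
            continue
        recent = rr / rs
        base = br / bs if bs else 0.0
        if recent >= max(floor, factor * base):
            flagged[client] = (round(recent, 3), round(base, 3))
    return flagged

def suspicious_list_upload(previous_sizes, new_size, factor=5, new_client_limit=100_000):
    """A list far larger than anything the client has uploaded before deserves
    a human look before it is mailed; a brand-new client with a huge first
    list is treated the same way (threshold assumed)."""
    if not previous_sizes:
        return new_size >= new_client_limit
    return new_size >= factor * max(previous_sizes)

def build_sample_log(now):
    """Constructed data: both clients bounce ~2% all week; in the last hour
    'acme' jumps to 40% while 'beta' stays at 3%."""
    lines = []
    for client, recent_bounces in (("acme", 40), ("beta", 3)):
        for i in range(1000):                       # baseline week
            outcome = "bounce" if i % 50 == 0 else "accept"
            lines.append(f"{now - 2 * HOUR - i * 500} {client} {outcome}")
        for i in range(100):                        # last hour
            outcome = "bounce" if i < recent_bounces else "accept"
            lines.append(f"{now - i * 30} {client} {outcome}")
    return "\n".join(lines)

if __name__ == "__main__":
    now = 1_301_900_000
    events = parse_log(build_sample_log(now))
    print("rejection spikes:", flag_rejection_spikes(events, now))
    print("list upload suspicious:", suspicious_list_upload([5000, 8000], 60000))
```

In practice the rejection-rate check runs on a timer over the MTA's delivery logs, and a flag should pause the client's queue and page a human rather than silently drop mail, since a spike can also mean a receiving network outage.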
Yes, all of these will cost ESPs money. ESPs live in a narrow zone between their clients, who want to pump out vast amounts of mail and want 100% of it delivered instantly (dream on), and recipient networks, who accept and deliver it for free. Every smart ESP knows that its goal is to send mail that the recipients want, and to avoid annoying the recipients and their mail managers as much as it possibly can. Spam is annoying, and spam sent from previously benign sources is really annoying, since it tends not to be filtered well. So now that ESPs are on notice that the data they hold is valuable, and that the damage to them from its misuse is so great, I hope they understand what they have to do.