Malware Email Attachments

I recently was catching up on my email, and I was struck that there wasn’t a single marketing message with an attachment in my inbox. The only notes with attachments were transactional in nature: a receipt from a store I made a purchase from and a voicemail notification from my company’s phone system. Those transactional messages didn’t have any images, nor were they long with a bunch of offers. Sure, there were a few links to their website where I could find marketing offers, but no big call to action beyond the essential transactional purpose of the message.

Now curious, I also took a look at my spam folder. In contrast, it had quite a few messages with attachments that looked to be marketing. Upon further investigation, though, it became very clear that those seeming marketing messages actually contained malware. Yikes.

Now you may think, how does this affect me? “The attachments I send aren’t malware, so what’s the problem?” Simple: you might be lumped in with the bad guys because receivers will judge you guilty by association. Anything you do that looks even slightly like the behavior of malware spammers will hurt your deliverability. In this post, I’ll look at some popular techniques used by these bad actors.


First and foremost, the bulk sending of non-transactional messages with attachments has become a clear indicator to ISPs that your messages have a high risk of being malware. It’s hard to overstate what a significant problem computers infected with malware have become for ISPs. When a PC gets infected, it’s often used for sending more spam, which harms the ISP’s reputation, eats up bandwidth, and degrades their network for their customers. When an ISP permits marketing or other bulk senders to send attachments, they’re taking a very sizable risk of exacerbating this problem.

Forewarned and forearmed, I picked apart the header of a message that purported to be from a well-known sender, USAA. However, I immediately noticed a major red flag: a lack of authentication. SPF failed, and there was no DKIM or DomainKeys signature. It is important to authenticate with both SPF and DKIM in order to get into the inbox. ISPs have made it clear that without them, you’re fighting an uphill battle, and your messages are highly likely to be disposed of as spam.


SparkPost understands the importance of authentication and therefore signs with SPF and goes the extra step of signing with DKIM for the sending domain as well as the SparkPost domain.


Moving on from the message headers of this spoofed USAA message, I saw that this spammer was trying really hard to convince me to open the attachment. Sure, the imperfect grammar was a good warning that something wasn’t legit, but a recipient who is a USAA member, and perhaps not reading carefully, just might fall for it—and then, boom, the spammer’s mission is accomplished. Those of us in the business may be a little jaded, but if this technique weren’t effective, it wouldn’t still be around after all these years. It’s a major reason ISPs have become more and more strict about blocking bulk messages with attachments.


As we saw, the example malware spam above was sent en masse, without authentication, and with an attachment. To maximize deliverability, legitimate senders should strive to look as different from that profile as possible. In most cases, it is far better to send an email with no attachment and instead include a link for your recipient to click to access the content you otherwise would have attached. But if you do find yourself unavoidably in need of sending attachments, there are a few key things to keep in mind:

  1. Don’t send attachments in bulk. Instead, send them only in response to transactions initiated by your subscriber. If a subscriber is expecting an email, they are more likely to locate the message and open it, even if it’s in the spam folder.
  2. Don’t include images or marketing-centric calls to action. It’s OK to reference offers and point them to your site, but be careful not to look like you are attempting to slide in the attachment with a marketing message.
  3. Don’t send apps or executable files, as they will be blocked instantly. There is a host of file types that are not allowed by ISPs. Do some advance testing to make sure what you are sending will be accepted by the ISPs you are sending to.
  4. Watch your grammar and spelling. Content is looked at very carefully when sending attachments.
  5. Authenticate! This is a best practice when sending any message, transactional or commercial.

Even when following these best practices, you may still find yourself in the spam folder. If that’s the case, it may be best to throw in the towel and try another approach—like using a file-hosting service to handle the attachment.
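The header and attachment checks described in this post can be scripted for triage. The following is an added example, not code from SparkPost or the original post: the sample message, its hosts and domains, the trusted `authserv-id` and the extension list are all constructed assumptions.

```python
import email
import os
import re
from email import policy

# Assumed sample of executable extensions, not any ISP's actual blocklist.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".com", ".jar"}

# Constructed message (hypothetical hosts and domains) matching the profile
# above: SPF fail, no DKIM signature, attachment with an executable extension.
SAMPLE = """\
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bank.example; dkim=none; dmarc=fail header.from=bank.example
From: "Member Services" <alerts@bank.example>
To: user@receiver.example
Subject: Important account document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please to open the attached document urgent.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""


def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from Authentication-Results
    headers stamped by our own receiving server; a sender can forge the rest."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_authserv.lower():
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", rest.lower()):
            if results[method] != "pass":  # one passing signature is enough
                results[method] = verdict
    return results


def risky_attachments(msg):
    """Return attachment filenames whose final extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw, trusted_authserv):
    """List the ways a raw message resembles the malware-spam profile."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg, trusted_authserv)
    findings = []
    if auth["spf"] != "pass":
        findings.append(f"spf={auth['spf']}")
    if auth["dkim"] != "pass":
        findings.append(f"dkim={auth['dkim']}")
    if "DKIM-Signature" not in msg:
        findings.append("no DKIM-Signature header")
    if auth["dmarc"] != "pass":
        findings.append(f"dmarc={auth['dmarc']}")
    findings.extend(f"executable attachment: {n}" for n in risky_attachments(msg))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, "mx.receiver.example"):
        print(finding)
```

An empty list means the message passed all three checks and carries no flagged attachment; it does not mean the content is safe.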

Successful email engagement is predicated on trust. Recipients need to trust that your emails are actually from you. That’s why SparkPost requires you undertake additional setup steps versus services that are less concerned with reputation.

A secure email service starts by preventing phishing—emails that fraudulently claim to be from someone else in an illicit attempt to gain benefit. It’s the email that claims to be from the reader’s bank, but downloads malware or steals a password when they follow the message links.

In order to reassure both human beings and protective computer systems that are looking for fraudulent email activity, SparkPost requires you to set up either SPF or DKIM at a minimum and potentially DMARC reporting as a means of reassuring these recipients and systems that messages are truly from you. SPF is like a guest list at a party—a list of servers that are authorized to send for your domain. DKIM uses a cryptographic signature in the email headers that refers to the sender’s domain to legitimize the message for the recipient. It assures your recipients that even though your emails are coming via SparkPost, people and systems can really trust that your messages are from you. In part, DMARC is a reporting mechanism for DKIM failures, alerting domain owners when others try to use their domain without authorization.

Email security is also about protecting your recipients. Attackers are getting more sophisticated and they know that there are often ways to get information from people. They’ll leverage email to get bits of information that a person might not think are important, but in fact are stepping stones to getting more valuable information. That well-known data breach at Target started when someone found a bit of information in a company that did air conditioning services for stores; the attackers leveraged that third party’s access to hack into additional systems inside Target.

SparkPost requires you to use DKIM and SPF because they are proven best practices. When you’re sending just a few emails, things could go wrong, but the small quantity means it only qualifies as a hassle. When you’re sending email in very high volumes, there’s a lot of potential for damage. On the flipside, email security increases engagement and deliverability: messages set up with authentication allow recipients to trust that the links they click will not be fraudulent or malicious. That increases clicks (a measure of engagement), which in turn increases deliverability.

That’s why it’s important to secure your email, because any little piece of the puzzle can be a gateway to significant problems for you and your recipients. Our goal is to make you successful with email, and protecting your email is essential to securing your reputation as a sender.

With SparkPost, our highest priority is protecting our users, their data and their reputation. We take great efforts to protect our network against external threats, but one of the biggest risks to users is their passwords being compromised and a criminal then using those credentials to pose as them. To prevent that, we’ve implemented multi-factor authentication (MFA) as an option on all accounts in SparkPost. With MFA enabled, when you log in to your SparkPost.com account you will also need to enter a token that you receive on your mobile device.

Multi-factor authentication (MFA) has become the gold standard of ensuring a user is legitimate at login time to an internet service or app. By requiring the user to receive and enter a code on their known device at a pre-determined mobile number, businesses can greatly reduce the risk of fraud. MFA is in use today at companies known for high security standards like financial institutions. MFA is an excellent way to protect your account and we recommend all users enable it on their accounts. While many of us are used to MFA, it is certainly not standard in all email services on the web, as evidenced by a recent high-profile break-in using an email delivery service. To enable MFA, log in to SparkPost, go to your account tab, and the security sub-tab, and click to enable two-factor auth.

In this day and age, every company or organization that collects any personal information (pretty much all of them!) needs a privacy policy. Since larger organizations are likely to already have privacy policies in place, I’m going to speak here to the needs of smaller organizations. Here are 3 reasons your smaller organization should create a privacy policy:

Transparency

With data breaches and identity theft constantly in the news, people are more concerned than ever about what’s happening with their personal information. They are very aware that their information is being collected, and they want to know what’s happening with it. Without a privacy policy, people may wonder what information you’re collecting about them and what you’re doing with it, and may choose not to work with you when they can’t easily find out by reading your policy clearly linked on your website.

Consistency

As your organization grows, your data collection practices may change. It’s easy to get caught up in the whirlwind of new technology and not realize how your collection of personal information is changing. As new people join your team, they may have new ideas about what information is needed, and how best to make use of it. As things change, it’s good to have a policy as a touchstone.

Setting a privacy policy gives you a guiding light on how your organization thinks about personal information and interacts with customers. It will keep you from making drastic changes without consideration. Having a privacy policy will ensure that your team seeks to fully understand new technologies that collect information before deploying them. In the event of any legal complaints, having a privacy policy in place that your organization follows will protect you from charges that you are working outside the expectations of your customers.

Trust

It all comes down to trust. If I don’t know what you’re doing with my personal information, I am less likely to give you my personal information in the first place. If I’m not sure you’ll notify me if you change your practices or think changes through, I am not likely to want to do business with your organization. People do business with organizations they trust, and they trust organizations that are transparent and consistent with their use of personal information. Having a privacy policy in place shows all your potential customers that you take their concerns seriously, and that you can be trusted with their information.

Need help to create a good policy? The Better Business Bureau has a great sample policy here.

Coming Soon: Why You Need to Adhere to Your Privacy Policy

In the next installment in this series, we’ll take a look at what can go wrong when companies put in place solid data privacy policies, but then fail to follow them.

Stop the New Messaging Threats

Large-scale phishing email blasts still make the news, but today’s most dangerous digital attacks use spearphishing messages aimed directly at particular individuals or organizations. Both the Online Trust Alliance and Symantec accorded 2013 the dubious honor of being the year of data breaches. According to Symantec’s 2014 Internet Security Threat Report, the total number of breaches in 2013 was 62 percent greater than in 2012 with 253 total breaches. Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012 only one breach exposed over 10 million identities.

Spearphishing exploits begin with targeted, personalized messages that seem legitimate, yet lure recipients to open malware, or hand over passwords or login information. Such attacks have an alarming success rate. When successful, they can result not only in the loss of critical data, but also the unauthorized use of email deployment systems or other critical infrastructure. Moreover, these attacks can jeopardize your sender reputation and your brand.


Target’s well-publicized data breach earlier this year cost the company deeply in terms of brand reputation and revenue and was traced back to a single phishing email. This is why all enterprises — and the email service providers (ESPs) that work with them — must safeguard not just inbound message streams, but outbound streams as well.

A More Intelligent Approach to Message Security

In a recent report released by the Online Trust Alliance scoring the email integrity of businesses, it was noted that:

“Unfortunately, in many enterprises the email infrastructure does not natively support outbound signing or inbound checking for SPF, DKIM or DMARC. Equally as concerning is the lack of support for inbound authentication from leading MTAs (Mail Transfer Agents), the hosting community and email technology providers.”

– 2014 Email Integrity Audit report

Out of the 800 companies and brands that were audited, Message Systems was among the 12% of companies that measured up to the stringent security standards of OTA. Unlike commodity MTAs, Message Systems takes the issue of email security very seriously. Our email infrastructure platform, Momentum (available in on-premise and managed cloud versions), is designed to support both inbound and outbound email authentication. A two-way approach is critical because threats change constantly, points of vulnerability are too numerous to list conclusively, and realistically not all messaging attacks can be prevented. You may think your security systems are functioning correctly, only to see a sudden spike in complaints, bounces or blocks in your outbound stream, exposing an attack in progress and a compromised email deployment system.

Spearphishing attacks per day

Respond Immediately and Prevent Recurrence

With Message Systems solutions, prevention and mitigation processes are interconnected. Our customers gain the ability to apply a full range of default and custom policies for screening out abusive mail at the network and protocol layers. And they can integrate best-of-breed third-party solutions for optimal scanning at the content layer. With this approach, organizations can instantly take user feedback into account, pinpoint suspicious activity and take action before damage is done. Additionally, by facilitating responsive action and self-learning, Message Systems helps companies to not only stop malicious activities as quickly as possible, but prevent them from happening again in the future. In fact, Message Systems’ commitment to ensuring that our customers’ emails are safe from phishing attacks is one of the many reasons why the world’s largest senders choose us to send 20% of global legitimate email.

Learn more about how DMARC is helping to save the world’s email in the How DMARC Is Saving Email eBook today!


Message Systems is pleased to announce today that we have qualified for the Online Trust Alliance’s 2014 Email Integrity Honor Roll. The audit evaluates a company’s adoption of email authentication practices and focuses in particular on email authentication that helps detect and block spoofed and forged email such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) practices.

Companies are recognized as leaders in the space of email security and brand protection if they have:

  • Implemented SPF and DKIM at the corporate or top-level domain
  • Have a DMARC record published

As part of this audit, the Online Trust Alliance reviewed over 800 companies and brands, out of which only 12% passed, and Message Systems is honored to make the list!

From the positive effects we’re seeing across the industry, it’s clear that DMARC is succeeding as intended in deterring malicious email attacks – which is great news. Message Systems will continue to provide the technologies our customers need to quickly implement SPF, DKIM and DMARC to protect their brands and customers.

– Phillip Merrick, CEO, Message Systems

Earlier this year, we also qualified for the Online Trust Alliance’s 2014 Online Trust Audit and Honor Roll – this latest honor further recognizes our commitment to educating the industry on email security for online brand protection through leading by example.

Here’s the Good News

The 2014 Email Integrity Audit had several key findings, both positive and negative, on the state of email authentication in the various industries. As always, let’s start with the good:

  • Adoption of SPF and DKIM is rising across all the industries. The Internet Retailer 100 had an 88% adoption rate, while the Internet Retailer 500 had the largest growth, rising from 56% to 74% adoption.
  • Adoption of DMARC is increasing slowly but steadily, and the top social sites had the highest score for DMARC adoption at 36%.

Email Domain Brand Protection

Among the list of companies that made the 2014 Email Integrity Honor Roll, many were our customers and partners, and we’d like to offer everyone a hearty congratulations!

Internet Retailer Top 500

American Greetings, Groupon

Social Top 50

Facebook, Twitter, LinkedIn, Zynga

DMARC allowed us to dramatically reduce the number of forged emails sent to our users. DMARC was a direct benefit to our users by blocking these impersonations.

– Josh Aberant, Postmaster, Twitter

OTA Members

Harland Clarke Digital, Return Path

SPF and DKIM are vitally important for email senders to implement today, but they are merely table stakes in an escalating battle against email fraud. DMARC is a powerful solution empowering senders who are prone to brand infringement and malicious attacks.

– Robert Holmes, General Manager, Fraud & Brand Protection Services, Return Path

… And Now for the Bad News

While adoption rates for SPF, DKIM and DMARC continued to grow, the news about the state of email authentication in the industry wasn’t all quite as rosy:

  • Of all the consumer domains sampled, only 8.3% have implemented SPF, DKIM and DMARC.
  • Brands are failing to authenticate at top level domains; SPF and DKIM adoption only grew at the level of sub domains, thus leading to limited brand and consumer protection.
  • While DMARC adoption is growing, it still remains low.
  • Top FDIC insured banks had the highest failure rate compared to all sectors due to a lack of email authentication – only 17% passed the audit.
  • The top 50 federal government sites consistently scored at the bottom of all email authentication metrics – only 4% passed the audit.

The 2014 Email Integrity Audit findings revealed that consumers are at a higher risk of receiving forged and spoofed email from major banks and federal government sites – a scary thought as these are institutions that generally command the trust of the public. The 2014 Email Integrity Audit report also specifically called out the security weaknesses in email infrastructure in enterprises and commodity message/mail transfer agents:

“Unfortunately, in many enterprises the email infrastructure does not natively support outbound signing or inbound checking for SPF, DKIM or DMARC. Equally as concerning is the lack of support for inbound authentication from leading MTAs (Mail Transfer Agents), the hosting community and email technology providers.”

– 2014 Email Integrity Audit report

The report points to the inconsistency of email authentication in organizations due to email marketing being outsourced to disparate third-party systems. We’d like to point out that our email infrastructure platform, Momentum (available in on-premise and managed cloud versions), fully supports both inbound and outbound email authentication – one of the many reasons why the world’s largest senders choose us to send 20% of global legitimate email through Momentum.

Finally, we’d like to end with a note of caution from the audit report: a lack of email authentication exposes businesses to the risk of liability and class action suits in the event of a data breach. If you’re interested to find out whether your email service provider is authenticating your mail, test it with our email Validator – it checks for DKIM, SPF and DMARC email authentication.


First it was Heartbleed. Then last week, another 6 to 7 less serious flaws came to light. The recent OpenSSL security breaches have once again shown us the need to maintain vigilance in monitoring vendor notifications and other reputable advisories regarding software and operating system updates.

Messaging and email servers in particular, such as Momentum, need to be monitored and maintained especially carefully. By their nature, email servers need to be both accessible and easily found so that external parties can send you a message. These email servers or senders also require an excellent sender reputation so that they can maintain very high levels of message and email deliverability. This makes them an excellent target for would-be attackers wanting to disseminate some kind of malicious messaging. Not only can cybercriminals find email servers easily via DNS, but they can also be fairly sure that these servers will be offering Internet-facing messaging services (such as SMTP) that they can attempt to attack. If successful, these attackers will potentially be able to get a great many messages sent on the strength of your sender reputation.

Message Systems doesn’t ship OpenSSL with Momentum – instead we rely on the operating system-supplied libraries on our supported platforms. As such, it’s up to our customers to maintain and configure these systems as securely as possible. This requires someone, whether they are a dedicated security resource or just the ‘IT guy with many hats’, to keep track of all applicable vendor notifications and advisories, and take action when necessary to promptly patch or update systems when serious issues arise.

This can seem like a fairly daunting task given the number of open source packages from all manner of developers and vendors that are typically ‘assembled’ into a modern operating system. Since the majority of our customers run on Red Hat or a derivative of it, Red Hat’s own security team and website are excellent resources to begin your email security and OpenSSL efforts. Red Hat provides timely notifications, patches and an authoritative commentary on the issues and their impact via their security blogs and other newsletters.

Information is key when it comes to security; the quality of that information even more so. Having access to up-to-date, accurate security advisories will allow you to see the issues in your own context. This will allow you to determine which of the many security notifications you’ll see each week apply to your specific deployment and configuration, and of those, which are serious enough to warrant immediate update and which can wait for a maintenance window.

Message Systems may not ship many of the affected libraries and software, but we do monitor security issues and advisories from all the vendors of our support platforms. If you need more information or want to know just how a specific issue relates to Momentum, then we’re always here to help.

With email deliverability so strongly influenced by sender reputation and the abundance of data stored and used to personalize the user experience, you can rest assured that would-be spammers, scammers and identity thieves are monitoring and acting on security vulnerabilities – and so should you.

When it comes to ensuring the integrity of your emails, the DMARC email standard is a must. Find out How DMARC Is Saving Email in this free E-Book.

Right off the bat, 2014 seems to be a year of great security peril. We’ve had to deal with the fallout of the Target data breach, and the news brings us a never-ending stream of stories and warnings about keeping our accounts secure.

While the Online Trust Alliance 2014 Data Protection & Breach Readiness Guide states that 2013 was a record year for data security breaches, with 740 million records being exposed, I’m betting 2014 might well top that with the extensive number of sites being compromised by Heartbleed. Personally, I’ve had to change my passwords more times than I can count this year.

While the importance of security is surely underscored by these incidents, the news hasn’t been all bad. In fact, when it comes to email security and abuse, we appear to be entering a new era where phishing exploits are drastically reduced. Recently, PayPal – one of the most-spoofed brands online – reported that suspicious email has decreased by more than 70% during 2013 with DMARC implementation. Similarly, Twitter reports that they’ve gone from seeing as many as 110 million phishing emails per day down to just a few thousand.

At Message Systems, we’re big fans of email security, and have long been proponents of email security and DMARC email implementation. (Quick aside: our software is fully compatible with double DKIM signing as required in Gmail feedback loop reporting as well.)

When it comes to DMARC, widespread industry support and adoption is key, hence we sat down with our partner and email deliverability expert, Return Path, for a quick chat about the importance of industry wide DMARC email adoption. Here’s what John Arnold, Senior Director of Product Marketing, had to say.

Looking for more resources on DMARC? Try the How DMARC Is Saving Email eBook!


The Social Security Administration has implemented online access to accounts via their mySocialSecurity portal. Naturally, the cons came out almost immediately, as phishers began spamming seniors to con them into “creating mySocial Security accounts” on fraudulent sites.

The phishing isn’t restricted to email – scammers are making cold calls, claiming they need to obtain personal data as a way of updating Medicare accounts. Phishing has become the fourth most prevalent form of consumer fraud as of 2012, according to the Better Business Bureau and reporting sources.

Keep your brand safe from phishing and online fraud. Watch our Don’t Deprioritize DMARC webinar replay to learn how!
