Circ Dude's Blog

By Dan Scofield ·
Tags: Off Topic

The Email Industry Needs Friction

by Dan Scofield In reply to Circ Dude's Blog

<p>I recently returned from the "<a href="http://emailauthentication.org/">Email Authentication Implementation Summit 2005</a>" conference in NYC. The main focus of the show was to talk about what legitimate emailers can do to make sure the good email makes it thru and the junk mail gets eliminated. It's a lofty goal but one that the industry needs to address now.</p>
<p>According to Esther Dyson of <a href="http://www.release1-0.com/">Release 1.0</a> what the industry needs is "<strong>friction</strong>". It's just too easy for spammers to send out email. There's little to no cost and the risk of arrest or fines is minimal. There needs to be more friction to make it more difficult to send out mail. It's up to the industry to figure out what this means before the government steps in. The easiest solution would be to start charging email postage just like snail mail. This would certainly reduce spam but it would no doubt hurt legitimate businesses so no one is eager to jump on this bandwagon.</p>
<h3>Email "Authentication" is a good first step</h3>
<p>According to a report prepared by the Direct Marketing Organization (DMA) and Bigfoot Interactive the industry needs to require Authentication. Authentication is a relatively simple and inexpensive method but will require resources from your IT department or email service provider. Authentication can be <strong>IP-based via Sender ID/Sender Policy Framework</strong> (SPF) or <strong>cryptographic based on domain keys</strong>. Authentication does not reveal the true identity of the sender; it simply verifies that a sender with that address is authorized to send mail.</p>
<p>The way verification happens is based on the IP or cryptographic information. The IP-based domain level authentication matches up the Domain Name System (DNS) registration data to verify it is coming from a legitimate domain. If it matches then the mail gets delivered. The other method is cryptographic-based "message level" authentication where there are public/private key pairs created by email senders. One of the keys is stored in the DNS with a second matching key embedded in the outbound email message. If the keys match, then it is a good message and would be delivered. If they don't match, it's marked as spam and gets trashed.</p>
<p>Until authentication is widely accepted and implemented, companies' IT departments will still need to rely on traditional non-authenticated spam filtering.</p>
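The IP-based check described in the post, worked through as a simplified SPF evaluator. This is an added example, not code from the post or the summit materials; the DNS TXT records are constructed stand-ins for real lookups, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (assumption: a stub
# resolver; production code would query DNS for each domain's TXT record).
SPF_RECORDS = {
    "example-sender.com": "v=spf1 ip4:192.0.2.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP address.

    Handles ip4/ip6/include/all mechanisms with their qualifiers and returns
    'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record).
    """
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10 or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network (and vice versa),
            # so a v4 client simply skips ip6 terms.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only when the referenced record yields 'pass'
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            matched = False  # unsupported mechanism, treated as no match
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term
```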

Spear Phishing coming to your email inbox this holiday season

by Dan Scofield In reply to Circ Dude's Blog

<p>When it is 95+ degrees outside it's kind of hard to think about this fall's holiday shopping season but this is one of the hot topics covered at the recent "Email Authentication Implementation Summit 2005". As legitimate email marketers continue to hone their seasonal targeting skills to bring contextually relevant offers to their customers so do the spammers. They are working just as hard to come up with new and creative ways to target your end users and to steal their <strong>personal and workplace identities</strong>.</p>
<p>The good news is that as IT pros you are no doubt familiar with the term phishing. The bad news according to a study by the <a href="http://www.pewinternet.org/PPF/r/161/report_display.asp">Pew Internet and American Life Project</a> is that "<em>70% of surveyed internet users never heard of phishing or aren't sure that it refers to e-mail scams that try to trick users into revealing sensitive information by masquerading as a legitimate bank or credit card issuer</em>."</p>
<p>A common spammer trick is to modify the friendly from in email so it looks like it's coming from a legitimate source. If someone is spear phishing a message could be made to look like it is coming from an internal human resources representative, i.e. <a href="mailto:human_resources@yourcompany.com">human_resources@yourcompany.com</a>. The open rate for a message from HR is likely to be extremely high so the click rates are likely to be high too. The next dirty trick is to send an HTML message with an image that looks like plain text. By using an image it can display a URL string that would be common in your company and would not raise any red flags. It could look something like this, "Go here to update your information by this Friday <a href="http://yourcompany.com.update_my_401k/">http://yourcompany.com.update_my_401k</a>". It looks important, it's coming from HR, I need to know how my 401k is performing and if HR says I need to change my password then I should do it right? Well, when your end user clicks on the text link they are really clicking on the image and it's going to a site masquerading as your company trying to steal personal or confidential company data. As soon as one person in your company completes the requested data the fish has been speared and the spiral begins. Pretty scary stuff if you don't expect it.</p>
<p>Ok, so here is the litmus test.</p>
<p>What would your mother do if she got an email like this?</p>
<p>Let us know what you are doing to protect your end users and your company from attacks.</p>
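The two tricks the post describes (a spoofed "friendly from" and an image link whose host only looks like the company's domain) can both be flagged at the mail gateway. This is an added example, not code from the post; the sample message is constructed to mirror the post's scenario, and COMPANY_DOMAIN and the Return-Path comparison are assumptions about the receiving organisation.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "yourcompany.com"  # assumption: the receiving organisation's domain

# Constructed sample modelled on the post: HR display name, foreign bounce
# address, and an image (that renders as text) wrapped in a look-alike link.
SAMPLE_MESSAGE = """\
From: Human Resources <human_resources@yourcompany.com>
Return-Path: <bounce@mailer-host.example>
Content-Type: text/html

<p>Go here to update your information by this Friday
<a href="http://yourcompany.com.update_my_401k/"><img src="cid:looks_like_text"></a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, wraps_an_image) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), False]
        elif tag == "img" and self._current:
            self._current[1] = True
    def handle_endtag(self, tag):
        if tag == "a" and self._current:
            self.links.append(tuple(self._current))
            self._current = None


def same_org(host, org):
    """True only if host is org or a real subdomain of it (label boundary),
    so 'yourcompany.com.update_my_401k' does NOT count."""
    host = host.lower().rstrip(".")
    return host == org or host.endswith("." + org)


def analyse(raw, org=COMPANY_DOMAIN):
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain == org and path_domain and not same_org(path_domain, org):
        findings.append("from_domain_mismatch")  # claims to be us, bounces elsewhere
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, wraps_image in collector.links:
        host = urlparse(href).hostname or ""
        if not same_org(host, org):
            findings.append("external_link_host:" + host)
        if wraps_image:
            findings.append("image_link")  # clickable image posing as text
    return findings
```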
