November, 2006
Late last week, a spammer decided to send a large run of spam messages in my name. We estimate that in the space of 48 hours, the spammer’s botnet spewed 10 million messages that appeared to come from one of my privately owned domains.

A small percentage of those messages bounced, resulting in 25,000 bounces in my email over a 48-hour period. At its peak, I received one misdirected bounce per second. Many of the bounces included images — about half a gigabyte of unwanted, "backscatter" email.

What should we learn from this?

  1. We were impressed with how well the Symantec Brightmail spam filter that protects these domains worked. It did a near-perfect job of sifting out the bounces from the real email: better than 99% effectiveness, and no false positives — although it’s hard to be sure when there are so many messages to check in the quarantine. (For clarity, Symantec doesn’t protect the ferris.com domain; these forgeries were attacking other, privately owned domains such as richi.co.uk.)
  2. Many email servers behave badly, to the extent that they accept unwanted email and then bounce it, instead of rejecting it during the SMTP transaction. Some of this is due to configurations that accept everything at the perimeter and only later decide the mailbox doesn’t exist. Others seem to be due to badly configured perimeter protection — including a surprising number of Barracuda appliances. If you’re responsible for a mail system that creates such backscatter, please fix it.
  3. Many sites allow their users to auto-reply to email with no regard to whether they’re replying to spam (and hence sending irrelevant junk to a forged sender). Incredibly, some of these sites clearly decided the message was spam — as can be seen from SpamAssassin-like headers or subject tags added to the spam — yet they still kindly let me know that they’re "out of the office" because a spammer falsely used my email address as the spam’s sender. This is another form of backscatter; if you’re responsible for a mail system that does this, please fix it.

Richi Jennings
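Point 3 above is a configuration failure: an auto-responder that answers anything that lands in the mailbox. The following is an added example, not code from the post, of the checks an out-of-office responder should make before replying. It assumes the site's spam filter tags spam with a SpamAssassin-style `X-Spam-Flag: YES` header and that machine-generated mail carries the RFC 3834 `Auto-Submitted` or a bulk `Precedence` header; the sample messages are constructed.

```python
import email
from email import policy
from email.utils import getaddresses

# Precedence values that mark bulk or list traffic; replying to these
# only produces more backscatter.
AUTO_PRECEDENCE = {"bulk", "junk", "list"}


def make_message(**headers: str) -> bytes:
    """Build a minimal raw message from headers (constructed test data).
    Underscores in keyword names become hyphens, e.g. Return_Path."""
    lines = [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\nbody\r\n").encode()


def should_auto_reply(raw_message: bytes, my_address: str) -> tuple:
    """Return (decision, reason) for an out-of-office responder.

    Assumes a SpamAssassin-style 'X-Spam-Flag' header from the site's
    filter (an assumption of this example, not a fact from the post).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    # 1. Null envelope sender (<>) means a bounce/DSN: never reply to it.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null return-path (bounce or DSN)"

    # 2. Already classified as spam: the sender address is probably forged,
    #    so any reply goes to an innocent third party.
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return False, "tagged as spam by the filter"

    # 3. Automatic or bulk mail (RFC 3834): replying just generates noise.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"auto-submitted: {auto}"
    if (msg.get("Precedence") or "").strip().lower() in AUTO_PRECEDENCE:
        return False, "bulk/list precedence"

    # 4. Only reply when the message was explicitly addressed to me;
    #    spam runs rarely put the real recipient in To/Cc.
    raw_to = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    addrs = {addr.lower() for _, addr in getaddresses(raw_to)}
    if my_address.lower() not in addrs:
        return False, "not addressed to me"

    return True, "ok"
```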
Has phishing become so prevalent that banks cannot use email to contact their customers?

In a recent incident, Citibank Australia sent email to its online banking customers that was mistaken for a phishing attack. The issue was that Citibank’s email asked recipients to browse to a Web site, authenticate using their card number, account number, and PIN, and then create their user ID and password — very similar to a standard phishing attack.

This email was met by a backlash from the industry, with many pointing out that Citibank had contravened its own privacy policy. Security experts issued conflicting statements about the use of email by banks. Some actually urged banks to stop sending email to their customers; others opined that email was still a valid communication medium, but that consistent messaging and proper security were imperative.

While Citibank believes that its customers are used to receiving email from the bank, and that the email didn’t contain active URLs (except to the bank’s privacy policy), it certainly contained enough "phishy" material for it to be considered suspicious.

In a way, the issue is about the email content. A message about new services or a new borrowing vehicle shouldn’t really set off alarm bells. The above incident requested almost the same action of the recipient as a standard phishing attack. Organizations — not just banks — should avoid sending email to customers that blurs this distinction. Unfortunately, phishing attacks are prevalent, so any request for personal information in email should be considered suspicious, no matter what the source.

Colin R. Bush