Start Thinking Like an ISP

The post below comes from guest contributors Dave Lewis (CMO) and Mike Hillyer (Director of Solutions Engineering) of Message Systems.

Why do enterprises and ESPs need to adopt more rigorous messaging security measures?

Today’s most dangerous forms of messaging abuse are no longer the broad, indiscriminate attacks of the past, flooding ISPs with spoofed email in hopes that some would catch subscribers unaware. Such attacks still occur, but more troubling are the highly sophisticated “spear phishing” schemes aimed at specific individuals and organizations that reflect an intimate knowledge of our ecosystem, how it works and the roles and relationships of its players.

As costly as such compromises may be to the victimized companies, an even greater cost is borne by our overall ecosystem because such attacks strike at the trust relationships that underpin it — between customers and the companies they do business with and between companies and the service providers and suppliers they rely on. ISPs have been aware of these issues for years, but it’s become clear that enterprises and ESPs also must now adhere to a more rigorous set of security practices. Combatting these kinds of attacks is going to require a concerted effort from everyone in the messaging community.

Fortunately, most enterprises and ESPs are already pursuing some of the best practices that could – with a little tweaking – contribute to a more secure messaging environment. Often these practices are part of their deliverability initiatives and include techniques such as capturing user feedback. Currently, enterprises and service providers use feedback loop data (complaints) primarily to auto-unsubscribe email recipients and to fine-tune the targeting and content of their campaigns. Similarly, they use bounce and block data for list hygiene and measures of campaign effectiveness. Such actions are all centered on improving deliverability, an important goal for every organization. However, this user feedback data — received directly from the user or indirectly through the ISP — should inform their messaging security program too, as it could contain critical evidence of a compromise.

For example, in the outbound mail stream, a sudden spike in complaints, bounces or blocks may mean you’ve made a grievous error in a mailing (such as a bad list pull, etc.). Or it could mean that someone has evaded your prevention measures and your deployment system has been compromised. On inbound messaging, enterprises and service providers need to be equally alert and responsive to abusive mail that their own employees find in their inboxes and take immediate action to adjust the filtering and quarantine rules. Much of this user data can and should be incorporated into your security plan.

The real trick is being able to take action immediately before great damage is done. This requires that organizations have the ability to set thresholds and define automatic actions for when those thresholds are crossed. This also requires the ability to continuously monitor inbound and outbound message streams and take action in real time. Your investigative tools need to be equally responsive to quickly validate and follow up on the actions taken. Organizations that don’t use feedback data as a standard part of their security intelligence may be unaware of abusive behavior until it’s already had a serious impact. Conversely, companies that do use this data effectively will be able to nip abuse in the bud and be perceived as leading, trustworthy brands in the eyes of customers, partners and the media.
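As an added illustration (not code from the original post or from Message Systems), the threshold-and-automatic-action idea can be sketched as a per-stream sliding-window monitor over feedback events. The stream names, window size, threshold values and the event replay are assumptions constructed for the example.

```python
from collections import deque

# Assumed values for illustration; tune per stream from your own baseline.
WINDOW_SECONDS = 900          # look-back window
MIN_SENT = 100                # do not judge a stream on a tiny sample
THRESHOLDS = {"complaint": 0.003, "bounce": 0.05, "block": 0.02}

class StreamMonitor:
    """Tracks feedback rates for one outbound stream over a sliding window."""

    def __init__(self, name, on_trip):
        self.name, self.on_trip = name, on_trip
        self.events = deque()     # (timestamp, kind), oldest first
        self.paused = False

    def record(self, ts, kind):
        """kind: 'sent', 'complaint', 'bounce' or 'block'. Returns crossed thresholds."""
        self.events.append((ts, kind))
        while self.events[0][0] <= ts - WINDOW_SECONDS:
            self.events.popleft()         # drop events older than the window
        counts = {}
        for _, k in self.events:
            counts[k] = counts.get(k, 0) + 1
        sent = counts.get("sent", 0)
        if self.paused or sent < MIN_SENT:
            return []
        crossed = sorted(k for k, lim in THRESHOLDS.items()
                         if counts.get(k, 0) / sent > lim)
        if crossed:
            self.paused = True            # automatic action: stop the stream
            self.on_trip(self.name, ts, crossed)
        return crossed

def run_sample():
    """Replays constructed events for two streams; returns alerts and pause state."""
    alerts = []
    trip = lambda name, ts, crossed: alerts.append((name, ts, crossed))
    monitors = {n: StreamMonitor(n, trip) for n in ("newsletter", "receipts")}
    events = []
    for i in range(400):                  # constructed sample data, one send per second
        events.append((i, "newsletter", "sent"))
        if i % 50 == 49:
            events.append((i, "newsletter", "bounce"))   # steady 2% bounces
        events.append((i, "receipts", "sent"))
        if i >= 200 and i % 5 == 0:
            events.append((i, "receipts", "block"))      # sudden block spike
    for ts, stream, kind in events:
        monitors[stream].record(ts, kind)
    return alerts, {n: m.paused for n, m in monitors.items()}
```

In the replay, the stream with a steady bounce rate keeps sending, while the stream whose block rate climbs is paused once and raises a single alert for investigation.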

Another security technique that can easily follow on from existing deliverability best practices is strengthening “border control.” It has been critical for some time that all players verify the identity and reputation of anyone seeking to deliver messages or gain access to their domain. This means that email authentication needs to be viewed as more than a strategy for improving the deliverability of outbound email. Enterprises and ESPs must also now check for proper authentication on inbound email and recognize the fundamental role that authentication plays in preserving message security and trust.
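One way to act on inbound authentication, shown as an added example rather than anything from the original post: read the `Authentication-Results` header (RFC 8601) that your own border MTA wrote and ignore any copy supplied by the sender. The hostname `mx.corp.example`, the three dispositions and the sample messages are assumptions constructed for the example, and the border MTA is assumed to strip inbound headers that carry its own name.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.corp.example"    # assumed name of your border MTA
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def trusted_results(msg):
    """Collect method -> set of results, only from headers our own MTA wrote."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = str(value).partition(";")
        if authserv_id.lower().split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue                        # written by someone else: ignore
        for method, result in RESULT_RE.findall(rest):
            results.setdefault(method.lower(), set()).add(result.lower())
    return results

def disposition(raw_message):
    """Return 'deliver', 'flag' or 'quarantine' for one inbound message."""
    res = trusted_results(message_from_string(raw_message))
    dmarc = res.get("dmarc", set())
    if "pass" in dmarc:
        return "deliver"
    if "fail" in dmarc or not res:
        return "quarantine"                 # failed, or never checked at the border
    if "pass" in res.get("spf", set()) | res.get("dkim", set()):
        return "flag"                       # authenticated, but no DMARC verdict
    return "quarantine"

# Constructed sample messages (not real traffic).
BODY = "Subject: hello\n\nbody\n"
LEGIT = ("Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=news.example;\n"
         " dkim=pass header.d=news.example; dmarc=pass header.from=news.example\n"
         "From: offers@news.example\n" + BODY)
SPOOFED = ("Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=other.example;\n"
           " dmarc=fail header.from=corp.example\n"
           "Authentication-Results: mail.sender.example; dkim=pass; dmarc=pass\n"
           "From: ceo@corp.example\n" + BODY)
UNCHECKED = ("Authentication-Results: mail.sender.example; spf=pass; dmarc=pass\n"
             "From: ceo@corp.example\n" + BODY)
NO_DMARC = ("Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=small.example;\n"
            " dkim=none; dmarc=none header.from=small.example\n"
            "From: info@small.example\n" + BODY)
```

The second and third samples both carry a sender-supplied header claiming `dmarc=pass`; neither is believed, because only the header bearing the trusted name counts.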

Having worked with ISPs and carriers in combatting similar threats, these are but a few recommendations we’d suggest that enterprises and ESPs consider. See our new whitepaper for further detail on how to safeguard your message streams. Also be sure to take a look at the guidelines issued by the OTA, ESPC and others. But remember, the spear phishers are smart, resourceful and diligent adversaries, always on the prowl for new points of vulnerability. To avoid being added to the ever-growing list of compromised companies, you’ll need to be equally smart, resourceful and diligent. And it will take more than a few changes to your operating processes to lock them out. You’ll want to take a hard look at how those processes work within the context of an integrated technology framework for safe and secure messaging.
