2008-11-16
A hint for email providers
Here is something that I shouldn't have to say to all sorts of email providers but apparently need to:
If someone says that you have spammed them, your first reaction should not be to proclaim that you are a legitimate business (and that you don't spam and that you have strong policies and so on); your first reaction should be to profusely apologize and attempt to open a dialog so that you can fix the situation.
There are a number of reasons for this, assuming that you are a legitimate business and actually want to deal with any spam problem that you have. First, any public comments are the tip of an iceberg of your problem; for every person who says something in public that you can find there are probably at least ten who have just quietly done something about your email. This means that you have a bigger problem than you can see and you need to do something about it fast, and so you actually need the information that this person might be able to provide if you approach them nicely.
The second reason is that it is good public relations. Regardless of what actually happened, you have done something that annoyed this person. If you go around proclaiming your innocence, you are coming very close to also calling them a liar, which rarely goes down well with the already irritated; you are unlikely to do anything except harden their unfavorable reaction to you. By contrast, apologizing and working to solve the situation both acknowledges their situation as real and is more likely to leave them feeling positively inclined towards you.
(Hint: it does not matter if you did not actually, technically, spam them. What matters is that you left someone with the belief that you did.)
The final reason is that it doesn't work. Regardless of the facts of your specific case, this particular well is already poisoned; too many spammers have spent too much time proclaiming their innocence for anyone to believe you. This includes bystanders, and remember that in almost all situations the person you are trying to 'correct' can have the last word if they want to.
(This general advice is applicable in situations beyond spam, of course. For example, technical support.)
2008-11-02
Why university webmail systems are attractive to spammers
I think that there are reasons why university webmail systems are attractive to spammers, beyond the fact that they're there and have a good reputation. Unfortunately, universities offer an environment with a very attractive set of features.
First is the fact that they're accessible at all. Relatively few places have a reason to run a webmail system (or any sort of mail system) that their users can log into from the outside world. Most organizations, even large ones, do not have lots of people who need access to the mail system from the Internet using relatively primitive tools such as a plain web browser. Needing only primitive tools is very useful for attackers, because it makes it much easier for spammers to exploit any passwords that they get: a stolen password plus any web browser is enough to send mail.
(Many organizations actively don't want people to be able to get inside the firewall from random machines that only have a web browser, because said random machine may well be compromised.)
In fact, I think that there are basically three sorts of organizations like this: free webmail providers, commercial ISPs, and universities. I do not think that it is a coincidence that spammers have been exploiting all three (in roughly that order: webmail first, then ISPs, and now universities).
In this hierarchy of accessible webmail systems, universities have the disadvantage that they generally have far fewer anti-spam precautions than the first two. Large webmail providers have been worrying about spam for a long time, and even before spammers started exploiting the webmail systems of commercial ISPs, the ISPs had to worry about their own customers being spammers. Universities have not really had to worry about their own users (or their users' stolen accounts) being sources of spam until now, and are thus ripe for being exploited.
Finally, universities generally have lots of users, so the phisher can maximize the number of potential targets for a given amount of research effort (getting the information that they need to write a convincing phish letter and finding out email addresses to spam). If you have a day to work on a phish, targeting it against ten thousand users is likely to get you more results than targeting it against a few hundred.