Mail software consists of a large number of cooperating pieces, described in RFC 5598. A user composes a message with a Mail User Agent (MUA), which passes it to a Mail Submission Agent (MSA), which in turn usually passes it to a sequence of Mail Transfer Agents (MTAs), which eventually hand it to a Mail Delivery Agent (MDA) to place it in the user's mail store. If the recipient user doesn't read mail on the same computer with the mail store (as is usually the case these days) POP or IMAP transfers the mail to the recipient's MUA. more
For many years, I have tracked spam from botnets and reported on it. I have analyzed those botnets' distribution patterns by number of IPs, number of messages per email envelope and geographical distribution. While spam from botnets is interesting, and the main source of spam, it is not the only source of spam. What about spam that originates from the MAGY sources? more
Today I released a report on 'National cyber crime and online threats reporting centres. A study into national and international cooperation'. Mitigating online threats and the subsequent enforcing of violations of laws often involves many different organisations and countries. Many countries are presently engaged in erecting national centres aimed at reporting cyber crime, spam or botnet mitigation. more
At the end of January, the DMARC (Domain-based Message Authentication, Reporting & Conformance) specification was publicly announced and resulted in widespread media coverage, blog posts and discussion. Since that time various individuals and organizations have been working on writing code for DMARC validators and report parsers. The dmarc-discuss list has been fairly active as various questions and issues have been raised and clarified. Now it is time to see how well the various implementations play together in live testing. more
DNS blacklists for IPv4 addresses are now nearly 15 years old, and DNSBL operators have gathered a great deal of expertise running them. Over the next decade or two mail will probably move to IPv6. How will running IPv6 DNSBLs differ from IPv4? There aren't any significant IPv6 DNSBLs yet since there isn't significant unwanted IPv6 mail traffic yet (or significant wanted traffic, for that matter), but we can make some extrapolations from the IPv4 experience. more
I opined about a year ago that DNS blacklists wouldn't work for mail that runs over IPv6 rather than IPv4. The reason is that IPv6 has such a huge range of addresses that spammers can easily send every message from a unique IP address, which means that recipient systems will fire off a unique set of DNSBL queries for every message... Now I'm much less sure this will be a problem... more
Knowing how long to store your company email can be confusing. For some industries and public companies there are laws dictating how long emails should be kept, but for other companies it is more discretionary. A document retention policy can help with this. Deciding which emails to keep and for how long - and then most importantly, sticking to your policy - will be looked on more favourably should you find yourself justifying missing email evidence to a judge. more
Courtesy forwards have been a standard feature of e-mail systems about as long as there have been e-mail systems. A user moves or changes jobs or something, and rather than just closing the account, the mail system forwards all the mail to the user's new address. Or a user with multiple addresses forwards them all to one place to be able to read all the mail together. Since forwarding is very cheap, it's quite common for forwards to persist for many years. Unfortunately, forwarding is yet another thing that spam has screwed up. more
It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, [email protected], there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook. more
There has been a lot of recent discussions and questions about reputation, content and delivery of email. I started to answer some of them, and then realized there weren't any basic reference documents I could refer to when explaining the interaction. So I decided to write some. This post is about IP address reputation with some background on why IPs are so important and why ISPs focus so heavily on the sending IP. more
While Canada was dragging the chain when it came to introducing anti-spam legislation, it is now making up for lost time. Ottawa's new law -- expected to be operational early this year -- has severe fines for violations and is viewed by some as too tough. Known as CASL, the new law aims to crack down on spammers and mailing list companies but in doing so, tightly regulates the way businesses can market to prospective customers via email and online. more
In my last post I blogged about greylisting, a well-known anti-spam technique for rejecting spam sent by botnets. When a mail server receives a an attempt to deliver mail from an IP address that's never sent mail before, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail senders always retry, badly written spamware often doesn't. I found that even though everyone knows about greylisting, about 2/3 of IPs don't successfully retry. more
Since November of last year we have been discussing the problem of illicit and illegal online pharmacy support by ICANN-accredited Registrars. In several articles and direct contact with the Registrars we have tirelessly tried to convey the seriousness of this problem, many listened, some did not... With the background information already known, the case presented here is much more specific and concerns EvaPharmacy, which was until recently, the world's largest online criminal pharmacy network. more
There's a pernicious meme floating around that DomainKeys Identified Mail (DKIM) doesn't work with discussion lists, particularly those hosted on common open source software packages like MailMan. It's particularly odd to see this claim after I set it up successfully on a stock Debian server in less than half an hour, just a few weeks ago. Here's how it can, should, and does work. more
The best part is ... this isn't one of those 'now that I've got your attention' tricks, like one of those old "free beer" posters; there really is a ton of stuff happening above the 49th parallel this summer. To begin with, as a precursor to Canada's Anti-spam Law coming into effect later this year, the Office of the Privacy Commissioner, the Canadian Radio-television Telecommunications Commission, and Industry Canada have all issued regulations, the latter two in draft form with an RFC. more