Background:
Compromised email accounts are on the rise, from almost every sector,
and often it is the same actors and infrastructures that are being used
as a source to send out their malware and phishing from these
compromised accounts. Historically, while we identify these threats, we
have only used it to protect our own customers, albeit we do share some
of this intel with RBLs to make that information more widely available.
But given the high profile of some of the email servers that are being
abused, e.g. government email servers, we are considering actually
reporting this information back to the email operators who have the
compromised/abused accounts.
However, we need to do this in an automated way that creates real value
for the email operators, while not adding an undue burden to our teams.
The challenge is that, because of the diverse nature of email operators,
simply sending an email to abuse@ seems unlikely to work in many
cases, and of course the recipient has to be assured that our data is
indeed accurate.
There are so many different use cases:
* Small operator with a cPanel server
* Large hosting provider with many shared servers
* Enterprise and Governments still using Zimbra
* Gmail, o365, Apple
* Other large email hosting platforms
* Foreign Operators
While it would be nice to see everyone adopting DROP lists and AUTH
lists, that isn't likely to happen anytime soon.
So, assuming we see one of the above types of operators leaking
dangerous content, where the authenticating IP is on a known threat
database (e.g. a bulletproof hoster, or an IP associated with a well-known
APT actor), the questions are:
* Should we notify the operator?
* How BEST to notify the operator?
Of course, we could just reject the email as normal (but usually the
only person who would even notice is the bad actor themselves), or we
could report the email server to an RBL given it is sending dangerous
information (of course, for Gmail and o365 that might be hard to do).
And of course, there is no use sending alerts if they will simply be ignored.
I'd like to hear from the community any and all ideas surrounding the topic
of feeding intel back to email operators when they have compromised emails,
from sources that they should block to protect their customers.
Comments?
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
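The scenario in the post, an authenticated submission whose client IP sits on a known threat list, can be turned into an automated, operator-facing report. The following is an added example and is not code from the post's author or from LinuxMagic; it assumes a constructed Postfix-style submission log format, a tiny constructed threat list standing in for a real RBL or threat feed, and a JSON report shape chosen here (not a published abuse-report standard) addressed to the operator's abuse@ mailbox, the one address the post itself mentions. Grouping events per operator domain and attaching the evidence (timestamp, source IP, which list matched, recipient count) is what gives the receiving operator something they can verify rather than a bare "you are compromised" alert.

```python
"""Added example (not from the original mailop post): flag mail submitted
through an account from a known-bad IP and build a structured abuse report
for that account's operator. The log format, the threat networks and the
report layout are all constructed assumptions for this example.
"""
import ipaddress
import json
import re

# Constructed threat list standing in for a real RBL / threat feed (assumption).
THREAT_NETWORKS = {
    "203.0.113.0/24": "bulletproof-hoster (constructed)",
    "198.51.100.77/32": "apt-infrastructure (constructed)",
}
_THREAT_NETS = [(ipaddress.ip_network(n), tag) for n, tag in THREAT_NETWORKS.items()]

# Constructed Postfix-like submission line with the SASL-authenticated user (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) submission: client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_username=(?P<user>\S+), from=<(?P<sender>[^>]*)>, nrcpt=(?P<nrcpt>\d+)$"
)

# Constructed sample log: one clean submission, two from listed IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z mx1 submission: client=unknown[192.0.2.10], sasl_username=alice@example.gov, from=<alice@example.gov>, nrcpt=1
2024-05-01T10:00:07Z mx1 submission: client=unknown[203.0.113.45], sasl_username=bob@example.gov, from=<bob@example.gov>, nrcpt=250
2024-05-01T10:00:09Z mx1 submission: client=unknown[198.51.100.77], sasl_username=carol@mail.example.org, from=<carol@mail.example.org>, nrcpt=40
"""


def threat_tag(ip: str):
    """Return the threat-list tag for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, tag in _THREAT_NETS:
        if addr in net:
            return tag
    return None


def parse_log(text: str):
    """Yield one dict per submission line that matches the constructed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_abused_accounts(log_text: str):
    """Group submissions from listed IPs by the account's operator domain."""
    hits = {}
    for rec in parse_log(log_text):
        tag = threat_tag(rec["ip"])
        if tag is None:
            continue
        # The operator to notify is the domain of the authenticated account,
        # not the envelope sender, which a compromised account may forge.
        domain = rec["user"].rsplit("@", 1)[-1].lower()
        hits.setdefault(domain, []).append({
            "account": rec["user"],
            "source_ip": rec["ip"],
            "threat": tag,
            "timestamp": rec["ts"],
            "recipients": int(rec["nrcpt"]),
        })
    return hits


def build_report(domain: str, events: list, reporter: str) -> dict:
    """Machine-readable report; field names are this example's own choice."""
    return {
        "report_type": "compromised-account",
        "reporter_contact": reporter,
        "operator_domain": domain,
        "send_to": f"abuse@{domain}",  # RFC 2142 abuse mailbox, as the post suggests
        "evidence": events,
    }


def reports_for(log_text: str, reporter: str = "abuse-reports@reporter.example"):
    """One report per affected operator domain, in stable (sorted) order."""
    return [build_report(d, ev, reporter)
            for d, ev in sorted(find_abused_accounts(log_text).items())]


if __name__ == "__main__":
    for r in reports_for(SAMPLE_LOG):
        print(json.dumps(r, indent=2))
```

In practice the threat lookup would query the real feed or RBL and the report would be signed or sent from a published reporter address so the operator can check its provenance; the per-domain grouping also keeps large operators from receiving one message per compromised account.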