DOCSLIB.ORG

Email Sender Authentication Development and Deployment

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

EMAIL SENDER AUTHENTICATION DEVELOPMENT AND DEPLOYMENT (PROJECT CHEESEPLATE) Volume I Technical and Management Proposal pobox.com IC Group, Inc. [email protected] v1.01 20041217 Full Proposal Control Number EB8A Email Sender Authentication OFFICIAL TRANSMITTAL LETTER IC Group, Inc., a New York State corporation, doing business as pobox.com, respectfully submits a proposal in response to solicitation BAA04-17 for Cyber Security Research and Development. It is submitted under Category 3, Technical Topic Area 7, Technologies to Defend Against Identity Theft, for consideration as a Type II Prototype Technology. Solicitation Title: BAA 04-17 Topic Title: Technologies to Defend Against Identity Theft Type Title: Type II (Prototype Technologies) Full Proposal Control Number: EB8A Proposal Title: Email Sender Authentication A companion proposal, Reputation System Clearinghouse (1RGT), is also being submitted under the same category and type. We request that these two proposals be read together. This proposal should be read first. This proposal was authored by Meng Weng Wong, Founder and Chief Technology Officer for Special Projects. He can be contacted at [email protected]. Meng Weng Wong IC Group, Inc. 1100 Vine St Ste C8 Philadelphia, PA 19107 December 15th 2004 EIN: 113236046 Central Contractor Registration: 3EKUCT Email Sender Authentication 2 EXECUTIVE SUMMARY Pobox.com aims to fight phishing by adding sender authentication “Phishing” is a class of high-tech scam that functionality to the Internet email system. First we will build a library uses fraudulent e-mail to deceive consum- ers into visiting fake replicas of familiar to implement a useful set of recently devised anti-forgery specifica- Web sites and disclosing their credit card tions, including ip-based approaches such as SPF and crypto-based numbers, bank account information, Social approaches such as DomainKeys. The library will also be able to Security numbers, passwords and other sensitive information. – BAA04-17 query arbitrary third party reputation and accreditation services. It will be constructed as a reference implementation and documented as a standard. Then we will integrate that library into the Mail Trans- fer Agents (MTAs) which carry the bulk of the Internet's email. At the end of the project, it will be possible for most mail systems to simply upgrade their MTAs. After upgrading, systems can “flip a switch” and automatically recognize, block, or flag suspected spam and phishing emails. This meets the requirements of tta 7. In this system, receivers of email will enjoy protection from iden- tity theft and phishing. They will have the option to easily block obvious forgeries. They will also have the option to flag mail which does not pass some form of authentication, or which does not meet minimum standards of reputation. These capabilities do not exist today in a non-proprietary, non-commercial form suitable for fast free widespread adoption. This project creates these capabilities and introduces them to the email system. The project will last approximately eighteen months. The bulk of the money will go toward paying programmers to write software and plug it into popular MTAs both commercial and opensource. The project will be managed by the team who produced the successful SPF specification and software development effort. Software produced by the project will be as free as is practical. Li- censing will work according to generally accepted opensource prac- tices. Participation in the antiforgery system will be voluntary and free of external costs for both senders and receivers. Most of these benefits will not require end-user involvement. Software deployment will rely on trained system administration pro- fessionals. Portions that do affect end-users are designed to be as simple as possible and no simpler – at about the level of complexity of the web browser padlock icon. To achieve these goals, we seek a grant between us50,000 and us750,000. The base level of funding covers the development of the core library. Higher levels of funding will allow us to upgrade more software to use that library. Email Sender Authentication Performance Goals 3 PERFORMANCE GOALS The ultimate goal of this project is to change the way Internet email works. This ambition deserves explanation. When email was invented, abuse considerations were secondary to functionality. The ability to get mail from random strangers was considered a primary virtue. Today, spam outnumbers non-spam email (ham). In the absence of filtering, messages from strangers are now, more likely than not, spam. This position may be regrettable but it reflects reality. It calls for a new paradigm of email. While content filtering has proven effective in the past, it is unsat- isfactory in a number of fundamental ways. The first generation of antispam technologies filtered out bad messages based on what they contained. The next generation of antispam technologies will filter in good messages based on who sent them. Sender authentication is now generally considered essential to See remarks by the FTC in the Federal Register, fight phishing, spam, worms, viruses, and other forms of online mes- http://www.ftc.gov/opa/2004/09/emailauth.htm saging abuse. Authentication technologies, when widely deployed Reputation systems are described in the accom- and used in conjunction with reputation systems, promise to make a panying proposal, Reputation System Clearing- house. permanent contribution to the antispam and antiphishing effort. Under the new paradigm, email receivers use authentication tech- nologies to tell if the senders and authors of messages really are who they say they are (spoof detection). Then receivers use reputation technologies to check if those senders are recognized or not (stranger detection). Receivers can use these technologies together in service of policy: if a message is authenticated and recognized, then it is not spoofed and not from a stranger. Receivers can opt to treat the mes- sage positively. If the sender is not authenticated or not reputable, then the message is from a stranger. It may contain undesirable con- tent, and receivers can opt to treat the message negatively. (The cri- teria used for determining “strangerness”, and how positive and neg- ative dispositions are handled, are locally determined by individual end-users and receiver systems.) Receivers can use these technolo- gies and apply these policies to automatically screen out unwanted messages, including phishing attempts and traditional spam. The proposed project uses the above approach to meet the goals specified in tta 7. The project will implement a collection of authentication and reputation technologies and deploy them across a wide variety of software programs that make up the Internet email system. THE NEED FOR A COORDINATED ROLLOUT History shows that if we leave industry to its own devices, rollout Email Sender Authentication Performance Goals 4 may occur in a slow, haphazard, and “every man for himself” fash- ion. Such a rollout could threaten the integrity of the email system. Furthermore, some MTA offerings, particularly opensource prod- ucts, may lack the resources to implement the desired improvements in a timely fashion. If we coordinate the rollout, we can ensure that implementations meet a minimum standard of quality; we can test interoperability; and we can set a rough schedule for deployment. After a receiver site implements sender authentication, and after Government domains are also expected to a useful fraction of sending sites emit authenticated messages, it will participate in sender authentication to protect themselves from receiving spoofs and from be- become significantly easier for end-users to recognize phishing at- ing spoofed. tempts, and for machines to automatically block them altogether. The bulk of these technologies are intended to occur at the core of the email system and will be deployed by trained system administra- tion professionals. Some user-visible changes to Mail User Agent (MUA) software are, however, unavoidable; they add an element to the MUA user experience roughly comparable to the padlock icon in web browsers. THE NEED FOR FUNDING To end spam and phishing, the email system must evolve. Free and open standards must form the basis for this evolution because email is too important to be owned or controlled by anyone. The single most widespread and successful such standard is SPF. In twelve months SPF has grown to cover approximately 20% of all Internet email. During that time, however, the project received only Nathaniel Borenstein, Distinguished Engineer about 3,000 in donations. This has not been enough to pay pro- at IBM and author of the MIME specification, has counted at least thirty-one consortia grammers, so people who work on SPF do so in their spare time. chartered to fight spam. Many of them have The world seems to want a final solution to spam very badly, but budgets in the millions of dollars. Many of it doesn’t seem to want to spend much to get it. At the same time, them have held expensive conferences to discuss the spam problem. None of them, it seems quite happy to spend billions of dollars treating the symp- to my knowledge, have allocated resources toms. towards actually writing any antispam code. Money spent on treating symptoms: $3,000,000,000. Experts estimate direct losses from phishing at Money given to curing the disease: $3,000. anywhere from $150 million to $500 million. http://news.zdnet.co.uk/internet/security/ 0,39020375,39175678,00.htm Yes: the most successful project to end a worldwide scourge is More broadly, what does spam cost the being run on a budget of 3,000 by hobbyists working nights and economy? It depends who you ask. Ferris Research estimated a loss of $11.4 billion in weekends. Imagine how much better they could do if only they had 2002. Other experts say that number is bogus. a little more time and money. But it’s obvious that enterprises and ISPs spend With proper funding, programmers could devote more time to millions to handle spam volume – millions that could be better spent elsewhere, or not spent the project.
Recommended publications
  • DMARC — Defeating E-Mail Abuse

    DMARC — Defeating E-Mail Abuse

    CERT-EU Security Whitepaper 17-001 DMARC — Defeating E-Mail Abuse Christos Koutroumpas ver. 1.3 February 9, 2017 TLP: WHITE 1 Preface E-mail is one of the most valuable and broadly used means of communication and most orga- nizations strongly depend on it. The Simple Mail Transport Protocol (SMTP) – the Internet’s underlying email protocol – was adopted in the eighties and is still in use after 35 years. When it was designed, the need for security was not so obvious, and therefore security was not incor- porated in the design of this protocol. As a result, the protocol is susceptible to a wide range of attacks. Spear-phishing campaigns in particular can be more successful by spoofing (altering) the originator e-mail address to imper- sonate a trusted or trustworthy organization or person. This can lead to luring the recipient into giving away credentials or infecting his/her computer by executing malware delivered through the e-mail. While raising user awareness on how to avoid e-mail fraud is recommended, the Verizon Data Breach Investigations Report indicates that more needs to be done. The DBIR report reveals that 30% of all phishing e-mail messages were opened by the recipients and with 12% clicked on the content and executed malicious code. The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds. These statistics highlight the risk for an organization on the receiving end of spear-phishing e-mails.
  • What Is SPF? Introduction

    What Is SPF? Introduction

    Valimail White Paper February 2018 What is SPF? Introduction Sender Policy Framework (SPF) is a Work on SPF started in 2003, and domains cornerstone of email authentication, and is the have been deploying it increasingly widely first of several standards established for that since then. SPF was published as RFC 4408 purpose. in 2006, and became an officially proposed Internet standard via RFC 7208 in 2014. In a simplistic sense, SPF lets you create a whitelist for IP addresses. If a mail server SPF is widely used by major and minor with an IP address that’s not on your list tries receivers of email (Google, Microsoft, Yahoo, to send email using your domain, it won’t etc.) as well as all Secure Email Gateways pass the SPF authentication test. (SEGs). How It Works The way SPF works is quite simple in principle: For instance, we examined the SPF records for all 62 sponsors of the 2017 1. Domain owners publish SPF records to RSA Conference. We found 58 who had the Domain Name System (DNS) that spell published SPF records, but 17 of those out the rule sets for their domains. An had records with errors in them. That’s SPF record is plain text, and it can be a nearly 30 percent failure rate — and as simple as a single line listing the IP that’s among security companies. addresses that are allowed to send email on the domain’s behalf. Companies that don’t have a lot of expertise in cybersecurity in general (and email 2. When an email server receives an incoming security in particular) often find SPF email, it examines the domain shown in even more tricky.
  • Electronic Mail

    Electronic Mail

    CSECSE 265:265: SystemSystem andand NetworkNetwork AdministrationAdministration ● Electronic Mail – Mail systems – Addressing, mail headers – Client/server philosophy, mail homes – Aliases, mail routing, mailing list software – sendmail – Security – Performance Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D. Davison MailMail systemssystems ● Four components – Mail user agent (MUA) to read and compose mail – Mail transport agent (MTA) route messages – Delivery agent that stores messages for later retrieval by users – Optional access agent to connect user agent to message store Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D. Davison TheThe bigbig picturepicture Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D. Davison UserUser agentsagents ● Provide means to read and compose email – Outlook, Thunderbird, Eudora, pine, elm, IMP, /bin/mail, emacs, web-based gmail, and more ● Often have system-wide and personal configuration files ● Multipurpose Internet Mail Extensions (MIME) encoding for different text formats and attachments Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D. Davison TransportTransport agentsagents ● Transport agents accept mail from a user agent, and deliver mail to the correct hosts – PMDF, postfix, smail, Exim, sendmail ● Speak the Simple Mail Transport Protocol (SMTP) or Extended SMTP (ESMTP) ● Run on port 25 (unencrypted) Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D. Davison DeliveryDelivery agentsagents – Accepts mail from a transport agent, and delivers to the local recipient – Delivery can be to ● a person's mailbox ● a mailing list ● a file ● a program – Agents include ● /bin/mail for local users ● /bin/sh for programs ● /usr/bin/procmail for user-configurable delivery Spring 2016 CSE 265: System and Network Administration ©2004-2016 Brian D.
  • Delivering Results to the Inbox Sailthru’S 2020 Playbook on Deliverability, Why It’S Imperative and How It Drives Business Results Introduction to Deliverability

    Delivering Results to the Inbox Sailthru’S 2020 Playbook on Deliverability, Why It’S Imperative and How It Drives Business Results Introduction to Deliverability

    Delivering Results to the Inbox Sailthru’s 2020 Playbook on Deliverability, Why It’s Imperative and How It Drives Business Results Introduction to Deliverability Every day, people receive more than 293 billion Deliverability is the unsung hero of email marketing, emails, a staggering number that only represents ultimately ensuring a company’s emails reach their the tip of the iceberg. Why? The actual number intended recipients. It’s determined by a host of of emails sent is closer to 5.9 quadrillion, with the factors, including the engagement of your subscribers overwhelming majority blocked outright or delivered and the quality of your lists. All together, these factors to the spam folder. result in your sender reputation score, which is used to determine how the ISPs treat your email stream. Something many people don’t realize is that to the Deliverability is also a background player, so far in the major Internet Service Providers (ISPs) — Gmail, shadows that many people don’t think about it, until Yahoo!, Hotmail, Comcast and AOL — “spam” there’s a major issue. doesn’t refer to marketing messages people may find annoying, but rather malicious email filled with That’s why Sailthru’s deliverability team created this scams and viruses. In order to protect their networks guide. Read on to learn more about how deliverability and their customers, the ISPs cast a wide net. If a works on the back-end and how it impacts revenue, message is deemed to be spam by the ISP’s filters, it’s your sender reputation and how to maintain a good dead on arrival, never to see the light of the inbox, as one, and best practices for list management, email protecting users’ inboxes is the top priority of any ISP.
  • Presentations Made by Senders

    Presentations Made by Senders

    SES ���� ��� � �� � � � � � � � ������������� DomainKeys ��������� SPF ��������������������� ���������� ����������������� ������������������������������������������������ Contents Introduction 3 Deployment: For Email Receivers 6 Audience 3 Two Sides of the Coin 6 How to Read this White Paper 3 Recording Trusted Senders Who Passed Authentication 6 A Vision for Spam-Free Email 4 Whitelisting Incoming Forwarders 6 The Problem of Abuse 4 What To Do About Forgeries 6 The Underlying Concept 4 Deployment: For ISPs and Enterprises 7 Drivers; or, Who’s Buying It 4 Complementary considerations for ISPs 7 Vision Walkthrough 5 Deployment: For MTA vendors 8 About Sender Authentication 8 Which specification? 8 An Example 8 Conformance testing 8 History 8 Perform SRS and prepend headers when forwarding 8 How IP-based Authentication Works 9 Add ESMTP support for Submitter 8 The SPF record 9 Record authentication and policy results in the headers 8 How SPF Classic Works 9 Join the developers mailing list 8 How Sender ID works 9 Deployment: For MUA vendors 9 How Cryptographic Techniques Work 0 Displaying Authentication-Results 9 Using Multiple Approaches Automatic switching to port 587 9 Reputation Systems Deployment: For ESPs 20 Deployment: For Email Senders 2 Don’t look like a phisher! 20 First, prepare. 2 Delegation 20 Audit Your Outbound Mailstreams 2 Publish Appropriately 20 Construct the record 2 Deployment: For Spammers 2 Think briefly about PRA and Mail-From contexts. 3 Two Types of Spammers 2 Test the record, part 3 Publish SPF and sign with DomainKeys. 2 Put the record in DNS 3 Stop forging random domains. 2 Test the record, part 2 4 Buy your own domains. 2 Keep Track of Violations 4 Reuse an expired domain.
  • Combatting Spam Using Mimedefang, Spamassassin and Perl

    Combatting Spam Using Mimedefang, Spamassassin and Perl

    Combating Spam Using SpamAssassin, MIMEDefang and Perl Copyright 2003 David F. Skoll Roaring Penguin Software Inc. (Booth #23) Administrivia Please turn off or silence cell phones, pagers, Blackberry devices, etc... After the tutorial, please be sure to fill out an evaluation form and return it to the USENIX folks. 2 Overview After this tutorial, you will: Understand how central mail filtering works. Know how to use MIMEDefang to filter mail. Be able to integrate SpamAssassin into your mail filter. Know how to implement mail filtering policies with MIMEDefang and Perl. Know how to fight common spammer tactics. 3 Outline Introduction to Mail Filtering Sendmail's Milter API MIMEDefang Introduction, Architecture Writing MIMEDefang Filters SpamAssassin Integration Advanced Filter Writing Fighting Common Spammer Tactics Advanced Topics Policy Suggestions 4 Assumptions I assume that you: Are familiar with Sendmail configuration. You don't need to be a sendmail.cf guru, but should know the basics. Are familiar with Perl. Again, you don't need to be able to write an AI program in a Perl one- liner, but should be able to read simple Perl scripts. Are running the latest version of Sendmail 8.12 on a modern UNIX or UNIX-like system. 5 Why Filter Mail? The old reason: to stop viruses. The new reason: to stop spam and inappropriate content. Blocking viruses is easy. Block .exe and similar files, and test against signature databases. Blocking spam is hard, but becoming increasingly important. Organizations can even face lawsuits over inappropriate content. 6 Mail filtering is required for many reasons. In addition to the reasons given on the slide, you might need to filter outgoing mail as well to prevent virus propagation, dissemination of sensitive information, etc.
  • Account Administrator's Guide

    Account Administrator's Guide

    ePrism Email Security Account Administrator’s Guide - V10.4 4225 Executive Sq, Ste 1600 Give us a call: Send us an email: For more info, visit us at: La Jolla, CA 92037-1487 1-800-782-3762 [email protected] www.edgewave.com © 2001—2016 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered trademarks are hereby acknowledged. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners. The Email Security software and its documentation are copyrighted materials. Law prohibits making unauthorized copies. No part of this software or documentation may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into another language without prior permission of EdgeWave. 10.4 Contents Chapter 1 Overview 1 Overview of Services 1 Email Filtering (EMF) 2 Archive 3 Continuity 3 Encryption 4 Data Loss Protection (DLP) 4 Personal Health Information 4 Personal Financial Information 5 Document Conventions 6 Other Conventions 6 Supported Browsers 7 Reporting Spam to EdgeWave 7 Contacting Us 7 Additional Resources 7 Chapter 2 Portal Overview 8 Navigation Tree 9 Work Area 10 Navigation Icons 10 Getting Started 11 Logging into the portal for the first time 11 Logging into the portal after registration 12 Changing Your Personal Information 12 Configuring Accounts 12 Chapter 3 EdgeWave Administrator
  • DMARC: Monitor & Secure Your Email Delivery

    DMARC: Monitor & Secure Your Email Delivery

    Guide DMARC: Monitor & secure your email delivery Chris Nagele Founder of Wildbit postmarkapp.com Read the web version. Do you know every source of email for your domain? Are spammers trying to spoof your email domain for hacking or fraud opportunities? Are you complying with the best email practices to ensure inbox delivery? These are the questions that DMARC answers, giving you full control of email delivery for your company’s domain. At Postmark, email authentication has been extremely important to us from day one. We believe that anyone should be able to easily send emails with proper infrastructure, tools, and email standards without having to pay enterprise prices. DMARC, and our support of it, is a big part of this mission. 2 What is DMARC? DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that prevents spammers from using your domain to send email without your permission — also known as spoofing. Spammers can forge the “From” address on messages so the spam appears to come from a user in your domain. A good example of this is PayPal spoofing, where a spammer sends an email to you pretending to be PayPal in an effort to obtain your account information. DMARC ensures these emails get blocked before you even see them in your inbox. In addition, DMARC gives you great visibility and reports into who is sending email on behalf of your domain, ensuring only legitimate email is received. The good news is that DMARC is open and free for anyone to use, allowing you to secure your domain’s emails and gain control of your email delivery.
  • Set up Mail Server Documentation 1.0

    Set up Mail Server Documentation 1.0

    Set Up Mail Server Documentation 1.0 Nosy 2014 01 23 Contents 1 1 1.1......................................................1 1.2......................................................2 2 11 3 13 3.1...................................................... 13 3.2...................................................... 13 3.3...................................................... 13 4 15 5 17 5.1...................................................... 17 5.2...................................................... 17 5.3...................................................... 17 5.4...................................................... 18 6 19 6.1...................................................... 19 6.2...................................................... 28 6.3...................................................... 32 6.4 Webmail................................................. 36 6.5...................................................... 37 6.6...................................................... 38 7 39 7.1...................................................... 39 7.2 SQL.................................................... 41 8 43 8.1...................................................... 43 8.2 strategy.................................................. 43 8.3...................................................... 44 8.4...................................................... 45 8.5...................................................... 45 8.6 Telnet................................................... 46 8.7 Can postfix receive?..........................................
  • Messagelabs Email Security Services Administrator Guide

    Messagelabs Email Security Services Administrator Guide

    Email Security Services Administrator Guide For Microsoft Exchange® Environments Licensed Customer Confidential Licensed Customer Confidential Legal Notices Copyright© 1998-2009 Dell MessageOne, Inc. All Rights Reserved. Information in this document is subject to change without notice. All names of companies, organizations, persons, or other entities, and all sample data used in content and examples is fictitious and not meant to represent any real company, organization, person, or actual data. No part of this publication may be reproduced, modified, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior written permission of Dell MessageOne, Inc. Reproduction prohibitions do not extend to distribution among the employees of licensed customers or for use in activities conducted by Dell MessageOne partners in the course of sales, marketing, training, or support. MessageOne is a registered trademark and “Business Continuity that makes Business Sense,” EMS, SyncManager, RedirectorSink, RedirectorController, RecoveryManager, and OneSwitch are trademarks of Dell MessageOne, Inc. MessageLabs® and the MessageLabs logo are trademarks of MessageLabs Ltd. Research in Motion, RIM, and BlackBerry are trademarks/registered trademarks of Research in Motion Limited. All other trademarks are the property of their respective owners. This product uses certain third-party software. Relevant licensing information is provided in the MESSAGEONE LICENSE file in the installation directory. Dell
  • Using Dmarc to Improve Your Email Reputation Zink

    Using Dmarc to Improve Your Email Reputation Zink

    USING DMARC TO IMPROVE YOUR EMAIL REPUTATION ZINK USING DMARC TO IMPROVE up with ways to mitigate this problem using two primary technologies. YOUR EMAIL REPUTATION Terry Zink 1.1 Terminology Microsoft, USA In email, people naturally thing that the sender of the message is the one in the From: fi eld – the one that they see in their email Email [email protected] client. For example, suppose that you are a travel enthusiast and you receive the email shown in Figure 3. You received the message ‘from’ [email protected], right? Wrong. ABSTRACT In email, there are two ‘From’ addresses: In 2012, the world of email fi ltering created a new tool to combat 1. The SMTP MAIL FROM, otherwise known as the RFC spam and phishing: DMARC [1, 2]. DMARC, or Domain-based 5321.MailFrom [3]. This is the email address to which the Message Authentication, Reporting & Conformance, is a technology that is designed to prevent spammers from From [email protected] <[email protected]> forging the sender, thus making brands more resistant to Subject Receipt for your Payment to Penguin Magic abuse. However, its most powerful feature is the built-in To Me reporting mechanism that lets brand owners know they are being spoofed. June 10, 2014 08:42:54 PDT DMARC has its upsides, and it is very useful for Transaction ID: 8KAHSL918102341 preventing spoofi ng, but it also has some drawbacks – it will fl ag some legitimate email as spam, and it will Hello Terry Zink, cause some short-term pain. You sent a payment of $427.25 USD to Penguin Magic.
  • Permanent Email • Spam and Spoofing

    Permanent Email • Spam and Spoofing

    CU eComm Program Permanent Email • Spam and Spoofing We get a lot of inquiries regarding SPAM. As a result, we have compiled a list of the most frequently asked questions with explanations for each. See below. I hope you find this information helpful. SPAM FAQ Is the alumni association sending me spam? No. Neither the alumni association nor Harris Internet Services, who host the Alumni Connections servers that maintain the email forwarding service, are the source of the spam. We respect your privacy and do not sell, or otherwise distribute, alumni email addresses; nor have they been stolen. How did the spammers get my address? Unfortunately, there are many ways that spammers obtain email addresses: addresses compiled by commercial entities from web commerce; web crawlers searching for specific domain names (such as @alumni.anyschool.edu) on any web site where contact information might be listed; and a practice sometimes called "blind spamming" or "dictionary spamming" in which spammers simply guess at the username before the @ sign and send literally thousands of messages. This is why you may see a message addressed to "albert@, allen@, andrew@ ...," etc. The spammers run what is basically a dictionary of usernames against a domain • those that don't immediately bounce are kept and reused. This can give the false impression that the spammer has access to the list of user accounts. Viruses can also generate unwanted email and harvest addresses for spammers. Even if your computer is not infected, if someone else has your address in their address book and their computer becomes infected, viruses will often send multiple messages to everyone in the address book.