
Corporate Email Phishing Scams Result in $3.1B Loss, Near 1300% Increase in 18 Months


Total number of Business Email Compromise (BEC) related crimes have reached epidemic levels, at nearly $3.1 billion in losses and involving 22,143 victims worldwide since January 2015, according to a new FBI report.

BEC or Business Email Compromise is defined by FBI as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."

Most victims, according to reports to FBI, "use wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim's normal business practices."

The BEC scam continues to grow, evolve, and target businesses of all sizes the FBI reports. Since January 2015, there has been a 1,300% increase in identified exposed losses (i.e. Exposed dollar loss which includes actual and attempted loss in United States dollars.) The scam has been reported by victims in all 50 states and in 100 countries. Reports to FBI indicate fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.

Characteristics of BEC Complaints

The IC3 has noted the following characteristics of BEC complaints:

•  Businesses and associated personnel using open source email accounts are predominantly targeted.

•  Individuals responsible for handling wire transfers within a specific business are targeted.

•  Spoofed emails very closely mimic a legitimate email request.

•  Hacked emails often occur with a personal email account.

•  Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.

•  The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent email requests.

•  The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.

•  Fraudulent emails received have coincided with business travel dates for executives whose emails were spoofed.

•  Victims report that IP addresses frequently trace back to free domain registrars.

The FBI recommends victims to always file a complaint regardless of dollar loss or timing of incident at www.IC3.gov.


Nearly 1 Million IP Addresses Used by Attackers on a Single Target


[Image: Nearly 1 million IP addresses participated in the attack campaign against a financial company. Source: Akamai]

According to a recent report by Akamai, an analysis of massive Account Takeover (ATO) attack campaigns targeting two of its customers revealed that 1,127,818 different IPs were involved in the attacks. These IPs performed 744,361,093 login attempts and checked 220,758,340 distinct email addresses. In other words, "ATO campaigns are massively distributed and extremely persistent."

"In the repeated attacks against a customer in the financial services industry, 999,980 IPs were involved in the attacks against the customer's login page. One campaign was responsible for more than 90% of the total attack volume." A closer look at this particular attack revealed 993,547 distinct IPs checking 427,444,261 email accounts at a steady attack rate, with 75% of the attacking IPs participating for multiple days.

Trump's Fundraising Email - Bad Data Drives Delivery Problems


It's a wild election season here in the US. In the past few presidential elections, email has played a bigger and bigger role in messaging and fundraising. President Obama's campaign used email effectively, but sent huge volumes. In fact, the volume was so heavy, it led to a joke on the Daily Show:

[Video: email question at the 5:56 mark] Jon Stewart: "We have been talking here for 12 - 14 minutes. I am curious. How many emails, in that time, do you think your campaign has sent me?" President Obama: "It depends on whether you've maxed out!"

This year there is a stark difference in how the candidates are using email. Return Path has separate blog posts about the success of the Clinton, Sanders and Trump email campaigns which let you play around with the data they've collected from the different campaigns.

[Image: Ad Age, June 23, 2016]

Recently Donald Trump's campaign has been in the news for different email related issues. He sent his first fundraising email on June 21, 2016. But 60% of those emails went to spam. Some have speculated that the spam was due to a new domain.

That spam rate, however, may not be simply due to using a brand new domain. Recent reports are that email went out to foreign nationals in Iceland, Scotland, Britain, including some government officials. Yes, Donald Trump's campaign is spamming foreign government officials on their government addresses asking for donations.

I've been around the email industry long enough to know that campaigns, special interest groups and elected officials share constituent and supporter data freely. There isn't really ever anything like informed opt-in when it comes to politics, PACs or political groups. Anything citizens do that lands an email address in the hands of a political group results in that address being shared.

– Sign a petition? Address gets shared.
– Make a donation? Address gets shared.
– Sign up to volunteer? Address gets shared.
– Contact an elected official? Address gets shared.

I don't really expect the campaigns to do only opt-in mail. I do expect campaigns to do mostly opt-in with a side of strict hygiene and well crafted messages that get good delivery. But opt-in isn't in their nature. Still, this is noteworthy in that the mail went to people that should never appear on a US political list.

With this new information, I'm much less inclined to blame his brand new domain for a 60% email rate. I think it's much more likely that the problem is the data. Who knows where the campaign got the address list, but it certainly doesn't seem like it was even political style opt-in.

This is yet another example of how data quality and source directly affect deliverability results. Sure, part of the problem may be that the domain wasn't properly warmed up. But it's much more likely that the delivery problems were the result of using bad data.

Written by Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise

Massive Cyberattack Aimed at Flooding .Gov Email Inboxes With Subscription Requests


"Massive Email Bombs Target .Gov Addresses," Brian Krebs writes in Krebs on Security: "Over the weekend, unknown assailants launched a massive cyber attack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists. According to experts, the attack — designed to render the targeted inboxes useless for a period of time — was successful largely thanks to the staggering number of email newsletters that don't take the basic step of validating new signup requests."

Steve Linford, CEO of Spamhaus, further explains: "This incident involved a large number of government addresses belonging to various countries being subscribed to very large numbers of lists in a very short space of time by scripts run by the attacker(s). Most of the lists hit by the attack used COI and therefore only sent confirmation requests and did not subscribe any addresses. The attack undoubtedly also hit lists which used Captcha in addition to COI and thus did not even proceed to COI (those list admins deserve some sort of community ‘hi 5’ award, since one can imagine how hard it is to convince one’s management to implement COI let alone put Captcha in front of it). The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses."

Krebs was also the target of this subscription attack and writes about it based on his first-hand experience: "At approximately 9:00 a.m. ET on Saturday, KrebsOnSecurity’s inbox began filling up with new newsletter subscriptions. The emails came in at a rate of about one new message every 2-3 seconds. By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails. For most of the weekend until I got things under semi-control, my Gmail account was basically useless."

Laura Atkins in her report on the incident on Monday said, "this should be a major wakeup call for ESPs and senders." ... "Internet harassment seems to be a bigger and bigger issue. I don’t know if it’s because people are being more open about harassment or if it’s actually more common. In either case, it is the responsibility of networks to minimize the harassment. If your network is a conduit for harassment, you need to do something to stop it."
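The confirmed-opt-in (COI) behaviour Linford contrasts with the "open" lists, as an added example in Python that is not code from Spamhaus, Krebs or any list software. It assumes a hypothetical per-list secret key and an in-memory store; the signup request records nothing and only a valid, fresh confirmation token subscribes an address, and repeated signups for one address are capped so the list cannot itself be used to flood that address with confirmation mail.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key-not-for-production"  # assumption: per-list secret
SUBSCRIBED = set()            # addresses with verified consent
PENDING_COUNT = {}            # address -> unconfirmed requests accepted so far
MAX_PENDING_PER_ADDRESS = 3   # cap so signups cannot be used to bomb an address with confirmations
OUTBOX = []                   # constructed stand-in for the outgoing confirmation mail


def _token(address, issued_at):
    """HMAC over address and issue time; only the list can mint a valid token."""
    msg = f"{address}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(address, now=None):
    """An open list would add `address` to the roster right here. Under COI the
    roster is untouched: one confirmation message carrying a signed token goes
    out, and nothing else happens until that token comes back."""
    now = int(now if now is not None else time.time())
    address = address.strip().lower()
    if address in SUBSCRIBED:
        return "already subscribed"
    if PENDING_COUNT.get(address, 0) >= MAX_PENDING_PER_ADDRESS:
        return "rate limited"  # further signups for this address send no more mail
    PENDING_COUNT[address] = PENDING_COUNT.get(address, 0) + 1
    confirm_string = f"{address}|{now}|{_token(address, now)}"
    OUTBOX.append((address, confirm_string))
    return "confirmation sent"


def confirm_subscription(confirm_string, now=None, max_age=86400):
    """Subscribe only if the returned token is authentic and at most a day old."""
    now = int(now if now is not None else time.time())
    try:
        address, issued_at, token = confirm_string.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return False
    if now - issued_at > max_age:
        return False
    if not hmac.compare_digest(token, _token(address, issued_at)):
        return False
    SUBSCRIBED.add(address)
    PENDING_COUNT.pop(address, None)
    return True
```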

The Kindness of Strangers, or Not


A few days ago I was startled to get an anti-spam challenge from an Earthlink user, to whom I had not written. Challenges are a WKBA (well known bad idea) which I thought had been stamped out, but apparently not.

The plan of challenges seems simple enough; they demand that the sender does something to prove he's human that a spammer is unlikely to do. The simplest ones just ask you to respond to the challenge, the worse ones like this one have a variety of complicated hoops they expect you to jump through.

What this does, of course, is to outsource the management of your mailbox to people who probably do not share your interests.

In this case, I sent a message to a discussion list about church financial management, and the guy sending the challenges is a subscriber.

Needless to say, an anti-spam system that challenges messages from mailing lists to which the recipient has subscribed is pretty badly broken, but it's worse than that.

On the rare occasions that I get challenges, my goal is to make the challenges go away, so I have two possible responses:

  • If it's in response to mail I didn't send, i.e., they're responding to spam that happens to have a forged From: address in one of my domains, I immediately confirm it. That way, when the guy gets more spam from the forged address, it'll go straight to his inbox without bothering me. Since the vast majority of spam uses forged addresses, this handles the vast majority of the challenges.
  • If it's in response to mail I did send, I don't confirm it, since I generally feel that if it's not important enough for them to read my mail, it's not important enough for me to send any more. In this particular case, I wrote to the manager of the mailing list and encouraged him to suspend the offending subscriber, since if he's sending me challenges, he's sending them to everyone else who posts to the list, too.

You may have noticed that neither of these is likely to be what the person sending the challenges hoped I would do. But you know, if you give random strangers control over what gets into your inbox, you get what you get. So don't do that.

There are plenty of other reasons not to send challenges, notably that many mail systems treat them as "blowback" spam with consequent bad results when the system sending the challenges tries to send other mail, but I'd hope the fundamental foolishness of handing your inbox to strangers would be enough to make it stop.

Written by John Levine, Author, Consultant & Speaker

One-Click Unsubscription


Unsubscribing from mailing lists is hard. How many times have you seen a message "please remove me from this list," followed by two or three more pointing out that the instructions are in the footer of every message, followed by three or four more asking people to not send their replies to the whole list (all sent to the whole list, of course,) perhaps with a final message by the list manager saying she's dealt with it?

For marketing broadcast lists, it's even worse because there's no list to write to. Messages are supposed to have an unsubscribe link (required by law in most places) which usually works except when it doesn't, or it leads to a web page making incomprehensible demands ("click here unless you want not to be removed only from this sender's mail") so for a lot of users it's easier just to click the junk button until the messages go away.

Mail system managers know that users aren't very good at unsubscribing, so they've invented some ad-hoc ways of dealing with it. Many large mail systems have feedback loops (FBLs) which let mail senders register their ranges of IP addresses or in Yahoo's case DKIM signatures, so the sender or perhaps sender's network gets a report when a recipient marks a message as junk. When the sender is a bulk mailer, they generally try to handle the report as an unsubscribe request.

While FBLs are great for finding when an ISP customer is compromised and starts spamming, they're not so great as a substitute for unsubscriptions. One reason is that even though there's a standard format called ARF (see RFC 5965) for sending FBL reports, each mail system includes slightly different details, so the original mail sender needs to try and parse out enough from the report to identify the list and the subscriber. Many mail systems redact their ARF reports on advice of their lawyers, and the redaction is often so severe that it can be impossible to tell who to unsubscribe from what. AOL's reports are so redacted that the only way I can figure out who to unsubscribe is to take the transaction ID in a Received: header of the reported message and manually match it up with my outgoing mail logs. And Gmail doesn't provide individual FBL reports at all, only aggregate data.

The obvious solution to this problem is the List-Unsubscribe: header that has been a standard since 1998 (see RFC 2369). It can contain an e-mail address with subject line, or a web URL or both. When a user clicks the junk button, the system could simulate a click on the URL, or send mail to the e-mail address, and in theory they're off the list. The practice is not so simple.

The problem with the click is that a lot of anti-spam systems automatically follow all the URLs in the message to see if they lead to malicious sites, and there's no way for the target of the URL to mechanically tell a request from a spam filter from a click by a live user. It's quite reasonable for spam filters to do this: Imagine a bad guy sending deliberately uninteresting spam with a fake unsubscribe link leading to his malware site.

As a result, the unsubscribe link usually leads to a web page with a confirmation button that the malware checkers won't click but a live person will. The confirmation page may also ask what address to remove. While there have been attempts to parse the web pages and figure out what to fill out and what to click next, they don't work very well since the confirmation buttons vary all over the place. Unsubscribing by mail works at small scale, but operators of large mail systems like Gmail and Yahoo have told me that they are so big compared to most other mail systems that what seems to them like a moderate amount of automated mail can easily overwhelm recipient systems.

To solve this problem, a few people at Gmail, AOL, Optivo (the bulk e-mail part of the German post office) and I have come up with an automatic one-click unsubscribe scheme. The goal is to allow automatic unsubscribes as an option for the junk button — when the user clicks junk, a little window asks whether to unsubscribe too.

One-click unsubscribe uses an https POST action rather than the simpler GET. POST is intended for actions that change something, as opposed to GET which is just supposed to retrieve data. Anti-spam and malware checkers do GETs, not POSTs. (We know not everyone follows these rules, but they're how the web is supposed to work and usually does.)

We've defined a new message header List-Unsubscribe-Post: used in combination with List-Unsubscribe:. The POST action goes to the URL in the List-Unsubscribe: header, using the contents of the List-Unsubscribe-Post: header as the body of the request, analogous to the form fields in a POST generated by a web form. This is intended to be easy for mail senders to implement; most web servers can handle GET and POST in the same code, typically providing a parameter to the code to say which one it is, and passing in the fields from the POST. If it's a GET, it returns the confirmation form, but if it's a one-click POST, it just does it.
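The GET-shows-a-form, POST-just-does-it split described above, as an added Python example that is not the draft's or the author's code. It assumes a per-recipient token in the unsubscribe URL (placeholder value) and an in-memory subscriber store; the sample message is constructed, and the POST body value `List-Unsubscribe=One-Click` is the one the scheme's later RFC 8058 fixed, not a value stated in this post.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Body the receiving mail system POSTs (the value later fixed by RFC 8058).
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"

# Constructed sample message (not from the article). The token is a placeholder
# for the opaque per-recipient value a real sender would mint.
SAMPLE_MESSAGE = """From: news@example.org
To: alice@example.com
Subject: Weekly digest
List-Unsubscribe: <mailto:unsub@example.org?subject=unsubscribe>, <https://example.org/unsub?token=TOKEN-PLACEHOLDER>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Digest body.
"""

# Toy sender-side subscriber store keyed by the URL token (constructed).
SUBSCRIBERS = {"TOKEN-PLACEHOLDER": {"address": "alice@example.com", "subscribed": True}}


def one_click_target(raw_message):
    """Receiver side: return the https URL to POST to, or None when the message
    does not advertise one-click unsubscription."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    post_hdr = msg.get("List-Unsubscribe-Post")
    unsub_hdr = msg.get("List-Unsubscribe")
    if not post_hdr or not unsub_hdr or str(post_hdr).strip() != ONE_CLICK_BODY:
        return None
    for url in re.findall(r"<([^>]+)>", str(unsub_hdr)):
        if urlparse(url).scheme == "https":  # the scheme wants https, not mailto or http
            return url
    return None


def handle_request(method, path_and_query, body=""):
    """Sender side: one handler for both methods. GET only renders the
    confirmation form (which is all a link-following spam filter receives and
    changes nothing); a POST, whether one-click or the form's own submit,
    performs the unsubscribe."""
    parsed = urlparse(path_and_query)
    token = parse_qs(parsed.query).get("token", [None])[0]
    record = SUBSCRIBERS.get(token)
    if parsed.path != "/unsub" or record is None:
        return 404, "unknown unsubscribe link"
    if method == "GET":
        return 200, f"<form method=post><button>Unsubscribe {record['address']}</button></form>"
    if method == "POST":
        kind = "one-click" if body.strip() == ONE_CLICK_BODY else "form"
        record["subscribed"] = False
        return 200, f"unsubscribed ({kind})"
    return 405, "method not allowed"


def simulate_junk_click(raw_message):
    """What the receiving system does when the user also ticks 'unsubscribe' on
    the junk button: POST the one-click body to the advertised URL."""
    url = one_click_target(raw_message)
    if url is None:
        return None
    parsed = urlparse(url)
    return handle_request("POST", f"{parsed.path}?{parsed.query}", ONE_CLICK_BODY)
```

In the standardized form the receiver additionally requires a valid DKIM signature covering both List-Unsubscribe headers before it will POST, so a forged message cannot steer the request at an arbitrary site.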

This one-click design avoids the redaction issue, since the user asked for the unsubscription, and the request goes directly to the link in the message, not an address intuited from IP addresses or DKIM signatures. The point of the FBL ARF redaction is in case the intuiting guessed wrong and the message went back to someone other than the sender, but there's no guessing here.

One-click should be useful in some other situations, too, notably when a mailbox has been closed or abandoned, so the recipient system wants to unsubscribe it from everything. Several large mail systems have said they plan to implement one-click as part of their junk buttons, so with any luck, it'll soon be helping senders send less mail the recipients don't want.

The current draft spec is here.

Written by John Levine, Author, Consultant & Speaker

Yahoo Collaborating With US Intelligence Agencies


It was revealed yesterday that Yahoo has been scanning people's email for the federal government.

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events. (Reuters)

This activity was, apparently, authorized by Yahoo CEO Marissa Mayer but not by the former CSO Alex Stamos. Mr. Stamos left Yahoo in June 2015. He also publicly disagreed with the director of the NSA back in February 2015 about the NSA having access to encrypted data.

This is probably the part where I'm supposed to write something insightful, but honestly, I don't have much. Like many people, I'm shocked and dismayed at Marissa Mayer's decision to allow this. I'm also somewhat heartened by the fact that, reportedly, Yahoo staff detected the malicious software within a few weeks of it being deployed. Apparently the deployed software was buggy and could have been compromised by third parties.

On the heels of a major compromise of email accounts by "unrelated 3rd parties" I have to wonder how much more bad news Yahoo can take. They've had their ups and downs, but most folks I know who worked there don't any longer. It's certainly not a place anyone I know considers when looking for new jobs.

In many ways it's sad to watch one of the foundations of the internet flail and fail. It didn't have to be this way, I'm sure.

What's interesting is who has commented on this.

Verizon: nothing I can find. If you remember, Verizon announced a deal to buy Yahoo for 4.83 billion dollars this past summer. The deal was supposed to close in Q1 2017. Wonder if Verizon is questioning their purchase now?

Other companies have responded.

Google: We didn't and wouldn't do this.

Microsoft: We didn't and wouldn't do this.

Twitter: We didn't and wouldn't do this.

Facebook: We didn't, wouldn't and will fight any attempt at this.

We know Apple has fought this kind of request, publicly. Interesting to note in that article, Yahoo is not one of the technology companies listed as supporting Apple's stance.

I'm sure this isn't going away any time soon. The internet, privacy, free speech, access, harassment, abuse… these are all issues many folks have hand waved around for a long time. Now we're really going to have to start addressing them, not just with technology but also with real, concrete actions.

Written by Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise

Interest in Cloud-Based Email Infrastructure Grows by 35% in 3rd Quarter of 2016


Cloud-based interest in email infrastructure trended up this past quarter. Port25, a Message Systems Company, tracks cloud-based interest (CBIs) among large volume senders based on evaluation and purchase requests received, in conjunction with overall site engagement. In Q3, CBIs on Port25's website grew by 34.97% over Q2, to a total of 48.2% of unique evaluation and purchase requests. Essentially half of all visitors who made inquiries at the www.port25.com site were interested in learning more about cloud-based infrastructure for email.

Port25's CBI number has been hovering around 38% of unique evaluation requests since Q1 of 2015, so this uptick represents a significant upward spike in interest in cloud solutions. This mirrors general industry trends, which place public cloud services on a trajectory to grow 17% in 2016 over 2015. This growth represents a 22% increase in SaaS and a whopping 43% growth in infrastructure as a service (IaaS).

To arrive at our trend numbers, we placed data from unique inquiries into five different volume bins, based on a client's maximum email messages per hour: less than 10K, 10K-50K, 50K-250K, 250K-1M, and 1M+. The 1M+ category includes some very large senders, since Port25 has customers who send more than 1B emails in a given 24-hour period.

Every visitor in this data set completed a minimum of two and a maximum of nine events per session. The data has been normalized by placing visitors into event bins 2 through 9. Each event includes an action such as a knowledge base download, form submission, support request, button click, etc.

The number of users who opted-in to receive cloud-based information rose most among smaller senders. In Q3, 31.34% of visitors who expressed interest in CBI fell into the volume bin of less than 10K per hour, while 25.36% of requests were generated by senders who mail 10K-50K per hour. Among the larger senders, CBI is much lower: roughly 14.81% across the larger sending volume categories expressed interest in cloud services. That number is consistent with the highest volume bin of over 1M per hour, which had a CBI of 14.25%.

Our data suggests that, while senders in the less than 10K category appreciate the convenience of cloud-based email infrastructure, a stronger driver may be that small ESPs lack the resources needed to manage complex tasks involved in hosting their own sending infrastructure in house. Moving to a cloud-based email infrastructure can be a cost-effective way for smaller ESPs to meet their investment objectives, maintain security, and outsource the administrative knowledge needed to manage increasing volumes of email while properly configuring server requirements.

The largest service providers (the top 1% of ESPs) have been reluctant to migrate to the cloud due to the complexity of their sending environments. One understandable constraint, mentioned to Port25 by a large ESP in Germany, is that large ESPs don't want to relinquish control of their reputable IP addresses. Reputation aside, certain SLAs among large senders prohibit them from releasing sensitive customer data to a third party. In addition, high volume senders generally require some degree of custom integration to create a seamless hybrid cloud infrastructure. Concerns about integration may be holding back some larger email senders from using cloud-based services.

These headwinds are mitigated by the growing number of small and midsize ESPs that understand the economic and administrative benefits of a cloud solution for email infrastructure. They are driving the huge growth in API-driven cloud email infrastructure solutions that systematically integrate with any existing front-end email platform. In time, this trend may move large ESPs to jump on board. Even now, while CBI is not as great among our higher volume customers, Port25 has successfully on-boarded dozens of large enterprises in our ecosystem to the cloud.

This article was intended to uncover the latest trends in enterprise level interest for cloud-based email. You can read more about cloud-based email infrastructure trends in an earlier article here.

Written by Fred Tabsharani, VP of Marketing at Port25


DNC Emails Hacked Using Fake Gmail Login Forms


A new report from SecureWorks Counter Threat Unit has revealed that a hacking group operating from the Russian Federation used spearphishing techniques involving look-alike Google login pages to gain access to DNC emails and other data. According to the report, the hackers targeted staff working for or associated with Hillary Clinton's presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton's communications, travel and campaign finances, and advising her on policy.

Examination of hillaryclinton.com DNS records shows that the domain's MX records - i.e. the mail server used by the domain - point to aspmx.l.google.com, the mail server used by Google Apps. Hackers exploited the Hillary for America campaign's use of Gmail and leveraged campaign employees' expectation of the standard Gmail login page to access their email accounts.

The first malicious URLs targeting hillaryclinton.com email addresses were created in mid-March 2016; the last URL was created in mid-May. Overall, 213 URLs targeting 108 email addresses on the hillaryclinton.com domain were created during the period.

Through open-source research, researchers identified the owners of 66 of the targeted email addresses. No open-source footprint was found for the remaining 42 addresses, which would indicate they were acquired from another source.

The targeted email owners held a wide range of responsibilities within the Hillary for America campaign, extending from senior figures to junior employees and the group mailboxes for various regional offices. Targeted senior figures managed communications and media affairs, policy, speech writing, finance, and travel, while junior figures arranged schedules and travel for Hillary Clinton's campaign trail.

NIST Publishes Guide for DNS-Based Email Security, Draft Open for Public Comments


The National Cybersecurity Center of Excellence (NCCoE) has invited comments on a draft practice guide to help organizations improve email security and defend against phishing, man-in-the-middle, and other types of email-based attacks.

The draft of the National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide titled Domain Name Systems-Based Electronic Mail Security (NIST Special Publication 1800-6) demonstrates how commercially available technologies can help email service providers improve the security of email communications. "Protocols such as Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Domain Name System Security Extensions (DNSSEC), and Domain Name System (DNS) Authentication of Named Entities (DANE) exist and are capable of providing needed email security and privacy protection."

— "Large email service providers, such as Gmail and Yahoo, have taken steps to reduce the prevalence of email scams by implementing mechanisms to verify the origin of an email. However, these mechanisms are difficult to implement, require long lead times, and must integrate into existing systems, making it difficult for organizations without a large IT department to do so. As a result, many enterprises have been slow to embrace these protections." –William "Curt" Barker, Domestic Guest Researcher, NIST

— The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments. The public comment period is open through December 19, 2016.

ValiMail Raises $12M for Its Email Authentication Service


First ever provider of Email Authentication as a Service automates email authentication for 2.7 billion global inboxes

ValiMail, the world's first provider of automated email authentication, today announced a $12 million series A funding round led by Shasta Ventures, with follow-on investments from Flybridge Capital Partners and Bloomberg Beta. This round brings ValiMail's total funding to $13.5 million to date. The company will use the funds to meet the rapidly expanding demand for its patent-pending authentication platform which brings visibility, control, compliance, and security to cloud-based email services.

"Our mission is to authenticate the world's communications, starting with email. As cloud services multiply, enterprises realize they need visibility, control, compliance, and security to address the corresponding proliferation of cloud email services. ValiMail is able to auto-identify and block 100% of unauthorized email and criminal impersonation attempts with unprecedented accuracy."

–Alexander García-Tobar, CEO, ValiMail

This announcement comes on the heels of an exponential growth year for the company. Founded just over a year ago, ValiMail already authenticates billions of emails each month for its fast-growing and diverse client base that includes Uber, Time Warner, Yelp, Twilio, and Fenwick & West.

The rapid rise of cloud services has brought an explosion of new email senders to the enterprise. As a result, companies lose visibility and control over the email sent on their behalf, creating concerns about compliance, best practices, "Shadow IT," and modern spear phishing attacks. This trend drives the need for the discipline that authentication brings to email.

ValiMail today is able to shield 2.7 billion consumer inboxes from unauthorized and imposter emails by automating implementation of an open standard called DMARC, which is enforced by the world's largest email service providers including Google, Microsoft, Yahoo, and AOL. Though more than 60,000 domains have DMARC in place, recent research has highlighted that more than 70% are incomplete or broken and in need of an automated solution to address rampant phishing attacks, and to address Shadow IT — a concern for over 80% of the nation's CIOs.

"ValiMail has been instrumental in securing our well-known consumer brands against phishing attacks," says Stephen Fridakis, Vice President, Chief Information Security Officer at HBO. "We look forward to a fruitful partnership with them as we continue to secure our company's information and email communications."

Customers can manage their approved sending services and view all email activity — authorized, unauthorized, and criminal — through a one-click online dashboard. ValiMail's use of open APIs and partner-friendly approach enables enterprises, Secure Email Gateways (SEGs), and other traditional security firms to integrate email authentication into their existing solutions.

"We are impressed by ValiMail's approach to email authentication as a service," says Jason Pressman, Managing Director at Shasta Ventures. "The Valimail differentiated solution allows its customers visibility and control into one of their most important communication channels, allowing them to protect their brands, employees and, ultimately, their bottom line."

ValiMail provides a free domain check tool indicating whether a domain is authenticating properly and how exposed it is to phishing attacks.

Government Guidance for Email Authentication Has Arrived in USA and UK


Image Source: British Government Digital Service, gov.Uk

We recently discussed governmental organizations that send out warnings about spear phishing rather than preventing it through email authentication. So it's good to see a pair of prominent governmental organizations giving clear guidance to their constituents about using DMARC to enforce the authenticity of email on their domains.

The British Government Digital Service announced in June an upcoming requirement that all services using subdomains of gov.uk would need to have a DMARC policy at enforcement. The deadline for that enforcement arrived last week.

"Services should publish a DMARC policy and set it to the highest level, called 'p=reject'. If you have not set up this policy by 1 October 2016, your emails may be rejected by external email providers."

Simultaneously, the National Institute of Standards and Technology (NIST) has published its special report "Trustworthy Email" (also known under the catchy name 800-177). This report contains a long section on SPF, DKIM, and DMARC, the last of these sections extending from pages 54 through 62. The NIST report contains clear recommendations for both email senders and receivers.

To the senders it says,

"Security Recommendation 4-11: Sending domain owners who deploy SPF and/or DKIM are recommended to publish a DMARC record signaling to mail receivers the disposition expected for messages purporting to originate from the sender's domain."

And to receivers it instructs,

"Security Recommendation 4-12: Mail receivers who evaluate SPF and DKIM results of received messages are recommended to dispose them in accordance with the sending domain's published DMARC policy, if any. They are also recommended to initiate failure reports and aggregate reports according to the sending domain's DMARC policies."

We understand that educating the broad community of government organizations will take some time in both the UK and the USA. It's encouraging that these two thought leadership organizations have laid out clear direction, which will help us get to the day when we don't have to see any more stories in the media about government offices falling for spear phishing attacks.

Encrypted Email Sign Ups Have Doubled Since Trump Victory, Says ProtonMail

Since Trump's victory, the number of new users signing up for the Switzerland-based encrypted email service provider ProtonMail has doubled compared to the previous week, the company reported. In a special post-election report, the company revealed that many of its users have voiced a few common concerns, both on Twitter and via email: "Given Trump's campaign rhetoric against journalists, political enemies, immigrants, and Muslims, there is concern that Trump could use the new tools at his disposal to target certain groups. As the NSA currently operates completely out of the public eye with very little legal oversight, all of this could be done in secret."

"How much power over the NSA does Trump have?" Andy Yen, co-founder of ProtonMail writes: "Due to the way the US government is structured, President Trump will have a large amount of control over the NSA. The NSA is not different from any other federal agency which the president controls. The US president will be able to dictate how the agency operates through his power to appoint the NSA Director. The NSA Director needs to be confirmed through majority vote by the US Senate, but due to Republican control over the Senate, President Trump will have complete freedom to appoint anyone he wants to carry out his orders."

"It is tempting to blame all this on Trump and his supporters, but that is taking the easy way out. All Trump does is put a new face on the existing privacy problem, so now it concerns a segment of the population that previously didn’t care as much. ProtonMail users have always come from both the left and right side of the political spectrum. Today, we are seeing an influx of liberal users, but ProtonMail has also long been popular with the political right, who were truly worried about big government spying, and the Obama administration having access to their communications. Now the tables have turned."

DMARC and Message Wrapping


I have groused at length about the damage that the anti-phishing technique DMARC does to e-mail discussion lists. For at least two years list managers and list software developers have been trying to figure out what to do about it. The group that brought us DMARC is working on an un-DMARC-ing scheme called ARC, which will likely help somewhat, but ARC isn't ready yet, and due to ARC's complexity, it's likely that there will be many medium or small mail systems that enforce DMARC and can't or won't use ARC.

The Internet Engineering Task Force, which writes technical standards for the Internet, works primarily through discussion lists, and the pain from DMARC has gotten to the point where we may do something about it. So we've been doing some experiments.

The DMARC problem is that mail sent through discussion lists is generally modified on the way through, most often with subject line tags or message footers. Those modifications invalidate the DKIM message signature, and the invalid signature makes DMARC misidentify the list mail as phish.

There are a lot of DMARC workarounds (summarized here), all of which do some damage to the mail, but they damage the mail in different ways. Currently the most popular is to rewrite the From: line and replace the message author's address with the list's address. This satisfies DMARC, since it keys on the From: line address, but it messes up lists since it makes it hard to tell who actually wrote a message, and even harder to send a private reply to the author.

Another, less used, option is to wrap the messages in outer messages as attachments. The outer message is created by the list software, so it has no DMARC problems. The attached message is the original message, modified however the list software modified it, but since it's an attachment, DMARC doesn't care about it. Lists that send daily digests typically wrap messages in the same way, so you can think of this trick as turning every message into a one-message digest.

The good thing about message wrapping is that the wrapped message is exactly the one the list would have sent without DMARC. The bad thing is that user mail programs tend not to display wrapped messages very well. In the worst cases, the mail program doesn't know how to display the message/rfc822 MIME part containing the wrapped message and just shows a box or a download link. Sometimes it shows the message but not the wrapped message's headers, so you can't see the From: or Subject: to tell who sent it or what it's about. Often, if you can see the From:, you can't click on it, so there's no way to send a response to the author other than manually cutting and pasting the address into a new message. Or if there's a Reply-To header, sometimes the mail program follows it, sometimes not. (We get the impression that displaying wrapped messages has never been a priority among mail program developers.)

To find out how wrapped messages work in various mail programs, I've written a little message wrapping 'bot. You send a message to the bot, it wraps it a couple of ways and sends it back. The bot's addresses are:

  • wrap@dmarc.fail Send back wrapped versions with the message as the outer message's only MIME part.
  • wrapm@dmarc.fail Send back wrapped versions with two parts, a text introduction, and the original message.
  • wrapr@dmarc.fail Same as wrap, but add a Reply-To: header to the outer messages with the sender's address.
  • wrapmr@dmarc.fail Same as wrapm, but add a Reply-To: header to the outer messages with the sender's address.

Each message is returned twice, once where the outer message has a normal looking From: line with a throwaway return address, and once with an empty group address. If you only get one copy back, look in your spam folder for the group address; on some systems it just disappears, since they (erroneously) reject the group address as bad syntax.

Don't send anything secret, since I keep copies of all the mail. The 'bot is heavily rate limited to deter abuse and accidental or deliberate mail loops.

We've checked all of the major webmail providers and some popular desktop mail programs like Apple Mail and Thunderbird, but reports on other mail programs, particularly on tablets and phones, would be useful. How legible are the messages? How hard is it to reply to the list address (in this case, wrap@dmarc.fail or whatever) or to the author (you)?
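As an added example (not the dmarc.fail bot's code), here is how a list could produce the "wrap", "wrapm" and "wrapr" layouts described above with Python's stdlib email package, and how a receiver unwraps them again; the list address, subject tag, footer and sample post are constructed, and the DKIM-Signature value is a placeholder rather than a real signature.

```python
"""Added example, not the dmarc.fail bot's code: a list producing the
'wrap' / 'wrapm' / 'wrapr' layouts with Python's stdlib email package, and
the receiving side unwrapping them again.
Assumptions: list address, subject tag, footer and the sample post are
constructed; the DKIM-Signature value is a placeholder, not a real signature.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LIST_ADDR = "lst@example.org"          # constructed list address

# Constructed inbound post. Its From: is in the author's domain, so a bare
# copy with a tagged Subject: would fail DKIM and then DMARC at the receiver.
SAMPLE_POST = b"""From: Alice <alice@example.com>
To: lst@example.org
Subject: meeting notes
Message-ID: <1@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=PLACEHOLDER

Notes from today.
"""


def wrap_post(raw, list_addr=LIST_ADDR, tag="[lst]", intro=None,
              reply_to_author=False):
    """Build the outer message. The list's usual edits go on the INNER
    message; the OUTER headers are entirely the list's own, so the receiver's
    DMARC check runs against list_addr's domain, never the author's."""
    inner = BytesParser(policy=policy.default).parsebytes(raw)
    # The edits that break the author's signature on an unwrapped message.
    inner.replace_header("Subject", f"{tag} {inner['Subject']}")
    inner.set_content(inner.get_content() + "\n-- \nList footer\n")

    outer = EmailMessage(policy=policy.default)
    outer["From"] = list_addr
    outer["To"] = list_addr
    outer["Subject"] = str(inner["Subject"])
    if reply_to_author:                 # the 'wrapr' / 'wrapmr' variants
        outer["Reply-To"] = str(inner["From"])
    if intro is None:
        outer.set_content(inner)        # 'wrap': one message/rfc822 part
    else:
        outer.set_content(intro)        # 'wrapm': text part + attachment
        outer.add_attachment(inner)
    return outer


def unwrap(outer):
    """Receiver side: recover the inner message from either layout."""
    if outer.get_content_type() == "message/rfc822":
        return outer.get_content()
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("no wrapped message found")


def summarize(raw_outer):
    """Parse an outer message from bytes and report what a mail client
    has to dig out to show the author and let the user reply."""
    outer = BytesParser(policy=policy.default).parsebytes(raw_outer)
    inner = unwrap(outer)
    return {
        "outer_from": str(outer["From"]),
        "outer_type": outer.get_content_type(),
        "reply_to": str(outer["Reply-To"]) if outer["Reply-To"] else None,
        "inner_from": str(inner["From"]),
        "inner_subject": str(inner["Subject"]),
        "inner_body": inner.get_content(),
    }


if __name__ == "__main__":
    for kw in ({}, {"intro": "Forwarded by the list.\n", "reply_to_author": True}):
        print(summarize(wrap_post(SAMPLE_POST, **kw).as_bytes()))
```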

Written by John Levine, Author, Consultant & Speaker

CircleID's Top 10 Posts of 2016


The new year is upon us and it's time for our annual look at CircleID's most popular posts of the past year, highlighting those that received the most attention. Congratulations to all the 2016 participants and best wishes to all in the new year.

You can also visit the leaderboards for CircleID's overall top 100 community and industry participants.


Top 10 Featured Blogs from the community in 2016:

#1 How .MUSIC Will Go Mainstream and Benefit ICANN's New gTLD Program (Constantine Roussos, Jan 06, 2016; viewed 39,642 times)
#2 Examining IPv6 Performance - Revisited (Geoff Huston, Aug 19, 2016; viewed 18,134 times)
#3 Cybersquatting & Banking: How Financial Services Industry Can Protect Itself Online (Free Webinar) (Doug Isenberg, May 02, 2016; viewed 15,333 times)
#4 We Need You: Industry Collaboration to Improve Registration Data Services (Scott Hollenbeck, May 24, 2016; viewed 14,751 times)
#5 Usage Trumps Registrations: Why Past TLDs Failed and Why Many Will Follow in Their Path (Colin Campbell, Apr 09, 2016; viewed 14,529 times)
#6 ICANN Fails Consumers (Again) (Garth Bruen, Apr 15, 2016; viewed 14,390 times)
#7 Canon Takes Its .brand to the World, Moves Its Global Site to .CANON (Tony Kirsch, May 18, 2016; viewed 14,248 times)
#8 Internet Governance Outlook 2016: Cooperation & Confrontation (Wolfgang Kleinwächter, Jan 11, 2016; viewed 14,222 times)
#9 Internet Stewardship Transition Critical to Internet's Future (Daniel A. Sepulveda, Sep 16, 2016; viewed 13,347 times)
#10 The Future of Domain Name Dispute Policies: The Journey Begins (Doug Isenberg, Apr 27, 2016; viewed 12,859 times)

Top 10 News in 2016:

#1 IPv6 Now Dominant Protocol for Traffic Among Major US Mobile Providers (CircleID Reporter, Aug 21, 2016; viewed 16,228 times)
#2 Sweden Makes its TLD Zone File Publicly Available (CircleID Reporter, May 16, 2016; viewed 13,006 times)
#3 Internet Governance Forum Puts the Spotlight on Trade Agreements (CircleID Reporter, Dec 09, 2016; viewed 11,462 times)
#4 Hong Kong Billionaire Richard Li Becomes First Person to Own a TLD Matching His Name (CircleID Reporter, May 12, 2016; viewed 10,466 times)
#5 WordPress Announces New .BLOG TLD, to be Available This Year (CircleID Reporter, May 12, 2016; viewed 9,686 times)
#6 Next Round of New TLDs May Not Happen Until 2020, Says ICANN (CircleID Reporter, May 05, 2016; viewed 8,399 times)
#7 PirateBay Domains to Be Handed over to the State, Swedish Court Rules (CircleID Reporter, May 14, 2016; viewed 8,052 times)
#8 Series of New African TLDs Fail to Go Live, Get Termination Notice from ICANN (CircleID Reporter, May 11, 2016; viewed 7,881 times)
#9 Google Releases 'Noto', Free Font Covering Every Language and Every Character on the Web (CircleID Reporter, Oct 09, 2016; viewed 7,057 times)
#10 Cisco Issues High Alert on IPv6 Vulnerability, Says It Affects Both Cisco and Other Products (CircleID Reporter, Jun 03, 2016; viewed 6,467 times)

Top 10 Industry News in 2016 (sponsored posts):

#1 Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking (Boston Ivy, May 17, 2016; viewed 15,807 times)
#2 Verisign Launches New gTLDs for the Korean Market, .닷컴 and .닷넷 (Verisign, May 16, 2016; viewed 12,915 times)
#3 Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector (Boston Ivy, May 24, 2016; viewed 12,397 times)
#4 Verisign Opens Landrush Program Period for .コム Domain Names (Verisign, May 16, 2016; viewed 11,981 times)
#5 New .PROMO Domain Sunrise Period Begins Today (Afilias, Apr 14, 2016; viewed 11,831 times)
#6 Domain Management Handbook from MarkMonitor (MarkMonitor, May 10, 2016; viewed 11,810 times)
#7 Afilias Announces Relaunch of .GREEN TLD (Afilias, Apr 22, 2016; viewed 11,338 times)
#8 New TLD .STORE Crosses 500+ Sunrise Applications (Radix, May 31, 2016; viewed 10,095 times)
#9 Minds + Machines Group Announces Outsourcing Agreements, Web Address Change (Minds + Machines, Apr 08, 2016; viewed 9,943 times)
#10 Is Your TLD Threat Mitigation Strategy up to Scratch? (Neustar, May 17, 2016; viewed 9,411 times)

Written by CircleID Reporter


How a Plaintiff Was Undeceived and Lost at Spam Litigation - What Nobody Told You About!


Back in 2003, there was a race to pass spam legislation. California was on the verge of passing legislation that marketers disdained. Thus marketers pressed for federal spam legislation which would preempt state spam legislation. The Can Spam Act of 2003 did just that… mostly.

"Mostly" is where litigation lives.

According to the Can Spam Act preemption-exception:

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.

15 U.S.C. § 7707(b)(1). The preemption-exception is big because California affords a private right of action, where the Can Spam Act does not. The Can Spam Act is enforced by state and federal authorities only.

This is where today's plaintiff, in Silverstein v. Keynetics, Inc., Dist. Court, ND California 2016, attempted to hang his coat.

According to the court, "Plaintiff is a member of the group 'C, Linux and Networking Group' on LinkedIn, a professional networking website. Through his membership in that group, he received unlawful commercial emails that came from fictitiously named senders through the LinkedIn group email system. The emails originated from the domain "linkedin.com," even though non-party LinkedIn did not authorize the use of its domain and was not the actual initiator of the emails." The emails themselves contained marketing links that led, allegedly, to defendants' businesses.

Plaintiff alleged that the names in the 'from' field of the emails were false or deceptive. According to Plaintiff, "the 'from' names include 'Liana Christian,' 'Whitney Spence,' 'Ariella Rosales,' and 'Nona Paine,' none of which identify any real person associated with any defendant. Further, Plaintiff alleges that the emails 'claim to be from actual people' and that all of the false 'from' names deceive the emails' recipients 'into believing that personal connection could be made instead of a pitch for Defendants' products.'"

A reading of the Can Spam Act would appear to be clear. The Can Spam Act preempts state causes of action "except to the extent that any such statute prohibits [either] falsity or deception." If the email is either false or deceptive, it would seem, Plaintiff could proceed. In the case at hand, the information in the 'from' field would appear to be false.

The Judge in the Silverstein decision, however, hangs her hat on a previous 9th Circuit decision in Gordon v. Virtumundo, 575 F.3d 1040 (9th Cir. 2009). In Gordon, defendant sent out marketing emails from domain names that it had registered such as "CriminalJustice@vm-mail.com," "PublicSafetyDegrees@vmadmin.com," and "TradeIn@vm-mail.com." These were, in fact, defendant's domain names. While the 'from' field may not have clearly identified who the defendant was, the information was not false nor was it deceptive. Furthermore, according to the court, the WHOIS database accurately reflected to whom the domain names were registered. Therefore, at best, the 'from' field information was incomplete, but not false or deceptive. As a result, the Can Spam Act preempted litigation under state law.

The Gordon court elaborated that it is insufficient for the information in the spam to be merely problematic. It had to be materially problematic. The Gordon court looked at the words "false" and "deceptive," and other language of the Can Spam Act, and said, "we know those words. Those words refer to 'traditionally tortious or wrongful conduct.'" Recognizing the Internet as a trans-border medium of communication, Congress had attempted to solve the patchwork of inconsistent state spam laws that were arising and establish a nationwide legal standard. It would be logically incongruous, the court argued, for Congress to erect a nationwide standard only to leave it vulnerable to a collage of immaterial exceptions emanating from state laws. The exceptions would undo the nationwide playing field for conducting business. Thus, immaterial information inaccuracies that are insufficient to in fact deceive a plaintiff are therefore insufficient to sustain a preemption-exception.

In the case at hand, although plaintiff has alleged that the names in the 'from' field were false, the court concluded that plaintiff has failed to establish that they are materially deceptive. Plaintiff did not, for example, allege that the false names were people who were known to him and that the sender was spoofing their identities. Nor has plaintiff alleged that the false names somehow confused or deceived plaintiff about the nature of the emails. The emails themselves, including the subject line "How a newbie banked $5K THIS WEEK . . . What Nobody Told You About," made clear the marketing nature of the communication.

Plaintiff's claim, therefore, does not fit within the Can Spam Act preemption-exception.

Written by Robert Cannon, Cybertelecom

One-Click Unsubscription


Unsubscribing from mailing lists is hard.

How many times have you seen a message "please remove me from this list," followed by two or three more pointing out that the instructions are in the footer of every message, followed by three or four more asking people not to send their replies to the whole list (all sent to the whole list, of course), perhaps with a final message by the list manager saying she's dealt with it?

For marketing broadcast lists, it's even worse because there's no list to write to. Messages are supposed to have an unsubscribe link (required by law in most places) which usually works except when it doesn't, or it leads to a web page making incomprehensible demands ("click here unless you want not to be removed only from this sender's mail") so for a lot of users it's easier just to click the junk button until the messages go away.

Mail system managers know that users aren't very good at unsubscribing, so they've invented some ad-hoc ways of dealing with it. Many large mail systems have feedback loops (FBLs) which let mail senders register their ranges of IP addresses or in Yahoo's case DKIM signatures, so the sender or perhaps sender's network gets a report when a recipient marks a message as junk. When the sender is a bulk mailer, they generally try to handle the report as an unsubscribe request.

While FBLs are great for finding out when an ISP customer is compromised and starts spamming, they're not so great as a substitute for unsubscriptions. One reason is that even though there's a standard format called ARF (RFC 5965) for sending FBL reports, each mail system includes slightly different details, so the original mail sender needs to try to parse out enough from the report to identify the list and the subscriber. Many mail systems redact their ARF reports on the advice of their lawyers, and the redaction is often so severe that it can be impossible to tell whom to unsubscribe from what. AOL's reports are so redacted that the only way I can figure out whom to unsubscribe is to take the transaction ID in a Received: header of the reported message and manually match it up with my outgoing mail logs. And Gmail doesn't provide individual FBL reports at all, only aggregate data.

The obvious solution to this problem is the List-Unsubscribe: header that has been a standard since 1998 (see RFC 2369). It can contain an e-mail address with a subject line, or a web URL, or both. When a user clicks the junk button, the system could simulate a click on the URL, or send mail to the e-mail address, and in theory, they're off the list. The practice is not so simple.

The problem with the click is that a lot of anti-spam systems automatically follow all the URLs in the message to see if they lead to malicious sites, and there's no way for the target of the URL to mechanically tell a request from a spam filter from a click by a live user. It's quite reasonable for spam filters to do this: Imagine a bad guy sending deliberately uninteresting spam with a fake unsubscribe link leading to his malware site.

As a result, the unsubscribe link usually leads to a web page with a confirmation button that the malware checkers won't click but a live person will. The confirmation page may also ask what address to remove. While there have been attempts to parse the web pages and figure out what to fill out and what to click next, they don't work very well since the confirmation buttons vary all over the place. Unsubscribing by mail works at small scale, but operators of large mail systems like Gmail and Yahoo have told me that they are so big compared to most other mail systems that what seems to them like a moderate amount of automated mail can easily overwhelm recipient systems.

To solve this problem, a few people at Gmail, AOL, Optivo (the bulk e-mail part of the German post office) and I have come up with an automatic one-click unsubscribe scheme. The goal is to allow automatic unsubscribes as an option for the junk button — when the user clicks junk, a little window asks whether to unsubscribe too.

One-click unsubscribe uses an https POST action rather than the simpler GET. POST is intended for actions that change something, as opposed to GET which is just supposed to retrieve data. Anti-spam and malware checkers do GETs, not POSTs. (We know not everyone follows these rules, but they're how the web is supposed to work and usually does.)

We've defined a new message header List-Unsubscribe-Post:, used in combination with List-Unsubscribe:. The POST action goes to the URL in the List-Unsubscribe: header, using the contents of the List-Unsubscribe-Post: header as the body of the request, analogous to the form fields in a POST generated by a web form. This is intended to be easy for mail senders to implement; most web servers can handle GET and POST in the same code, typically providing a parameter to the code to say which one it is, and passing in the fields from the POST. If it's a GET, it returns the confirmation form, but if it's a one-click POST, it just does it.

This one-click design avoids the redaction issue, since the user asked for the unsubscription, and the request goes directly to the link in the message, not an address intuited from IP addresses or DKIM signatures. The point of the FBL ARF redaction is in case the intuiting guessed wrong and the message went back to someone other than the sender, but there's no guessing here.

One-click should be useful in some other situations, too, notably when a mailbox has been closed or abandoned, so the recipient system wants to unsubscribe it from everything. Several large mail systems have said they plan to implement one-click as part of their junk buttons, so with any luck, it'll soon be helping senders send less mail the recipients don't want.

The current draft spec is here. (Update: The spec has now been issued as RFC 8058.)
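As an added example (not the RFC 8058 authors' or any mail system's code), here is the exchange the post describes in Python: the receiver side decides whether a message qualifies for one-click and builds the POST, and the sender side serves GET and POST from one handler. The headers, unsubscribe URL, token and subscriber table are constructed, and the https request is returned as data rather than sent.

```python
"""Added example, not the RFC 8058 authors' or any mail system's code:
the receiver side decides whether a message qualifies for one-click and
builds the POST; the sender side serves GET and POST from one handler.
Assumptions: the headers, unsubscribe URL, token and subscriber table are
constructed, and the https request itself is returned as data, not sent.
"""
import re
from urllib.parse import parse_qs, urlparse

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"   # POST body fixed by RFC 8058

# Constructed headers of the kind a bulk sender emits (RFC 2369 + RFC 8058).
SAMPLE_HEADERS = {
    "List-Unsubscribe": "<mailto:unsub@sender.example?subject=unsubscribe>, "
                        "<https://sender.example/unsub/8f1c2a>",
    "List-Unsubscribe-Post": ONE_CLICK_BODY,
}


def build_one_click_request(headers, dkim_covers_list_headers):
    """Receiver side (junk button): return (url, body) for the POST, or
    None when the message does not qualify. RFC 8058 requires both List-
    headers to be covered by a valid DKIM signature, so an unsigned message
    gets no automatic request; the mailto: form is left to the manual path."""
    if not dkim_covers_list_headers:
        return None
    if headers.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK_BODY:
        return None
    for url in re.findall(r"<([^>]+)>", headers.get("List-Unsubscribe", "")):
        if urlparse(url).scheme == "https":
            # Sent as application/x-www-form-urlencoded; the body is a form
            # field, exactly what a web form submission would carry.
            return url, ONE_CLICK_BODY
    return None


# Sender side: opaque per-recipient token -> subscriber address (constructed).
# The POST carries no other authentication, so the token must be unguessable.
SUBSCRIBERS = {"8f1c2a": "alice@example.com"}


def unsubscribe_endpoint(method, url, body, subscribers):
    """One handler for both verbs, as the post describes. GET (what link
    checkers and malware scanners do) only renders the confirmation form;
    a POST carrying the one-click field or the form's own field removes."""
    token = urlparse(url).path.rsplit("/", 1)[-1]
    if token not in subscribers:
        return 404, "unknown unsubscribe token"
    if method == "GET":
        # Nothing changes on GET, so an automated URL fetch cannot unsubscribe.
        return 200, ('<form method="post"><button name="confirm" value="yes">'
                     "Unsubscribe</button></form>")
    if method != "POST":
        return 405, "method not allowed"
    fields = parse_qs(body or "")
    one_click = fields.get("List-Unsubscribe") == ["One-Click"]
    confirmed = fields.get("confirm") == ["yes"]
    if not (one_click or confirmed):
        return 400, "missing one-click or confirmation field"
    address = subscribers.pop(token)
    return 200, f"{address} unsubscribed ({'one-click' if one_click else 'form'})"


if __name__ == "__main__":
    req = build_one_click_request(SAMPLE_HEADERS, dkim_covers_list_headers=True)
    subs = dict(SUBSCRIBERS)
    print(unsubscribe_endpoint("GET", req[0], None, subs))   # form, still subscribed
    print(unsubscribe_endpoint("POST", req[0], req[1], subs))  # removed
```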

Written by John Levine, Author, Consultant & Speaker

Universal Acceptance of New Top-Level Domains Reloaded


One challenge for all new top-level domains (TLDs) is so-called Universal Acceptance. Universal Acceptance is a phenomenon as old as TLDs themselves and may strike on many occasions, e.g.:

• Using a very short email address like a@d.am
• Using an IDN email address like λ@ελ.ελ
• Using an email address or domain name based on a new gTLD
• Filling out an online form or using a software application either using email addresses or domain names as described before
• Other events

The effect when Universal Acceptance hits you is that you cannot send or receive email, you get error messages, or, even worse, everything looks as if it works but it does not, and you do not even get a notification.

All new gTLD registry operators, but not only they, are facing this problem, and registrants are the people who are hurt by it.

Much software and hardware does not take into account that since 2014 more than a thousand new gTLDs have been added as valid TLDs. As this software and hardware will still be used for many years, the problems may not be fixed completely anytime soon. ICANN has identified this problem and is working with the Internet community, especially the technical community, to palliate it.

Reloaded – The medal has two sides

Throughout the last three years, Universal Acceptance has merely been seen as a technical problem. But as Registry Operator for .berlin, we are not only running all the technical stuff, we also market domain names to Berliners. Through this we have experienced that Universal Acceptance, like a medal, has two sides. There is not only the obvious technical side that contributes to Universal Acceptance but also the people's side of the medal, which seems to us equally important. We have reduced this to a simple formula which we would like to propose:

Universal Acceptance = Technical Acceptance + People's Acceptance

Please see our definitions below, for which we adopted ICANN's existing wording and added some new definitions we would like to suggest.

* * *

The technology side of Universal Acceptance

Technical Acceptance – is the concept that all domain names should be treated equally by technical systems. Domain names and email addresses should be accepted, stored, processed and displayed in a consistent and effective manner.

Linkification – is the action when a software application uses algorithms and rules to determine whether a string should create a hyperlink to a valid Internet location (URL) or an email address (mailto:) and executes the linkification.

+

The people's/consumer's side of Universal Acceptance

Universal Awareness – is when those people who are domain name owners or want to become domain name owners are aware of the large choice and benefits of the new top-level domains that complement the legacy TLDs.

Universal Recognition – is when people, especially Internet users, identify a combination of two or more labels separated by dots as a potential domain name and type it into a browser or search bar or forward that information.

=

The full picture of Universal Acceptance

Universal Acceptance – is the state when both technology and people identify a label.label combination as a potential or real Internet address (= domain name) and perform the appropriate action on it.

* * *

Our Suggestion

In order to overcome the Universal Acceptance issues, we would like to make the following suggestion:

With enormous existing funds of over US$ 230 million from the new gTLD auction proceeds, ICANN could spend a serious amount for a worldwide campaign towards all stakeholders relevant to Universal Acceptance. Stakeholders may range from the large Internet companies to software developers, IT people, advertisers and the general public.

Written by Dirk Krischenowski, Founder and CEO of dotBERLIN GmbH & Co. KG

Study Finds $9.8B Opportunity In Universal Acceptance of All New Generic and Internationalized TLDs

Figure: Proportion of Internet users, websites and native language speakers / Analysys Mason paper

A new study by Analysys Mason, commissioned by the Universal Acceptance Steering Group (UASG), reports a potential USD 9.8 billion growth opportunity in online revenue from a routine update to Internet systems, including those serving speakers of languages that do not use the English script. "The Domain Name System (DNS) has expanded dramatically and now includes more than 1,200 gTLDs. Many of those top-level domains are longer than the legacy three-character domain name (e.g. .com, .edu and .org) or are in non-Latin based scripts (such as Chinese, Arabic or Cyrillic). ... [A]lthough many online systems do not recognize these domain names as valid. For example, problems may arise when a user enters a domain name or related email address into an online form on a website and it is rejected. When this happens, it not only frustrates the user and reduces the opportunities for the organization to win a new customer, but it also lessens the cultural, social and economic benefits made possible by the Internet."

Ram Mohan, Chair of UASG: "To excel in the long run, organizations should seize the opportunity — and responsibility — to ensure that their systems work with the common infrastructure of the Internet — the domain name system. Universal Acceptance unlocks a significant economic opportunity and provides a gateway to the next billion Internet users by ensuring a consistent and positive experience for Internet users globally. Additionally, governments and NGOs will be better able to serve their citizens and constituencies if they adopt Universal Acceptance."

Research estimates that support for Internationalized Domain Names could bring 17 million new users online. These include users whose lack of local language services was previously a barrier to a complete online experience. "The report's estimate is based on the examination of just five major languages and language groups that would benefit from IDNs because they use non-Latin scripts (Russian, Chinese, Arabic, Vietnamese and Indic language groups) and the proportion of non-Internet users for whom a lack of local language services is a barrier. The research shows that online spending from these new IDN users could start at USD 6.2 billion per year."

Potential increased revenues from existing gTLD users: "According to one study, 13 percent of websites reject new domain names with more than three letters — when a simple update of these websites (effectively a "bug fix") could increase online revenues by USD 3.6 billion per year as a result of Universal Acceptance."

Andrew Kloeden, Principal at Analysys Mason: "Our analysis shows that the main impediment to Universal Acceptance is a lack of awareness of the issue, rather than any technical challenges. This is not a heavy lift. The efforts required by software and application owners to implement UA are not particularly onerous; in fact most companies treat UA issues simply as ‘bug fixes.’"
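As an added example (not dotBERLIN's, ICANN's or the UASG's code) serving both the Universal Acceptance cases listed in the previous article (the short a@d.am, the IDN λ@ελ.ελ, a new gTLD address) and the "bug fix" this study describes, here is a validator of the kind that rejects TLDs longer than three letters beside a UA-ready one. The sample addresses are constructed; the IDN conversion uses Python's stdlib idna codec (IDNA2003 rules), where a production system would use an IDNA2008 library.

```python
"""Added example (not dotBERLIN's, ICANN's or the UASG's code): a legacy
address validator beside a UA-ready one. Assumptions: sample addresses are
constructed; the stdlib idna codec (IDNA2003) stands in for an IDNA2008
library, and only syntax is checked, not deliverability.
"""
import re

# The kind of rule the study calls a "bug fix" candidate: ASCII only, and a
# TLD of two or three letters, so .berlin, .music and every IDN TLD fail.
LEGACY_PATTERN = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,3}$")

# Hostname label after A-label conversion: letters, digits, hyphen, no
# leading or trailing hyphen, 1 to 63 octets (RFC 1035 / RFC 1123).
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def legacy_accepts(address):
    """The pre-2014 assumption, kept here only to show what it rejects."""
    return LEGACY_PATTERN.match(address) is not None


def domain_to_alabels(domain):
    """Return the ASCII (A-label) form of a possibly internationalized
    domain, or None when it is not a syntactically valid hostname."""
    domain = domain.rstrip(".").lower()
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_form.split(".")
    if len(labels) < 2 or len(ascii_form) > 253:
        return None
    # The idna codec passes ASCII labels through unchecked, so apply the
    # LDH rule ourselves; this is what catches spaces and empty labels.
    if not all(LDH_LABEL.match(label) for label in labels):
        return None
    if labels[-1].isdigit():            # a top-level label is never all digits
        return None
    return ascii_form


def ua_accepts(address):
    """UA-ready check: any TLD length, IDN domains, and a non-ASCII local
    part as RFC 6531 (SMTPUTF8) allows; a one-character label is fine."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "@" in local or any(c.isspace() for c in local):
        return False
    if len(local.encode("utf-8")) > 64:   # RFC 5321 local-part limit
        return False
    return domain_to_alabels(domain) is not None


if __name__ == "__main__":
    for addr in ("user@example.com", "a@d.am", "info@dotberlin.berlin", "λ@ελ.ελ"):
        print(f"{addr:24} legacy={legacy_accepts(addr)!s:5} ua={ua_accepts(addr)}")
```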

Bell Canada Discloses Loss of 1.9 Million Email Addresses to Hacker, Says No Relation to WannaCry


Bell Canada, the nation's largest telecommunications company, disclosed late on Monday the illegal access of Bell customer information by an anonymous hacker. The information obtained is reported to include email addresses, customer names and/or telephone numbers. From the official release: "There is no indication that any financial, password or other sensitive personal information was accessed. ... The illegally accessed information contains approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers. ... This incident is not connected to the recent global WannaCry malware attacks."
