Musings from a small IPP

Recently we had a customer whose website was infected by way of one of the infamous plugins that are sometimes bundled into themes, such as TimThumb.  The result was their site became one of the foci of a world-wide bot-net which posted tiny abouts of information (greeting and e-mail addresses)  to target fairly large SPAM messages out from their site.

This ran overnight at the weekend, so by the time we had tracked it down 25,000 messages had been submitted, all properly validated as coming from the customer’s site

Fortunately 10,000 messages were still in the system outgoing queue, and we were able to purge those, but it was still around 10 days before mail was flowing properly again.

In response to the issue we are “rate limiting” email by number of recipients from each sender. In a time window  I’ve run some analysis on the traffic logs, and apart from the mailing lists we host, which would be expected to send to many recipients, and with only 8 exceptions, in the past month no-one sends to more than 10 recipients in an hour.  We’ve exempted the known high volume senders from checks, and will be setting a sliding 1 hour window to restrict every other mail account’s submission rates to slightly more than this observed high

This may affect you if you suddenly decide to do a mass mailing.  It’s easy to enable your account if you tell us in advance, also don’t forget you can have a hosted mailing list which can individualise each message for its recipient

I smiled when I saw these 2 signatures juxtaposed. The first is my own, on the basis of a government sponsored seminar on copyright and intellectual property, the second is clearly imposed on the sender by their company…

LEGAL CLAIMER:
Any claims made at this point in a message are completely invalid as they are presented after the information they attempt to assert rights over has been disclosed without prior caveat

NOTICE AND DISCLAIMER
This e-mail (including any attachments) is intended for the above-named person(s). If you are not the intended recipient, notify the sender immediately, delete this email from your system and do not disclose or use for any purpose.

In the second case, if the sensitive information is solely in the attachments, and the attachment is flagged to be an attachment vs an inline body part, then it might have some slight weight as the contents will not yet have been disclosed.

Really though if you are sending private mail you need end-to-end encryption

If there’s one thing that’s visible every day, it’s that users (& some administrators/developers) are easily confused.

Take for instance the “Find My Friends” misfeature on most Social Networking sites. None warn the user to go through and check that the invitations they are about to generate are really only going to their friends, and that they should only send mail directly to their friends, not to mailing lists.

I wonder how many suppliers get invitations to connect to customers whom they don’t really know on LinkedIn? How many mailing lists are invited to sign up and befriend FaceBook users? Some sites like Flickr limit their invitations to existing users, others need blocked from every mailing list.

Example setting for Mailman > Privacy > Sender filter