Email attacks

Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:

Someone in permission-based email marketing should have sounded the alarm about the wedding-photo attacks months before Blumberg did.

The attacks were being talked about on at least 2 different private lists. One was made up primarily of email marketers, and most of them didn’t seem to take it very seriously. The other list, though, had a number of people sounding loud alarms, sharing IP addresses to block and reporting the information to various block lists and anti-spam vendors in order to protect their infrastructure. One of my clients has been aggressively chasing this for a few months, as well.

To the best of my knowledge, no one knew of any actual compromises that had happened. I only received my first phish last Wednesday. The only other company that had sent mail to that tagged address was Return Path and I immediately notified them that they appeared to be breached.

While I know nothing was made public and that may be a problem, to assert that no one sounded an alarm is untrue. There were a lot of people that were sounding alarms and sharing information to help other companies protect themselves from the phishing attacks. To the best of my knowledge the truly targeted spear phishing attacks on ESPs started about 6 weeks ago.

Ken touches briefly on something that I, and others, have been saying. Email is hostile traffic. Email marketers seem to not understand how much hostile traffic comes into the average user’s mailbox nor how many email marketing practices actually train users to be accepting of that traffic.

It’s something I will be blogging about over the next few days or months, because it’s time for email marketers to understand just how malicious spammers are and how they can stop helping the criminals.

4 comments

  1. Matt Blumberg says

    I’ll be blogging about it too, once things calm down here.
    We do need some form of industry-driven publicity around these things, potentially by asking a few associations to collaborate on that. Return Path will probably help drive this, as we have staff on the Boards of most of the relevant associations (DMA/EEC, MAAWG, ETIS, ESPC, OTA).

  2. The Proverbial Barry says

    well said thank you

  3. Neil Schwartzman says

    Hi Laura, actually, the emails I received in regards to this attack indicate that the attacks started almost a year ago, and certainly we at Return Path never heard anything substantial about them prior to being attacked ourselves, which was really disappointing, to say the least. I’m glad, if nothing else, that there is now a nascent effort to exchange what we know so we can mutually protect ourselves.
    The good that comes out of this could, as Matt says, be a collaborative effort to the betterment of the industry – end-user education program driven by the world’s biggest marketers, a free exchange of technical data on attacks in a lawyer-free zone, unified legal strike-backs and so on, are initiatives I personally believe need to be undertaken.

  4. The Proverbial Barry says

    the companies who covered their asses and try to pretend nothing happened are guilty of collaboration and cannot be trusted
    oh wait these are marketers they can’t be trusted anyway ha ha
