In short, an open relay is an email server that is configured to accept mail from any sender and deliver it to any recipient. This is an undesirable configuration because it can be exploited very easily by spammers and other malicious users.

A properly configured Exchange server will accept mail sent from outside senders to recipients that are “known” or “local” to that Exchange server. In Exchange Server 2007/2010 this is configured in the Accepted Domains settings for the organization.

In other words, it is normal and expected that senders outside the organization can send email to recipients inside the organization. That email should be accepted and delivered by the Exchange server (assuming the recipient actually exists).

This may be slightly different in the case of shared SMTP namespaces and External Relay domains, but for the sake of this article we’ll focus on this simple example.

In comparison, a server that is an open relay would allow a sender from outside of the organization to send (or “relay”) emails to recipients who are also outside of the organization.

Clearly this is bad because a malicious person could send spam, phishing emails or malware via your Exchange server.

The most obvious risk here is that your Exchange server is used by spammers to exploit others. Another concern is how much of your network and server resources this type of exploitation can consume.

But a more serious concern is that it can lead to other mail systems blocking mail that is sent from your server. This can happen in several ways, such as your server being listed on a blacklist such as Spamhaus, or other email systems performing an open relay test on your server and blocking it when it fails the test.

In their default configuration Exchange Server 2007/2010 are not open relays. However through operator error they could become an open relay. If you have any concerns about your Exchange server possibly being an open relay you can test it by going to Abuse.net and entering your Exchange server’s public IP address or DNS name (ie your MX record) and running the test.

I run this test multiple times on any Exchange server deployment that I’m involved in, or any time a change is made to internet-facing servers. If you’ve never run an open relay test on your own server this may be worth considering.

Related posts:

• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?
• Avoiding Infinite Loops with Internal Relay Domains in Exchange 2007/2010
• Exchange SSL Certificate Management Survey
• Exchange 2010: How to Grant Send on Behalf Permissions for a Distribution Group
• Exchange 2010 Shared Calendar Permissions and Nested Groups

This article Email Fundamentals: What is an Open Relay? is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

Epsilon is the largest permission-based email marketing services provider in the world. According to the company’s Web site, it sends more than 40 billion emails annually for more than 2,500 clients, including seven of the Fortune 10.

The data breach first came to widespread attention as major brands such as Hilton, Tivo and Dell began emailing their customers to warn them that their email addresses had been compromised.

This is nothing new in the world of email marketing, high profile data breaches have occurred in recent years with email providers such as iContact and Aweber (twice) and there is a longer history of them dating back to 2005 and 2002. And thats just a few of the ones we actually hear about.

It should come as no surprise that databases of active, verified email addresses are a rich target for data thieves, just as other targets such as the companies that issue SSL certificates or make security tokens are also highly targeted.

The thought of your email addresses being compromised in this way might alarm some customers. But what is the real impact? More spam?

As I explained to one of my customers, if you have an email address then there is a pretty good chance the spammers already have it. In this particular case an office of only 8 staff has close to 40,000 spam emails blocked each month. A few new spammers getting hold of those email addresses might increase the volume of spam a little.

But as long as that spam is still spam-like then it stands no greater chance of making it past the anti-spam protection our customers already have. In other words if the spam is still coming from untrusted IP addresses such as botnets, contains content that will be filtered, or links out to malicious URLs, then you can expect it to be blocked just like other spam.

The real risk is if the spammers are able to construct spam emails that make it past the anti-spam filters, which as we all know does happen from time to time. Depending on the extent of the Epsilon data breach the spammers may also be in possession of information that makes it easier to trick the receiver into believing it is a legitimate email.

For example of the spammer knows your email address and your real name and which companies you’ve done business with and therefore expect to receive email from, then they can craft a more personalized and relevant spam email to send to you.

So while most people would recognize an email from a bank that they aren’t a customer of as spam, if the same email appeared to come from the bank that they do use and addresses them by their real name then the phishing attempt may be more successful.

All of this places the weakest link (aside from the apparently flawed security of email service providers) at the same place it has always been – the end user and their awareness of issues around spam, social engineering, and phishing.

Unfortunately these are complex issues and as Laura Wise recently showed it can be hard enough for an expert in this field to tell real email from fake. Worse still some companies send legitimate email that easily fits the profile of a phishing attempt.

So what are you telling your customers about this?

Related posts:

• Email Fundamentals: What is an Open Relay?
• Email Spam and How Marketers Think You’re Stupid
• iPad Scam: Beware of the Beta Testing Inc Spam Address Harvester
• Exchange Server 2007 SP1 disables Exchange Anti-spam updates
• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?

This article What Are You Telling Customers About the Epsilon Data Breach? is © 2011 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

I remember when a good spam filter was a list of just a few dozen keywords and maybe a handful of IP addresses and sending email addresses that you had explicitly blocked.  These days we’ve evolved to highly sophisticated email security systems based on combinations of block lists, signature-based content filter, heuristics-based content filtering, sender reputation, and other techniques to try and outwit the criminals that are behind the worst of the spam on the internet.

But there is also another type of spam email. This is the spam that is relatively harmless but falls into the “unsolicited commercial email” category.

The term “permission marketing” was originally coined to describe a philosophy of only marketing to those who agree to receive your message.  In email this is embodied as opt-in or double opt-in marketing, in which consumers explicitly signup to receive email from companies that they have interacted with.

In other words, when you want to know about the weekend special at your local pizza chain, you go to their website and fill out a form with your name, email address, and location, and they send you emails until you tell them to stop by unsubscribing.

But some marketers hate the idea that they need permission to enter your inbox.  They don’t say it in so many words.  They talk about “implied permission”, and their responsibility as marketers to anticipate consumer wants and deliver relevant emails to them without the recipient having to ask for them.  Relevant being a subjective term, because most marketers consider their message relevant to everyone who has ever done business with them.

In reality most consumers would not say that they expect to receive email from every business that they’ve ever bought from.

But the marketer insists on putting these words in the consumer’s mouth:

Since I already do business with you, I expect to see some emails that actually relate to what I’ve bought or maybe searched for or even read/reviewed on your site. But you can also send me random items… eventually something will be of interest. It’s your dime (or 0.025 cents or whatever you pay to send me an email).

<snip>

Of course, if you decide to waste my time by waiting for me to raise my hand and ask you to send me emails, I’ll do business with someone who has the guts to send me their best efforts instead of hiding behind silly arguments about the ethics of talking to me in a channel I use daily. For all I know, I already gave you my email address and permission. Or not. I don’t care either way.

As the article’s author goes on to elaborate in the comments:

Another way to look at it is that it’s a new high in the level of respect we should have for customers – not to waste their time after they’ve clearly established an interest in our products and services.

In other words, a business transaction is the same as permission.  Start sending emails!

So why can’t marketers just stick with explicit permission instead of looking for ways to assume permission was implied?  Because they think its too hard for people to work out how to opt-in to receive email.

Why are you assuming that every customer has enough interest in every organization that they do business with to make it a point to hunt down every single permissions page so they can sign up for emails? We don’t ask for the same level of interaction for direct mailings. That’s a huge level of disrespect for people’s time and effort. It takes far less time to unsubscribe than it does to subscribe (or to shred/toss the mail for that matter).

So its easier to just email people and let them (try to) opt-out than it is to put in place the simple, easy to use systems that capture opt-ins at the point of interaction (usually the sale).  Naked Pizza have worked it out.  Amazon had no trouble working it out.  Why can’t the rest of the marketing world work it out as well?

It is arrogant at best, and insulting at worst, for marketers to think that we consumers are too stupid to work out how to opt-in for email that we want.

Related posts:

• Email Fundamentals: What is an Open Relay?
• What Are You Telling Customers About the Epsilon Data Breach?
• Exchange Server AntiSpam: Review of SPAMFighter Exchange Module for Exchange Server 2010
• Exchange 2010 FAQ: Are Wildcard SSL Certificates Supported?
• Exchange SSL Certificate Management Survey

This article Email Spam and How Marketers Think You’re Stupid is © 2010 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

The premise of the scam is this – you get sent an iPad review unit for 2 months, after which you are free to keep it.  All you have to do is sign up and … give them access to one or more of your email address books or social network accounts so they can “invite” your contacts too.

If you do allow the spammers access to your contact list they send an email like this to each of your contacts:

Hello (your contact),

Your contact (your name) invites you to participate in an iPad review program.
Marketing research companies are looking for individuals who are interested in reviewing the new Apple iPad. The testing period lasts one month, after which reviewers can keep the device as a reward.
To see more details or to register to our program, follow the link below:

(link removed)

Thanks,

The Beta Testing Inc Group

By spoofing your email address when they send to your contacts the spammer hopes to avoid suspicion, raise the level of trust, and convert more victims.

The Beta Testing Inc Website

I’ll do my best to avoid any active hyperlinks to the site, but the URL in the invite email I received was betaincgroup.com, which forwarded me to betatestinginc.com.

The website is quite polished looking and gives a good first impression with a slick design that doesn’t immediately scream “scam!” at you like some sites do.

There is enough content and links on the site to look well established, but what they’re really hoping is that you will see the iPad offer and rush to take it up.

The Email Address Harvest

The spammer cleverly seeks to harvest email addresses by tricking you into giving them up willingly.  First you’re asked for your email address (they’ve already harvested one of them when your friends invited you, and they’re hoping you’ll perhaps submit a different one in the signup process netting them two active addresses in the process).

In step 2 you’re asked to give them access to your email or social networks so that your friends can also be invited.  A long list of webmail providers is available, as well as LinkedIn and Youtube.

Next you can complete your “registration”.  Its worth pointing out that this step can be done without either step 1 or 2 being actually completed.  They haven’t bothered coding in any logic to require you to complete the first two steps.  And I’ll show you why.

The “Complete Registration” button points to a .php file on the local domain, which is a redirect to a new website.  The new website is a simple mobile phone continuity scam disguised as a quiz. Whether you completed step 1 and 2 or didn’t, they want iPad-hungry suckers to land on this website and fall for the next scam.  This is the spammer’s second bite of the cherry.

This iPad giveaway masks your standard mobile phone subscription service scam.  I use the term “scam” quite willingly despite the following terms and conditions (which victims never read, and thats what they’re banking on).

“Subscription service: 2 msgs/wk $5/msg + $5 to join”

“This service operates according to the Australian code of conduct for SMS services.”

“Subscription: $5 once off joining fee + $10/wk to download mobile content”

No doubt this redirect is geo-located to send each potential victim to an offer in their own country.

Signs of the Scam

Despite the obvious signs I’ve already demonstrated there are plenty of other signals that should tell people this is all an elaborate scam if they were to look closely.  The website cleverly distracts from most of its written content with imagery and a strong call to action, but on closer inspection the tell tale signs are there.

Exhibit A: They say a phone number is required for the confirmation process, but the signup form doesn’t ask for one.

Exhibit B: Numerous typos and grammatical errors (above and below).

Exhibit C: Efforts to get you spamming as many of your friends as possible.

Exhibit D: Non-functioning links in the footer.  Amusingly, the Contact link in the footer doesn’t work but the one in the top nav menu does, and offers a standard contact form that is yet another way they can harvest your email address.

Exhibit E: A non-functioning link to a Twitter profile, and my favourite of all, the “no spam” phone number.

Who is Behind It?

Naturally the spammers are hiding behind private WHOIS details and domain names registered in the Bahamas.

The mobile subscription service I was redirected to had a different WHOIS and was registered in Amsterdam.  They seem to be a generic “mobile entertainment” business running out of multiple countries, and not related to the iPad spammer themselves who appears to be an affiliate of the mobile company rather than directly associated.

Whether that service is legal in the countries it operates is irrelevant to me, I still consider it a scam and anyone who signs up to it be a victim.

From the Spammer’s Point of View

This is probably a decent earner for them.  As long as some of the invites slip past spam filters and trick a few people into opening their email contacts the spammer gets:

• Usernames and passwords to email and social network accounts
• Valid email addresses for future spam
  • At least 1 and sometimes 2 email addresses from the first victim
  • All of the email addresses that the person has in their email or social network account
• Some affiliate commissions from the mobile subscription services they are redirecting victims to

And because of the invite system being used, after an initial push the scam could simply go viral and spread itself without any further effort.

Too Good to be True…

The old saying applies here.  Really, 5000 free iPads?  Sounds too good to be true doesn’t it?

Spammers are basically malicious marketers, and like any marketer will seek to exploit trends.  Valentine’s Day, Christmas, new US presidents, natural disasters, and yes even new Apple products.  There are all instant triggers for spam campaigns that try to take advantage of the things that are most relevant to people at the time.

A final note, if you did fall for this scam I strongly recommend you change your passwords now.

Related posts:

• What Are You Telling Customers About the Epsilon Data Breach?
• Email Fundamentals: What is an Open Relay?
• Email Spam and How Marketers Think You’re Stupid
• Some Recent Articles
• Spamhaus RBL Changes

This article iPad Scam: Beware of the Beta Testing Inc Spam Address Harvester is © 2010 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

What if You Never Backed Up Your Exchange Server Again?

A look at how the new replication and retention features of Exchange Server 2010 can be used so that you never need to back up your Exchange Server (though you probably still will ).  Read more…

What if You Never Backed Up Your Exchange Server Again? (Part 2)

Follow up to the previous post describing the use of lagged database copies to enable point in time recovery in case of logical corruption.  Read more…

Understanding Exchange Server Accepted Domains

Describes the concept of Accepted Domains and how each of the domain types (Authoritative, Internal Relay, and External Relay) can be used in difference scenarios.  Read more…

Protecting Distribution Groups with Exchange Server 2010 Email Moderation

Exchange Server 2007 was not very flexible when it came to protecting email distribution groups from misuse, but the new Moderated Transport feature of Exchange Server 2010 solves the problem.  Read more…

Designing an Exchange Server Database Layout

I’ve been working on database layouts for big Exchange environments lately so this topic has been on my mind a lot.  Read more…

Exchange Server 2007 Availability Service Explained

One of the more misunderstood implications of Exchange Server 2007 and 2010 is the movement away from Public Folders for storing schedule free/busy information for users of Outlook 2007 and beyond.  Read more…

9 Benefits of Hosted Antispam Services

A look at some of the benefits of choosing a hosted antispam service over on-premises solutions.  Read more…

Related posts:

• Exchange 2010: Are Passive Database Copies Included in Backups of DAG Members?
• Review: Exchange Server 2010 Backup and Recovery Training
• PowerShell Script: Check Exchange Mailbox Database Last Backup Time
• Exchange Server 2007 Backup and Recovery
• Get-MailboxReport.ps1 – PowerShell Script to Generate Mailbox Reports

This article Some Recent Articles is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

It’s come to our attention recently that Spamhaus has phased out the old SBL-XBL list, which has now been replaced by the ZEN list (named after a guard dog).

If you’ve got Spamhaus configured in your Exchange connection filtering you will want to be sure you are not using one of the discontinued services.  Short story is that sbl.spamhaus.org and xbl.spamhaus.org are no longer in service, and users should switch to zen.spamhaus.org.  See the Spamhaus website for more details.

Related posts:

• Email Fundamentals: What is an Open Relay?
• What Are You Telling Customers About the Epsilon Data Breach?
• Email Spam and How Marketers Think You’re Stupid
• iPad Scam: Beware of the Beta Testing Inc Spam Address Harvester
• Some Recent Articles

This article Spamhaus RBL Changes is © 2009 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

In many Exchange Server 2007 environments incoming email is received directly by an internet-facing Hub Transport server. By default the transport server will use recipient lookups to notify the connecting host whether an email address is valid or not. When an inbound email is addressed to a recipient that does not exist a “550 5.1.1 User unknown” SMTP response is sent to the connecting host. When an email is addressed to a valid recipient a “250 2.1.5 Recipient OK” SMTP response is sent.

Though it is useful and important to provide this recipient lookup feedback to sending email servers this is also exactly the behaviour that enables a Directory Harvest Attack to occur.

Read the full article here.

Related posts:

• Some Recent Articles
• Get-MailboxReport.ps1 – PowerShell Script to Generate Mailbox Reports
• Update Rollup 6 for Exchange 2007 SP3 Released
• Error: Outlook Was Unable to Recover Some or All of the Items in this Folder
• Using Test-Mailflow with Exchange 2003 Servers

This article Exchange Server 2007 and Directory Harvesting Attacks is © 2008 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

 

The closure of a web hosting firm that is believed to have had spam gangs as clients has led to a drastic reduction in junk mail.

Two US internet service providers have pulled the plug on the firm McColo following an investigation by the Washington Post newspaper.

Anti-spam firm Ironport has seen junk mail levels drop by 70% since McColo was taken offline on 11 November.

But, it warned, it will be a temporary respite from the menace of spam.

Read the full article here.

Related posts:

• Email Fundamentals: What is an Open Relay?
• What Are You Telling Customers About the Epsilon Data Breach?
• Email Spam and How Marketers Think You’re Stupid
• iPad Scam: Beware of the Beta Testing Inc Spam Address Harvester
• Some Recent Articles

This article Web host closure leads to 70% drop in global spam is © 2008 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com