SpamRATS

Advice for Email Providers

As an email provider you face many challenges, not least stopping threats, malware, spam, and other unwanted activity. It is not just inbound spam: compromised email accounts, hackers, and unauthorized users are security threats too. Fighting that battle alone is no fun; it helps to have a wealth of data at your disposal.

This is where third-party data can be a life saver. Security is a multi-pronged effort, and nothing is more powerful or efficient than IP reputation. To your customers, secure email sets you apart, increases loyalty, reduces churn, and greatly reduces the risk of ransomware, data theft, or falling for a scam that costs them money or infects their other systems. For you, simple threat intelligence reduces system overhead, saves money, and cuts support calls and administration.

... nothing is more powerful, or efficient than IP Reputation ...

SpamRats (and IP reputation in general) should be a core part of your threat defense strategy. With 20 years of data collection and intelligence behind it, SpamRats is one of the most effective RBLs, with one of the lowest false-positive rates, which makes it an obvious choice. Used by major ISPs and email providers all over the world, it is also a safe choice.

NOTE! If you are on this page because you are listed, it means your security could use some improvements. Feel free to use our contact page if you would like advice from actual email experts, but if you need to get your IP unlisted, please use the Check IP instructions on the home page and follow them.

Common Threat Types - What Lists Work Best?

Bots, Bots and Bots

The most common consumer of resources on your server is attacks from bots. Botnets get bigger and more sophisticated all the time: there are tens of millions of compromised home computers, CPE devices, cameras, and wifi routers active at any moment. Fortunately, of the approximately 4 billion IPv4 addresses, only a couple of million legitimately need to send email.

... there are an estimated 20 billion IoT devices on the Internet, and tens of millions of them are infected ...

Fortunately, several RBLs let you reject connections from IPs that were never meant to send email. RATS-NOPTR and RATS-DYNA are designed to stop most unexpected email traffic from home-style, shared, or dynamic IP addresses. Use these lists as EARLY in your SMTP processing as possible, ideally at connection time before the client gets as far as DATA, so that each rejected connection costs you almost nothing.

Open Proxies

Real email servers should NEVER be sending through open proxies, so use the proxy list like the lists above: as early as possible on port 25. You can also use it on ports 465 and 587 and in your webmail login process. Should anyone be logging in to your servers anonymously? Several known threat actors use this technique, including state-affiliated actors trying to bypass country restrictions or hide their source. Of course, you do not want to block your customers' private VPNs or proxies, so this policy must not be absolute: keep an exemption list so that known private proxy IPs bypass it.

... never allow logins from open proxies ...

There are also many open proxies that hackers set up on real servers, default server installations that include them, and home users who set them up to watch geo-fenced media content, which is why you need an RBL that is constantly updating. And of course there are good and bad proxy operators. RATS-PROXY and RATS-NULL are usually included in our RATS-SPAM list, since proxies are not usually email servers.

Compromised Email Accounts - How this happens

Compromised accounts are the bane of every email provider, and compromises come in all forms. While we tend to think of them as caused by password guessing and brute force, in reality that is no longer the main cause, and those attacks can be defended against with rate limiters and restrictions on weak passwords. The real problems?

... compromised accounts are the MOST dangerous of threats ...

Allowing Insecure Protocols

Old-fashioned POP and SMTP were designed for a different world, before hackers started making money. Today POP and SMTP should happen only over encrypted channels (TLS). Did you know that your compromise rate can drop by up to 90% simply by turning off plaintext POP on port 110, or at least refusing to accept a password until STARTTLS has been negotiated? It seems almost every coffee shop wireless network has been hacked at some point and used to 'sniff' traffic for plain-text passwords.

... turning off POP 110 can reduce compromises by 90% ...

Password Reuse

Let's face it: end users WANT to use the same password everywhere, something easy to remember like a birthday or a cat's name. The only problem is that if, for instance, their favourite online store gets compromised, the hackers now have their email address and password. Billions of user records are out there on the dark web, and trust us, the hackers are using them. There are ways to mitigate this, and while the best methods use some form of 2FA, customers don't always like using it. Restricting where customers can authenticate from can really reduce the damage.

... hackers want to hide .. WHERE they use the password is important ...

Browser Vulnerabilities

As good as modern browsers are, programmers make mistakes and hackers are quick to find them. End users are not great at keeping software updated, and too often they fall for installing the latest 'plugin' from untrusted sources. Whatever the cause, hackers love sending email, instant messages, or social media posts with links to a 'cool website'. All it takes is one visit and the hackers can 'exfil' the data the browser knows, and sometimes even data from the computer or device. And users let the browser 'remember' their passwords.

... is your login to your DNS/Domain registrar stored in your browser ...

Phishing

Our users are human, and in general overly trusting and not that tech savvy. So when they get an email from their 'ISP' or email provider saying they need to 'update' or 'confirm' their account or password, they think it is normal, happily follow the instructions on a page made to look like their ISP's, and presto: the hacker has the password. That's why you should also use RBLs on your edge routers and DNS servers, so customers can't reach links hosted on some of the worst parts of the Internet.

... don't let hackers use your accounts for Phishing.. you could end up on an RBL ...

DNS Manipulation

Remember those router hacks? Some of the world's largest security and technology companies, with millions of devices deployed, have fallen prey to hackers: CPE equipment with hardcoded logins or hardcoded backdoors. Any of these devices can intercept DNS requests and simply answer 'www.mybank.com' with 2.2.2.2 instead of 1.1.1.1. And there are a hundred other ways for hackers to intercept or change where a user is directed. Who is going to notice that they are at www.my-bank.com instead of www.mybank.com?

... DNS over HTTPS (DoH) is NOT automatically safer ...

Social Engineering

This is still a big problem at some ISPs, where the weakest link can be your own staff. Everyone on your staff should read Kevin Mitnick's book Ghost in the Wires. Make sure you have 'trust factors' in place, so that you can verify it REALLY is your customer calling for a password reset.

... NEVER use default passwords when setting up accounts, users won't change them ...

SIM Card Swapping, Stolen devices, BlueTooth, and More..

We could go on and on about how clever and devious attackers are: Bluetooth drive-bys, fake cell towers and wifi, social engineering. If a hacker REALLY wants your password, most people are ill equipped to stop them from getting it. Fortunately, the really good hackers are few and far between. Most are 'script kiddies' using the easiest methods, because frankly they work. The rest prefer methods that 'scale', so they can attack hundreds of thousands of people in an automated fashion. It is not only criminals and state actors; it's even kids playing around. And with modern tools like ChatGPT, almost anyone can be a hacker. The worst part is that a compromised email account doesn't just mean inconvenience: it is the number one entry point for far more serious crimes, such as stealing personal information, crypto theft, or banking fraud. It can lead to the loss of a life's savings, or to ransomware that brings entire corporations down.

... assume email accounts CAN get hacked.. IP Reputation can reduce the risk ...

Dealing with Stolen Passwords

While there is no perfect way to protect against this, email providers do have tools at their disposal. Convincing users to use two-factor authentication helps, but AUTH restrictions are also very important. Most hackers are NOT going to use their personal computer for hacking; they need to hide their identity. They use stolen or cheap VPS servers, hacked servers and devices, transparent VPNs and proxies, and bullet-proof hosting companies. That often works against them.

Country AUTH restrictions are helpful, but attackers usually use devices in your own country. Make sure your authentication layer also uses IP reputation: RATS-NULL, RATS-PROXY, and more importantly RATS-AUTH should be in your tool chest.

The noise of millions of compromised bots hitting your server can make it hard to find the real attackers. AUTH rate limiters are your friend, but sometimes you just don't need to see the noise, and custom RBLs can help. For example, if you NEVER have customers who travel to China, RATS-CHINATELECOM can remove the noise of hundreds of millions of hacked servers, devices, and IoT equipment (TVs, cameras, refrigerators).

And if you only serve 'people', they are usually not logging in from a 'CLOUD' server. Hundreds of cloud machines that are poorly maintained or operated by threat actors are detected every day. RATS-CLOUD, or the lists for specific large cloud operators in your region such as RATS-ALIBABA or RATS-GCLOUD, can be very powerful as well.
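A worked example of the AUTH rate limiting recommended above, added here as an illustration; it is not SpamRats code, and the log line format, the thresholds and the IP addresses are assumptions constructed for the example. It replays sample authentication log lines through a sliding-window limiter that keeps three counters, because blocking on failures per source IP alone misses two of the patterns described on this page: a single source 'spraying' one or two guesses across many mailboxes (the attack that scales), and one mailbox being hammered from many sources. It also flags a success that follows failures from the same source, which is what a stolen or reused password looks like when it finally works.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not SpamRats code. Log format and thresholds are assumptions.
WINDOW = timedelta(minutes=5)
MAX_FAIL_PER_IP = 10    # classic brute force from one source
MAX_USERS_PER_IP = 4    # password spraying: few guesses each across many mailboxes
MAX_FAIL_PER_USER = 5   # one mailbox hammered, possibly from many sources


class AuthRateLimiter:
    """Sliding-window counters over failed logins, keyed by source IP and by account."""

    def __init__(self) -> None:
        self.ip_fail = defaultdict(deque)    # ip -> deque[(ts, user)]
        self.user_fail = defaultdict(deque)  # user -> deque[(ts, ip)]
        self.alerts = []

    @staticmethod
    def _prune(dq: deque, now: datetime) -> None:
        """Drop entries older than WINDOW from the front of the deque."""
        cutoff = now - WINDOW
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def check(self, now: datetime, ip: str, user: str) -> str:
        """Call before verifying the password; returns 'allow' or 'block:<reason>'."""
        ipq, uq = self.ip_fail[ip], self.user_fail[user]
        self._prune(ipq, now)
        self._prune(uq, now)
        if len(ipq) >= MAX_FAIL_PER_IP:
            return "block:ip-brute-force"
        if len({u for _, u in ipq}) >= MAX_USERS_PER_IP:
            return "block:ip-spraying"
        if len(uq) >= MAX_FAIL_PER_USER:
            return "block:user-lockout"
        return "allow"

    def record(self, now: datetime, ip: str, user: str, success: bool) -> None:
        """Call after the password check, for attempts that were allowed through."""
        if success:
            self._prune(self.ip_fail[ip], now)
            if self.ip_fail[ip]:
                # A success right after failures from the same source is how a
                # stuffed or reused password looks: flag it, do not just accept it.
                self.alerts.append(f"{now.isoformat()} success-after-failures ip={ip} user={user}")
            self.user_fail[user].clear()
        else:
            self.ip_fail[ip].append((now, user))
            self.user_fail[user].append((now, ip))


# Constructed sample log (assumption: this line format is invented for the example).
# 10.1.1.5 brute-forces alice; 10.2.2.2 then tries alice too; 10.3.3.3 sprays
# five mailboxes; 10.4.4.4 fails twice on grace and then succeeds; finally
# 10.3.3.3 returns after the window has expired.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:00:01Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:00:02Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:00:03Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:00:04Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:00:05Z auth-fail ip=10.1.1.5 user=alice
2024-05-01T10:01:00Z auth-fail ip=10.2.2.2 user=alice
2024-05-01T10:02:00Z auth-fail ip=10.3.3.3 user=bob
2024-05-01T10:02:01Z auth-fail ip=10.3.3.3 user=carol
2024-05-01T10:02:02Z auth-fail ip=10.3.3.3 user=dave
2024-05-01T10:02:03Z auth-fail ip=10.3.3.3 user=erin
2024-05-01T10:02:04Z auth-fail ip=10.3.3.3 user=frank
2024-05-01T10:03:00Z auth-fail ip=10.4.4.4 user=grace
2024-05-01T10:03:01Z auth-fail ip=10.4.4.4 user=grace
2024-05-01T10:03:02Z auth-ok ip=10.4.4.4 user=grace
2024-05-01T10:10:00Z auth-fail ip=10.3.3.3 user=frank
"""


def parse_line(line: str):
    """'<ts> <auth-ok|auth-fail> ip=<ip> user=<user>' -> (ts, success, ip, user)."""
    stamp, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, result == "auth-ok", kv["ip"], kv["user"]


def replay(lines):
    """Run every attempt through the limiter; returns (verdicts, alerts)."""
    limiter = AuthRateLimiter()
    verdicts = []
    for line in lines:
        ts, ok, ip, user = parse_line(line)
        verdict = limiter.check(ts, ip, user)
        verdicts.append(verdict)
        if verdict == "allow":  # blocked attempts never reach the password check
            limiter.record(ts, ip, user, ok)
    return verdicts, limiter.alerts


if __name__ == "__main__":
    verdicts, alerts = replay(SAMPLE_LOG.splitlines())
    for line, verdict in zip(SAMPLE_LOG.splitlines(), verdicts):
        print(f"{verdict:<22} {line}")
    print(*alerts, sep="\n")
```

In the replay, alice is locked for everyone after five failures (so the attempt from 10.2.2.2 is also refused), 10.3.3.3 is cut off on its fifth distinct mailbox even though it never failed more than once per account, grace's eventual success is allowed but raises an alert worth feeding into your IP reputation data, and the return of 10.3.3.3 after the five-minute window is allowed again. Tune the window and thresholds to your own traffic, and lock the mailbox rather than the IP when the failures come from many sources.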

Hacked Servers

Unfortunately, this is all too easy. Many servers never get updated regularly, and users install unsafe plugins. Fortunately, IP reputation comes in very handy here: RATS-SPAM is your number one protection, and compromised servers are added in near real time when they are detected. For most email providers, though, hacked servers show up as open proxies or as the source of authentication attacks. RATS-AUTH is critical, but you can also rule out large swathes of IPs that should not normally be authenticating against your user accounts. You KNOW your customers are not on Alibaba Cloud; they are using IPs assigned for network access. Consider using RATS-CLOUD as a tool to protect against those hackers.
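An added example (not SpamRats' own code) of the staged lookups this page recommends: the cheap, broad lists (no-PTR, dynamic) are queried first at SMTP connect time on port 25, a different set of lists is consulted at the AUTH layer for ports 465/587 and webmail, and customer VPN or proxy egress addresses are exempted before any lookup is made. The zone names ending in .rbl.example, the listing data and the exempt network are all assumptions constructed for the example; substitute the real zone names and your own allowlist. The resolver is injected so the code runs offline; in production swap in a real DNS query. One caveat the page does not spell out, handled here: a DNSBL answer outside 127.0.0.0/8 (for example from a wildcarded or parked domain) must not be treated as a listing.

```python
import ipaddress
from typing import Callable, Optional, Sequence

# Added example, not SpamRats code. Zone names are placeholders (assumption);
# a listing is an A record inside 127.0.0.0/8 under the reversed-IP name.
Resolver = Callable[[str], Optional[str]]  # DNS name -> first A record, or None

# Cheapest/broadest lists first so most bots are refused on the first query.
SMTP_ZONES: Sequence[str] = ("noptr.rbl.example", "dyna.rbl.example", "spam.rbl.example")
# Lists consulted for logins on 465/587/webmail, not for inbound port 25.
AUTH_ZONES: Sequence[str] = ("auth.rbl.example", "proxy.rbl.example", "cloud.rbl.example")
LISTED = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(ip: str, zone: str) -> str:
    """1.2.3.4 + zone -> 4.3.2.1.zone (the standard DNSBL lookup name)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for IPv6 or garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        # Only 127.x.x.x counts; anything else means a broken or hijacked zone.
        return ipaddress.IPv4Address(answer) in LISTED
    except ValueError:
        return False


def first_listing(ip: str, zones: Sequence[str], resolve: Resolver) -> Optional[str]:
    """Return the first zone that lists ip, stopping at the first hit."""
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return zone
    return None


def smtp_connect_policy(ip: str, resolve: Resolver) -> str:
    """Verdict for an inbound port-25 connection, before any SMTP dialogue."""
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return "DEFER"  # not an IPv4 client; hand off to later filtering
    zone = first_listing(ip, SMTP_ZONES, resolve)
    return f"REJECT {zone}" if zone else "OK"


def auth_policy(ip: str, exempt: Sequence[ipaddress.IPv4Network], resolve: Resolver) -> str:
    """Verdict for a login on 465/587/webmail: exemptions first, then lists."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    if any(addr in net for net in exempt):
        return "OK exempt"  # a customer's own VPN/proxy egress is never blocked
    if addr.version != 4:
        return "OK"  # IPv4 lists do not apply; rely on rate limits and 2FA
    zone = first_listing(ip, AUTH_ZONES, resolve)
    return f"REJECT {zone}" if zone else "OK"


# Constructed sample answers (assumption), keyed by full query name.
FAKE_DNS = {
    "7.0.0.10.noptr.rbl.example": "127.0.0.2",     # home-style IP with no PTR
    "23.0.0.10.spam.rbl.example": "127.0.0.2",     # compromised server, spam only
    "50.0.0.10.auth.rbl.example": "127.0.0.2",     # seen attacking AUTH
    "9.0.0.10.cloud.rbl.example": "127.0.0.2",     # cloud range, no customers there
    "9.0.0.10.spam.rbl.example": "93.184.216.34",  # parked/wildcard answer: ignore
}
EXEMPT = (ipaddress.ip_network("10.0.0.8/29"),)  # customer VPN egress (assumption)


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup so the example runs offline."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for client in ("10.0.0.7", "10.0.0.23", "10.0.0.9", "10.0.0.50", "2001:db8::1"):
        print(f"{client:>12}  smtp={smtp_connect_policy(client, fake_resolve):<26}"
              f"auth={auth_policy(client, EXEMPT, fake_resolve)}")
```

Note that the same address gets different verdicts at the two stages: 10.0.0.50 is a fine sender on port 25 but is refused at AUTH, while 10.0.0.23 is refused on port 25 as a spam source but is not on any AUTH list. 10.0.0.9 shows both the exemption (it is inside the customer VPN range, so its cloud listing is ignored at AUTH) and the wildcard guard (the non-127 answer from the spam zone is not a listing).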

Malicious Actors

It's often amazing how hackers and foreign state actors get IP space. Often the so-called operator is complicit. You often hear about 'bullet-proof' hosting providers who advertise that they will not monitor traffic or logs, or kick anyone off their network. This simply invites criminals, and often the network operator uses it as a smoke screen to hide their own involvement. This is what DROP LISTS are for. Use whatever reputation drop lists you can find, including RATS-NULL, but apply them as early as you can in your network stack. Most routers can consume blocklist feeds now, and BGP can be used to null-route the listed space. Remember, you want to stop traffic both in AND out. If you can't do that, look at kernel-level packet filtering. As a final resort, block all services with these RBLs, period.

Bad Network Operators

This is a separate class of operator that simply doesn't follow best practices. Often their whois information is out of date, their DNS servers aren't working correctly, they don't provide proper reverse DNS, and worst of all, they don't monitor their networks. Often their routers are compromised without them noticing. Or they don't take down known offenders when these are detected, or don't have proper abuse contacts. This makes it difficult to report offenders or stop bad actors. If they don't deal with threat actors on their network, they quickly end up on the RATS-SPAM Worst Offenders lists, which represent not only past offenders but get ahead of the next outbreak. Unfortunately, some bad actors are among the largest organizations, the 'Too Big to Block'. They don't usually get on the main RBLs, but there are custom RBLs that can help you. This won't stop spam from Gmail or Hotmail of course, and you do need backup filtering, but you can use some of our data sets to help 'score' traffic from bad operators.

Free or Discount VPS Operators

It's simple: if you are renting VPS servers out for $0.99/month, or by the day, hour, or even minute, you attract spammers. You also don't make enough revenue for proper network monitoring or abuse teams, takedown requests take a long time, or the threat actor is long gone before the operator notices and all the damage is done. This quickly gets the operator listed on RBLs, and often they don't even have teams that can help you when your server is hacked or your IP gets flagged by an RBL. You get what you pay for. Fortunately, our threat detection systems pick these networks up VERY fast. RATS-SPAM has ways to detect typical spamming activity, and patterns of negligence or inaction can quickly get these operators onto RATS-SPAM Worst Offenders, protecting you ahead of time from the next IP to be used on those networks.


Many thanks to our Sponsors, Subscription Holders, Users and Contributors.