Wednesday, June 3, 2015

Detecting e-mail and mailing list compromises

Back when I was working as Web Manager for a publishing company, we were sending out about a million e-mails a week to audiences in IT certification, Chief Executive Officers, and Human Resource (HR) departments and managers. We used an off-site list management service to maintain copies of our databases for advertising audit purposes. We encrypted the list on our end before transit, but the lists often came back to us in plaintext, only to be dropped by our firewall: at that point we applied no filters to the e-mail addresses of the people subscribing to our services, so the plaintext list contained phrases that were not safe for work.

Though I didn't agree with having someone else externally manage our lists and would have preferred to keep them internal, our list management service had sold our president a line of marketing bull about being impenetrable because they used IBM AS/400 machines. They were under the impression that the machines were invincible because they weren't like the standard machines we were using in the office. The expense for the level of service they were providing was outrageous, so I had to agree to disagree (pick your battles).

When we wanted to send out one of our many mail-blasts (aka e-mail marketing campaigns), we would send a specially crafted message to the list service telling them to run a standard query against the database for a particular list. Their system would in turn automatically send back an e-mail list containing the people we were targeting, based on the query parameters (demographics) we supplied. This was the standard procedure until the management service eventually provided a CMS interface (for extra money, of course).

Because this external entity maintained a copy of our lists, and our company was liable for the subscriber information we were accepting, I seeded each individual list with special e-mail addresses: list members that existed only in the list management service's copy of the database. Upon receipt of a list back from the service, a bash script I had written scrubbed those special addresses from the list we were about to send to. I had also added a second set of list members that were scrubbed on our end only, just prior to the send; that way I could tell if one of my employees had sold our targeted lists on the black market. In my experience with corporate systems security, danger tends to lurk within.

If the external list management service decided to send to those addresses themselves, these being valuable targeted lists, I would immediately receive a copy telling me the security of the lists had been compromised. Likewise, I could tell if we had an internal personnel issue: someone selling lists, someone misfiring a message, or someone burning a particular list with too many sends.

Additionally, for each send we created custom e-mail addresses for that mailing alone that would alert us if anyone compromised the MTA we were using for the send. Because those addresses only resided at the MTA level, any message to them that did not come from us indicated a security issue.

Present day
While I'm no longer working for that company, I still use variations of this practice for my own systems. For each vendor where I have to sign up for an account, or whenever I need to register a piece of software, I set up a custom e-mail alias for that particular use. Each e-mail address is only ever used for that one specific account.

This allows me to:
  • Check if someone has sold my name and e-mail address
  • See if someone's mailing list has been compromised
  • Tell if someone is obeying the anti-spam laws on subscriptions
  • Get a heads-up if my account information has been compromised in an attack
  • Stop e-mails from people who aren't compliant
  • Change the e-mail address on the account to stop the spam if a list has been compromised

Being able to filter on these particular addresses also greatly improves my productivity, as my inbox only contains e-mails where I have direct correspondence with a live person. I hope these tips help someone. This process was definitely helpful to me in finding leaks in our systems. It also cuts down on the time my Bayesian spam filter needs to find an issue.
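Here is a worked example of the canary-address scheme described above, covering all three tiers of the list-service setup (addresses that live only in the vendor's copy, addresses scrubbed on our side just before the send, and per-campaign addresses that exist only at the MTA) and the same lookup used for the present-day per-vendor aliases. This is added code, not the bash script from the original post. It assumes a secret HMAC key held only by the list owner (CANARY_KEY), an owner-controlled canary domain (canary.example), our own sending domain (example.com), and a constructed one-line-per-message log format rather than any real MTA's log syntax; the list names and campaign identifiers are made up for the demo.

```python
import hashlib
import hmac
import re

# Assumptions (constructed for this example, not from the original post):
CANARY_KEY = b"replace-with-a-long-random-key"  # known only to the list owner
CANARY_DOMAIN = "canary.example"                # owner-controlled, no real subscribers
OUR_DOMAIN = "example.com"                      # the sending company's own domain

# Each tier of canary lives in exactly one place, so a hit pins down the leak.
TIERS = {
    "vendor":   "only in the off-site list service's copy",
    "internal": "in our own copy, scrubbed just before the send",
    "mta":      "only at the sending MTA, for this campaign alone",
    "acct":     "given to one vendor at sign-up, never used elsewhere",
}


def canary_address(list_name, tier, campaign=""):
    """Deterministic but unguessable address for one (list, tier, campaign).

    A keyed HMAC means an insider without CANARY_KEY cannot tell canaries
    from real subscribers and quietly strip them before selling the list.
    """
    msg = f"{list_name}|{tier}|{campaign}".encode()
    tag = hmac.new(CANARY_KEY, msg, hashlib.sha256).hexdigest()[:16]
    return f"{tier}-{tag}@{CANARY_DOMAIN}"


def build_index(list_names, campaign):
    """Map every planted canary back to (list, tier).

    vendor/internal canaries are permanent per list; the mta canary is
    minted fresh for each campaign so a hit also dates the compromise.
    """
    index = {}
    for name in list_names:
        index[canary_address(name, "vendor")] = (name, "vendor")
        index[canary_address(name, "internal")] = (name, "internal")
        index[canary_address(name, "mta", campaign)] = (name, "mta")
    return index


def scrub(recipients, index):
    """Drop canaries from an outgoing list, keeping real recipients in order."""
    return [r for r in recipients if r.strip().lower() not in index]


def classify_hit(from_address, to_address, index):
    """Explain an inbound message addressed to a canary.

    Returns None when the recipient is not a canary, or when the mail came
    from our own domain (our own sends are not a compromise).
    """
    hit = index.get(to_address.strip().lower())
    if hit is None or from_address.strip().lower().endswith("@" + OUR_DOMAIN):
        return None
    name, tier = hit
    return {"list": name, "tier": tier, "where": TIERS.get(tier, "")}


# Constructed log format for the demo: one "from=<...> to=<...>" per line.
# Real MTAs log differently; adapt the regex to yours.
LOG_RE = re.compile(r"from=<([^>]*)>\s+to=<([^>]*)>")


def scan_log(lines, index):
    """Run every log line through classify_hit and return the confirmed leaks."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        result = classify_hit(m.group(1), m.group(2), index)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    campaign = "2015-06-03-blast"                      # constructed
    index = build_index(["it-certs", "ceo", "hr"], campaign)
    outgoing = ["alice@corp.example", canary_address("ceo", "vendor"),
                "bob@corp.example", canary_address("ceo", "mta", campaign)]
    print(scrub(outgoing, index))                      # only alice and bob remain
    sample_log = [                                     # constructed log lines
        f"from=<promo@broker.example> to=<{canary_address('ceo', 'vendor')}>",
        f"from=<marketing@{OUR_DOMAIN}> to=<{canary_address('ceo', 'vendor')}>",
        "from=<x@nowhere.example> to=<alice@corp.example>",
    ]
    for hit in scan_log(sample_log, index):
        print(hit)                                     # one hit: ceo list, vendor tier
```

For the personal per-vendor aliases, the same functions apply: mint one address per vendor with canary_address(vendor_name, "acct"), record it in the index, and any unexpected mail to it names the vendor that sold or lost your address. Keep CANARY_KEY and the index off the systems that hold the lists; if the people who can copy the list can also compute or read the canaries, they can strip them.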
