I’ve been running my own email server for almost as long as I’ve had an email address. And when you roll your own, you have to figure out your own answer to the onslaught of SPAM that hits you every single day. A quick poll says that my SPAM server (Postini) blocked over 200 emails addressed to me today, and over the last sixty minutes there has been more SPAM than legitimate emails for all of my users. This isn’t surprising. We’ve all been victim to the, “Didn’t you get my email?” question countered by, “Just found it in my SPAM folder.”
Postini is fantastic. Its interface isn’t great (Google has done NOTHING with it), support is spotty, and frankly there are features that should be included like the ability to filter out anything that isn’t in a language you are literate in, but it has saved me tons of trouble by keeping unwanted emails out of my email box. But even Postini, like many other SPAM services, can be tricked. This morning I got an onslaught of strange payroll messages in my inbox. One thing I find is that when the bots figure out how to fool a SPAM system, they do it in volume. I received one, then three, then a total of ten messages within two hours. That alone should be a hint that it is SPAM. Of course, it is linking to compromised WordPress installations where I’m supposed to “verify” the transfer, or “review” my account.
It made me think, can we trust email at ALL anymore? We’ve always had to have a LITTLE bit of distrust of email, but with massively successful spear-phishing attacks combined with quite realistic general phishing emails (stupid fraudsters found spell check…), will this be the ultimate nail in the coffin? Do we start only accepting emails from people we know, and only after we run them through a barrage of checks to ensure they are somewhat safe? I feel like I am repeating a message that comes out with every email virus, and was a huge debate back in the late 90s. In fact, I feel like we’re back to “input validation” as the root of all technological evils (buffer overflows, XSS, SQL Injection, and the list goes on…), but in this case, we need input validation routines installed in our brains. We all have a number of tricks we use to try to keep ourselves safe, yet without fail, someone we know (and sometimes it’s us) falls victim to a very creative scam.
What kinds of tricks do you folks use? What works well? What doesn’t? Drop your ideas in the comments below!