Using DMARC For More Than Spoofing and Phishing

By now you’ve probably heard me talk about DMARC more than once here on EmailKarma.  You’ve maybe even seen one of the many reports I’ve written about it for 250ok, like this latest one ‘Multi-Industry DMARC Adoption 2018‘. But what if I also told you DMARC is more than just a tool for finding out if your brand is being phished or spoofed, or your authentication is broken?

DMARC can also be used to audit your brand's sending inventory, especially if you have internal infrastructure that is not under your IT department's control. Understanding whether there are abandoned automation tools still running, or staff operating outside of your standard marketing channels, is critical to truly understanding your sending practices. DMARC also helps with email delivery, reputation and the overall marketing performance of your email messaging.

DMARC reporting can also be used as a way to validate and audit your own mailings for compliance with anti-spam laws like Canada's Anti-Spam Law (CASL) and the GDPR. Knowing where all of your email originates is a great starting point for ensuring that all of your templates have been upgraded to include the proper postal address, contact information and a functional unsubscribe link.

See the example below from a recent event:

Turn on DMARC to see who really sends mail on your behalf. One client of @inboxpros thought they were using 3 ESPs, the DMARC reports showed that there were 18 ESPs sending for them. #foe2018 — Mike Hillyer (@MikeHillyer) August 7, 2018

Part of your compliance effort depends on documenting your legitimate behaviours and being able to distinguish them from illegitimate activities being carried on in your brand's name. By implementing DMARC, reviewing and updating your authentication, segmenting your mail streams by subdomain and monitoring the resulting activity, you can stay ahead of compliance requirements. This is also a great way for compliance teams to understand the legitimate mailing patterns of a business and proactively look for traffic that is abnormal or out of the ordinary.
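As an added example (not code from the original post), here is how the inventory audit described above can be done from a DMARC aggregate (RUA) report: it parses the RFC 7489 XML format, tallies volume and aligned SPF/DKIM passes per source IP, and lists any source that is either not on the team's declared ESP list or never passes aligned authentication. The report, IPs, domains and `KNOWN_ESP_IPS` are all constructed placeholders.

```python
"""Turn a DMARC aggregate (RUA) report into a sending-source inventory.

SAMPLE_REPORT is a constructed RFC 7489-style report; every IP, domain
and count in it is made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>brand.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>oldtool.internal</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

# Sending IPs the marketing team believes it uses (constructed placeholder).
KNOWN_ESP_IPS = {"198.51.100.10"}

def inventory(report_xml):
    """Aggregate per source IP: volume, aligned pass counts, auth domains."""
    inv = defaultdict(lambda: {"count": 0, "dkim_pass": 0, "spf_pass": 0, "auth_domains": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        e = inv[rec.findtext("row/source_ip")]
        n = int(rec.findtext("row/count", "0"))
        e["count"] += n
        # policy_evaluated holds the aligned DKIM/SPF verdicts that DMARC acts on
        if rec.findtext("row/policy_evaluated/dkim") == "pass": e["dkim_pass"] += n
        if rec.findtext("row/policy_evaluated/spf") == "pass": e["spf_pass"] += n
        e["auth_domains"].update(d.text for d in rec.findall("auth_results/*/domain"))
    return dict(inv)

def review_list(inv, known_ips):
    """IPs that are either undeclared or never pass aligned auth: the
    abandoned tools, rogue senders and spoofers the post talks about."""
    return sorted(ip for ip, e in inv.items()
                  if ip not in known_ips or (e["dkim_pass"] == 0 and e["spf_pass"] == 0))
```

In the sample, 203.0.113.7 passes raw SPF for oldtool.internal but fails aligned SPF and DKIM for brand.example, which is exactly the pattern an abandoned internal tool or an unsanctioned sender leaves in the reports.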

Disconnecting third party apps from your Gmail account

Over the last week there has been a lot of noise about Gmail and third parties reading your email. A ton of articles discussing this issue can now be found, including pieces from Slate, Mediapost (twice), Newsweek, The Registrar and the site that broke the news, the Wall Street Journal (paywall). The list goes on and on from there.

There are also a number of people searching for ways to unsubscribe from or 'disconnect' these types of services from their mailboxes. Two of the products most frequently noted in these articles are Boxbe and Unsubscriber; the following tutorial will show you how to disconnect these services from your Gmail account.

After logging into your Gmail, find the 'Google Account' option in the top right corner. This will look like your initial, or possibly a picture you have associated with your account.

This will direct you to your Google account management tools. From here you can do a number of things, like change your password, enable two-factor authentication (highly recommended) or look at the list of 'Apps with Account Access' (click this).

At this point you’ll see a list of services that have access to your account or parts of your account. Click on “Manage your Account” to proceed to the next step.

Now you will see a little more detail on what type of access these services have with relation to your Google Account. Click on the name of the service you want to review.

You should now have an expanded window in front of you showing what the service accesses, where the service's home page is and what it has been given access to. To stop allowing access for this service, click the "REMOVE ACCESS" button. You may need to repeat the above steps for each service you want to disable.

After clicking remove you’ll get asked to confirm your desire to remove access to your account for each of the services.

And then you're all done. You've successfully disconnected these services from accessing your inbox. Note that this will also stop the service from functioning for you, so if you're dependent on the functionality of a service, take a few minutes to weigh the privacy implications of remaining connected to it.

Email in times of emergency

On the July 4th holiday I sat at home watching my friend live-stream the fires in Colorado that were rapidly approaching her house. She was waiting to find out if they would have to evacuate as the fires climbed the hills near her house, and head to a safer location for her and her family. They were lucky: everything is fine with their neighbourhood and they are home now.

This got me thinking about email and how it can help or hurt a brand when disaster strikes. Are you able to adjust your marketing plan to deal with it? Do you even have a plan in place?

Well, there is nothing more embarrassing than having your company name dragged through the mud on social media for being oblivious to those in need. Aweber shared some horror stories just like this from messages sent during Hurricane Sandy.

Do residents in the impacted area need to know about your local sales today, or should they be looking for shelter and information on where they can go to find safety? If you are using the current disaster for a catchy subject line or as a driver for your latest promotion tag line, you should probably stop and think again. More importantly, consider whether your subject line with a clever pun about the rain, wind, fire, smoke, etc. is truly in good taste, and whether the people receiving these messages will think it's as funny as you or your team do.

Other subscribers might be looking for ways to help, and your organization might be in a position to offer just that: organizing drop-off centres at your retail locations or business offices, donation matching, or simply suppressing your regularly scheduled mailings for a period of time when people are not going to be focusing on them. What about when they are able to return home and the dangers have passed? Some people may have lost everything. How is your organization ready to help these individuals reclaim what they may have lost?

For example, in this email from AARP they offer their members a way to donate money, matched by their supporting partner, the Miami Dolphins, to help get people back on their feet.

[Image: AARP disaster email example]

Having a response plan in place will help you decide on the proper course of action for your individual business.

Here are a few tips to consider:

  • Monitor the media for disasters, and identify subscribers in the impacted areas. Use store-level data or information available from your local postal service (e.g. the USPS).
  • Build a plan to message these individuals separately, even if that means suppressing them for a period of time. This includes email communications, automated posts and social sharing.
  • Communicate with your customers in impacted areas and consider options such as holding shipping packages until after the dangers have passed, offering alternative shipping locations that customers can easily access, or discounts on out-of-town services where they can reach safety in times of evacuation.
  • Consider your social response to these disasters and whether there is an opportunity for your business to make a difference.
  • Engage your action team to build the proper messaging and look for support opportunities.

It might take a little bit of work and effort, but being compassionate in times of disaster will make your brand a disaster hero and not the disaster zero.

Malicious advertising catches two businesses under CASL

On July 11, 2018 the Canadian Radio-television and Telecommunications Commission (CRTC) issued a notice and summary of its most recent actions under CASL. The allegations against Datablocks Inc. and Sunlight Media Inc. focus on violations committed under sections 8 and 9 of the act.

According to the summary written about this case, the Angler malware was distributed via the Datablocks Real-Time Bidding (RTB) solution and the Sunlight Media ad network. What makes Angler dangerous is that it acts as a backdoor to install further malware on an already infected computer, such as CryptoLocker (ransomware), key-loggers that steal passwords or other sensitive information, and other popular types of malware.

As a quick refresher, section 8 deals with the installation of computer programs on an individual's computer without their consent; in this case the allegations refer to malware served via an ad network being installed on a computer located in Canada. Section 9 deals with the concept of 'aiding and abetting' a violation of sections 6 through 8.

The companies allegedly violated Canada’s anti-spam law in the following ways:

  • Sunlight Media accepted unverified, anonymous clients who used their services to distribute malware.
  • Datablocks provided Sunlight Media’s clients with the necessary infrastructure and software to compete in real-time for the placement of their ads, which contained malware.
  • Neither Datablocks nor Sunlight had:
    • written contracts in place with their clients that would bind them to comply with Canada’s anti-spam law
    • monitoring measures in place governing how their clients use their service, or
    • written corporate compliance policies or procedures in place to ensure compliance with Canada’s anti-spam law.
  • After being alerted in 2015 to reports by cybersecurity researchers, and made aware in 2016 by the CRTC, neither company implemented basic safeguards, which are well known to the industry.

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC, had this to say: "As a result of Datablocks and Sunlight Media's failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians' online safety."

Datablocks and Sunlight Media are required to pay $100,000 and $150,000, respectively, in penalties, and have 30 days to either file formal written responses with the CRTC or pay the penalties set out in the notice.

Lessons from this finding include:

  • Your network is responsible for the actions that occur on it.
  • Failure to act on information warning you of a problem is potentially grounds for a finding of aiding in the illicit activity.
  • Failing to have a plan in place, and to follow it when you identify or are made aware of an ongoing violation, could result in a violation of your own.

Oath Migration update

On June 21st the Oath product team provided an update on the system migration and the current status of the new AOL, Yahoo and Verizon infrastructure. In this update they mentioned that all mail is now running through the new Oath infrastructure and that mailboxes for AOL users are now migrating to this common hosting.

The top things you should know include:

  • All mail sent to Oath mail brands (e.g. Y!, Verizon and AOL) is now handled by Oath MTAs. This also appears to cover partner brands like Rogers.com.
  • Subscribers get consistent treatment by Oath filters and rate limits.
  • DMARC reports now come from a single source (noreply _at_ dmarc.yahoo.com), covering all Oath and partner domains.
  • Migration of AOL mailboxes to the common Oath infrastructure is underway.
  • AOL FBL volume will decrease while Y! FBL volume will rise. Sign up your domains for the Y! FBL/CFL if you have not done so already (DKIM signing is required).
  • Support requests for AOL and Yahoo still go to their respective support sites; these will be merged into a single Oath support page in the future.

Changes at Oath are still under way; stay tuned for further updates.

Hat tip to @AnthonyChiulli for the inspiration to post this list.