Protecting Users from Fraud
my experience combating phishing and
fraud using DMARC…
and assorted other techniques
First Up, What do I know?
• Barry Jones
• Software Architect for ACS Technologies, Inc
• Previously
– Director of Application Development for a 14-year-old, high-end electronics resale marketplace
– Basically eBay for a niche market
Well, eBay if…
everything worked via
direct user email
Now imagine…
• That the entire thing gets rebuilt without any
of the previous security tools
• And users want features that are missing
• And phishers, fraudsters and spammers
capitalize on the chaos
• And you get hired to fix it
Good times
So what were the methods of attack?
Phishing
• Sending emails that appeared to be from us
– Using our domain
– Using variations of our domain
• Linking to a fake login page hosted on a free hosting provider
– Steal usernames and passwords
– Log in to the user’s account and change the contact info
before they can reset the password
• Launch these phishing sites at times when our staff was less
likely to be available to request takedowns (nights, weekends)
Western Union Scam
• Buy things in the marketplace…anything
• Send a bad check for more than the price (an “overpayment”)
• Discuss the “mistake” and have the seller deposit the check
and then wire the excess back via Western Union
• When the original check bounces, the seller is
still out the amount wired back
– And potentially the merchandise
Spam
• Bombarding users through the system
• Marketing sometimes
• Others trying to bait somebody into a
transaction
Fake Listings
• Putting up appealing items at steep discounts
• Paying for the listings with stolen credit cards
• The payment gateway charges a per-chargeback fee every time
a cardholder disputes a charge from a stolen card
• Users fall for the fake listings and get ripped off
And when you close an account
…they just make a new one
Users lose trust
So how do you combat it?
Multipart Process
• Secure YOUR domain’s email (SPF, DKIM and DMARC)
• Make phishing more obvious
• Identify compromised accounts
• Bring dialog within the site to identify spam
• Add more difficult user verification steps
• Identify potentially fraudulent credit cards
• Educate users
• Don’t let the bad guys know they’re caught
DMARC
Securing your domain’s email
Email Sender Verification
SPF
• Sender Policy Framework
• DNS TXT record
– Lists the hosts allowed to send mail for your domain
– Checked against the envelope sender (MAIL FROM) and the
HELO name, not the From: header the user actually sees
• Easy to implement
• Bus analogy
– Only allow buses from Tulsa
DKIM
• DomainKeys Identified Mail
• Public/private key pair: your mail server signs each
outgoing message with the private key
• DNS TXT record at <selector>._domainkey.<your domain>
publishes the public key
• DKIM-Signature header carries the signature (not an
encrypted key); receivers verify it against the DNS record
• More complicated: every system that sends as your domain
has to sign, so you must control where email originates
• Bus analogy
– Verify each person on the bus
came from Tulsa
DMARC
• Mail servers have no idea how strictly you’ve
implemented SPF or DKIM
– So they guess
• DMARC lets you remove the guesswork
– Declare what you’ve implemented
– A message passes only if SPF or DKIM passes AND the passing
domain aligns with the From: header the user sees
– You decide how failures are handled
• Flagged as spam (quarantine)
• Discarded completely (reject)
• Applied to only a percentage of failing mail (pct=) while
you roll out
– Get aggregate reports (rua=) on exactly what happened
– Can also ask for failure reports (ruf=) with copies of the
emails that failed, though many large receivers don’t send them
DMARC Reports
• Emailed as zip- or gzip-compressed XML,
typically one per receiving organization per day
• You can parse them if you want
but they’re easy enough to read
• When setting up, all you care about is verifying
YOUR email is passing checks: run with p=none until
every legitimate source passes, then tighten the policy
<?xml version="1.0"?>
<record>
  <row>
    <source_ip>207.126.144.129</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>stefanomail.com</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>stefanomail.com</domain>
      <result>pass</result>
      <human_result/>
    </dkim>
    <spf>
      <domain>stefanomail.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
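Parsing a report like the one above, as an added example that is not code from the original deck: the script wraps the deck’s single record in the <feedback> envelope that real aggregate reports carry, adds a second, constructed record from a source that fails both checks, and works out per source IP how much mail passed DMARC (an SPF or DKIM pass whose domain aligns with header_from). The receiver name, report id and the second source IP are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the deck's record plus a failing one, inside the
# <feedback> envelope that real aggregate reports use (RFC 7489 App. C).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>stefanomail.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>207.126.144.129</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated></row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <dkim><domain>stefanomail.com</domain><result>pass</result><human_result/></dkim>
      <spf><domain>stefanomail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated></row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _aligned_pass(record, method, header_from):
    """True if any <method> result passed for a domain aligned with header_from.
    Relaxed alignment really compares organizational domains (needs the
    Public Suffix List); treating a subdomain of header_from as aligned is
    the common case and good enough for triage."""
    for auth in record.findall(f"auth_results/{method}"):
        domain = (auth.findtext("domain") or "").lower()
        if auth.findtext("result") == "pass" and (
            domain == header_from or domain.endswith("." + header_from)
        ):
            return True
    return False


def parse_report(xml_text):
    """Return (published policy, list of per-record dicts)."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    rows = []
    for record in root.iter("record"):
        header_from = (record.findtext("identities/header_from") or "").lower()
        spf_ok = _aligned_pass(record, "spf", header_from)
        dkim_ok = _aligned_pass(record, "dkim", header_from)
        rows.append({
            "source_ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count") or 0),
            "header_from": header_from,
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,   # either aligned pass is enough
        })
    return policy, rows


def summarise(rows):
    """Messages per source IP split into DMARC pass/fail: the 'who is sending
    as us, and is it really us?' view you want while rolling out."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in rows:
        totals[row["source_ip"]]["pass" if row["dmarc_pass"] else "fail"] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    policy, rows = parse_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, counts in summarise(rows).items():
        print(f"{ip:16} pass={counts['pass']:4} fail={counts['fail']:4}")
```

The second record is the interesting one: SPF passed for bulk-sender.example, but that domain is not aligned with the From: the user sees, so DMARC fails. That is exactly what a forgotten third-party sender (or a spoofer) looks like in the reports, and it is why you run p=none until every such source has been signed or cut off.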
Sample DNS Records
• SPF (TXT; the separate SPF record type is deprecated, publish TXT)
– v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all
• DKIM (TXT at <selector>._domainkey.your_domain.com)
– v=DKIM1; k=rsa; p=MIGfMA0<BASE64 PUBLIC KEY>aBc3
• DMARC (TXT at _dmarc.your_domain.com)
– v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com
– Start at p=none, move to quarantine, then reject once the
reports show only mail that isn’t yours failing
Getting Setup
• SPF
– DNS record listing every service that sends as your domain
• DKIM
– Every service that sends as your domain must sign with DKIM
• Gmail, Sendgrid, Postmark, Mailgun, etc
– Will give you the selector record to publish in your DNS
• DMARC
– DNS record
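Before publishing, it is worth linting the record strings for the mistakes that bite in practice. The checker below is an added example, not code from the deck; it works on the TXT values offline (resolving the live records is left to the caller) and runs over the deck’s two sample records plus two weak ones constructed for contrast. The SPF lookup limit and the deprecated ptr mechanism come from RFC 7208.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup during evaluation; RFC 7208 caps them at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term):
    """'include:spf.mtasv.net' -> 'include', 'mx/24' -> 'mx', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record):
    """Return a list of problems with an SPF TXT value; an empty list means it is sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    names = [_mechanism_name(t) for t in terms[1:]]
    lookups = sum(n in LOOKUP_MECHANISMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, RFC 7208 allows 10 (permerror)")
    if "ptr" in names:
        problems.append("ptr mechanism is deprecated and slow; replace with ip4/ip6")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        problems.append("ends with +all: anyone may send as this domain")
    elif last == "?all":
        problems.append("ends with ?all: neutral, failures carry no weight")
    elif last not in ("-all", "~all") and _mechanism_name(last) != "redirect":
        problems.append("no terminal -all/~all; unlisted senders get a neutral result")
    return problems


def parse_dmarc(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Problems with a DMARC TXT value; empty list means it enforces and reports back."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record must begin with v=DMARC1"]
    tags = parse_dmarc(record)
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy == "none":
        problems.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        problems.append(f"unknown policy p={policy}")
    if "rua" not in tags:
        problems.append("no rua= address: you will never see the aggregate reports")
    elif not all(uri.strip().startswith("mailto:") for uri in tags["rua"].split(",")):
        problems.append("rua= entries must be mailto: URIs")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct={pct} is not a number from 0 to 100")
    elif int(pct) < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return problems


if __name__ == "__main__":
    for rec in ("v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all",
                "v=spf1 +all",
                "v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com",
                "v=DMARC1; p=none; pct=50"):
        lint = lint_spf if rec.lower().startswith("v=spf1") else lint_dmarc
        print(rec, "->", lint(rec) or "OK")
```

The p=none and pct findings are warnings rather than errors while you are rolling out; the point of the lint is that nobody forgets to finish the rollout, and that a record ending in +all never ships.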
Resources
DMARC
Understanding DMARC
https://support.google.com/a/answer/2466580?hl=en
DMARC Analyzer
https://www.dmarcanalyzer.com/
Kitterman SPF Testing Tools
http://www.kitterman.com/spf/validate.html
dmarcian
https://dmarcian.com/
Port25
check-auth@verifier.port25.com
==========================================
Summary of Results
==========================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
==========================================
Details:
==========================================
HELO hostname: mail-yh0-x229.google.com
Source IP: 2607:f8b0:4002:c01::229
mail-from: john@example.com
Combined that will ensure…
• Real email
– Gets through
• Phishing email that spoofs your domain
– Doesn’t, at receivers that enforce DMARC (the big webmail providers do)
But…there’s more
• Spoof other domains that don’t have SPF/DMARC
• Spelling variations of your domain
• Shuffling interior letters
But…at least this is easier
for users to identify
To stop that you can…
• Notify the owners of those domains
– Have them set up SPF and DMARC
• Contact registrars regarding the activity
• Purchase the look-alike domains and publish an SPF record of
v=spf1 -all plus a DMARC record with p=reject
– declares that no email is ever sent from the domain, so
receivers can drop anything claiming to be
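To know which domains to watch or buy you need the list of plausible variants. The generator below is an added example, not code from the deck: it produces single-edit look-alikes of a brand domain (interior transpositions as in the slide, dropped and doubled letters, look-alike character swaps such as rn for m, and TLD swaps) and flags inbound From: domains that land in that set. The brand domain gearmarket.com and the candidate domains are constructed; the homoglyph table is illustrative, not exhaustive.

```python
# Character swaps that look alike in common fonts; the table is illustrative.
HOMOGLYPHS = {"m": ("rn", "nn"), "rn": ("m",), "l": ("1", "i"), "i": ("l", "1"),
              "o": ("0",), "0": ("o",), "w": ("vv",), "vv": ("w",), "e": ("3",), "a": ("4",)}
TLDS = ("com", "net", "org", "co", "info", "biz")


def transpositions(label):
    """Swap adjacent interior letters ('market' -> 'makret'); first and last
    stay put because those are the letters the eye actually checks."""
    out = set()
    for i in range(1, len(label) - 2):
        chars = list(label)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        out.add("".join(chars))
    return out


def omissions(label):
    """Drop one character ('market' -> 'maket')."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Double one character ('market' -> 'markket')."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def homoglyphs(label):
    """Replace one occurrence of a look-alike sequence ('market' -> 'rnarket')."""
    out = set()
    for src, subs in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(src):])
            start = label.find(src, start + 1)
    return out


def lookalikes(domain):
    """All single-edit look-alikes of a second-level domain such as 'brand.com'."""
    label, _, tld = domain.lower().partition(".")
    labels = transpositions(label) | omissions(label) | repetitions(label) | homoglyphs(label)
    labels.discard(label)
    candidates = {f"{variant}.{tld}" for variant in labels}
    candidates |= {f"{label}.{other}" for other in TLDS if other != tld}
    return candidates


def flag_from_domains(brand, from_domains):
    """Map each header-From domain to True if it is a look-alike of brand."""
    table = lookalikes(brand)
    return {d: d.lower() in table for d in from_domains}


if __name__ == "__main__":
    brand = "gearmarket.com"      # hypothetical marketplace domain
    print(len(lookalikes(brand)), "candidates, e.g.", sorted(lookalikes(brand))[:8])
    print(flag_from_domains(brand, ["gearmarket.com", "gearrnarket.com", "gear-market.com"]))
```

The same list is what you feed to a registrar search when deciding which domains are cheap enough to buy and park with v=spf1 -all, and to your inbound mail filter to flag messages whose From: is one edit away from you.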
Take down the endpoint
• Phishing emails inevitably link back to a site
– Take down the site, you eliminate the risk
• Contact a host abuse team to notify them
– Response times will vary by company
• Have users report the site to
– Google
– Microsoft
– PhishTank (OpenDNS)
– McAfee
– US Government
• Doesn’t hurt to use a honeypot either
– Submit a fake username and password on the phishing page
– Watch for those fake credentials on your own login form: whoever
tries them is the phisher working through his stolen list
Identify users who fell for it
• Track login history by IP address
– Record geolocation of IP
• Nginx GeoIP
• Maxmind database/services
• Cloudflare
– Flag logins by distance from the user’s normal center point
• Lock the account
• Notify the user where the login came from
• Give them a link to unlock it
– and to disable the check if they’re travelling
• If it wasn’t them, tell them they need to change their password
• Users respond well to this, makes them feel safer because
you’re looking out for them
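The two login-time checks from the honeypot and geolocation slides, as one added example that is not code from the deck: a canary-credential check that catches the phisher replaying what we typed into his page, and a distance check against the centroid of the user’s past login locations. The planted credentials, the IP addresses and the IP-to-coordinate table are constructed stand-ins; in production the coordinates come from a GeoIP database such as MaxMind.

```python
import hmac
import math

# Credentials we typed into the phisher's fake login page. Hypothetical values;
# they belong to no real account, so any use of them is the phisher.
CANARY_CREDENTIALS = {"j.doe.1983": "Tr0ub4dor&3"}

# Constructed stand-in for a GeoIP lookup (MaxMind, nginx GeoIP, Cloudflare headers).
GEOIP = {
    "203.0.113.10": (34.19, -79.77),   # Florence, SC
    "203.0.113.11": (34.00, -81.03),   # Columbia, SC
    "198.51.100.7": (50.45, 30.52),    # Kyiv
}


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def center_point(points):
    """Mean of past login coordinates; fine for users who log in from one region."""
    return (sum(p[0] for p in points) / len(points), sum(p[1] for p in points) / len(points))


def is_canary(username, password):
    """Credentials that only ever existed on the phishing page."""
    planted = CANARY_CREDENTIALS.get(username)
    return planted is not None and hmac.compare_digest(planted.encode(), password.encode())


def evaluate_login(username, password, ip, history, travelling=False, max_km=500):
    """Decide what to do with a login attempt.

    history: IPs of the user's previous successful logins.
    Returns 'phisher' (alert: this IP is replaying the stolen list),
    'lock' (lock the account, mail the user where the login came from
    plus an unlock link and a 'change your password' nudge) or 'allow'.
    max_km is an assumed threshold; tune it from your own login data.
    """
    if is_canary(username, password):
        return "phisher"
    if travelling or ip not in GEOIP:
        return "allow"                       # user opted out, or no geo data to judge
    past = [GEOIP[h] for h in history if h in GEOIP]
    if not past:
        return "allow"                       # first login we can place; nothing to compare
    distance = haversine_km(center_point(past), GEOIP[ip])
    return "lock" if distance > max_km else "allow"


if __name__ == "__main__":
    print(evaluate_login("j.doe.1983", "Tr0ub4dor&3", "198.51.100.7", []))
    print(evaluate_login("alice", "correct-horse", "198.51.100.7",
                         ["203.0.113.10", "203.0.113.11"]))
```

The canary check runs before password verification because the canary accounts do not exist; a hit is pure signal and the source IP goes straight into the abuse report for the host and the phisher’s other accounts. A mean of latitude/longitude is a crude centroid (it misbehaves across the antimeridian), but for a marketplace whose users log in from home it is enough to separate “drove to the next city” from “different continent”.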
Track email changes
• Maintain an entire email change history per
account
• Notify users when their email address was
changed and provide a link to reverse the change
• If a user reverses a change
– Invalidate the reversal links for every change made AFTER that one
• but not before, so the link for the original change always works
– Otherwise a hacker will change the email multiple times and
keep reversing it back
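The reversal rule is easy to get wrong, so here it is as an added example that is not code from the deck: each change mails the old address a link, a revert kills the links of every later change (so the attacker’s own links die) but leaves earlier ones alone, and the revert itself gets no link of its own. Mail sending is stubbed by an outbox list, the addresses are constructed, and storing only a hash of each token is my choice so a database dump does not yield working links.

```python
import hashlib
import hmac
import secrets


def _digest(token):
    """Store only a hash of the token so a leaked database does not leak working links."""
    return hashlib.sha256(token.encode()).hexdigest()


class Account:
    """An account's email address plus its full change history."""

    def __init__(self, email):
        self.email = email
        self.history = []   # dicts: old, new, token_hash, reversible
        self.outbox = []    # (to, message) pairs; stands in for the mail sender

    def change_email(self, new_email):
        """Record the change and mail the OLD address a reversal link.
        The token is returned only so the example can exercise the link."""
        token = secrets.token_urlsafe(32)
        self.history.append({"old": self.email, "new": new_email,
                             "token_hash": _digest(token), "reversible": True})
        self.outbox.append((self.email,
                            f"Your email was changed to {new_email}. Undo: /revert?t={token}"))
        self.email = new_email
        return token

    def revert(self, token):
        """Undo the change the token belongs to; True on success.
        Every change made AFTER that one loses its link, so an attacker who
        changed the address several times cannot undo the owner's revert.
        Earlier links stay valid, so the link for the original change always works."""
        digest = _digest(token)
        for index, entry in enumerate(self.history):
            if entry["reversible"] and hmac.compare_digest(entry["token_hash"], digest):
                break
        else:
            return False
        for later in self.history[index + 1:]:
            later["reversible"] = False
        entry["reversible"] = False          # each link works once
        # The revert is logged but gets no link of its own: reverts are not reversible by mail.
        self.history.append({"old": self.email, "new": entry["old"],
                             "token_hash": None, "reversible": False})
        self.email = entry["old"]
        return True


if __name__ == "__main__":
    acct = Account("owner@example.com")      # constructed addresses
    t1 = acct.change_email("mule1@example.net")
    acct.change_email("mule2@example.net")
    print("after attacker:", acct.email)
    print("owner reverts:", acct.revert(t1), acct.email)
    for to, msg in acct.outbox:
        print("mail to", to, "->", msg)
```

Pair this with an expiry on the links and a forced password change on revert: the attacker still knows the password, and the only reason the ping-pong stops is that his links are dead and the owner’s are not.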
Verify Users
• Trust scores for completed transactions
– Aka – user ratings
• Let new users verify themselves other ways
– Text verification
• Can be prone to fraud
• Still harder to fake than email
– Phone verification
• APIs can identify TYPE of phone
– Land line, cell, disposable cell, pay phone
– Credit Card verification
• Run a transaction
• Use MaxMind minFraud service to flag risky cards
• Consider verification steps in a trust formula
– Degrade strictness based on activity and trust scores
– Don’t hassle your good users
Bring Communication In House
• Internal user message / dialog systems
• Track targets and actions of flagged accounts
• Identify patterns of bad behavior
• Automate flagging based on those patterns
Use CAPTCHA
• When users try to send a lot of messages
– Define “a lot” by trust scores
• Look for near identical messages
– Levenshtein Distance Algorithm
• Excellent for calculating string similarity
• Adjust similarity thresholds by trust scores
– Review stopped messages automatically
• Typically spammers keep sending
• The ones that didn’t are probably fine to deliver so a catch
and release policy for “probably not spam” is a good idea
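The near-duplicate check with trust-adjusted thresholds, plus the catch-and-release review, as an added example that is not code from the deck. It carries a rolling-row Levenshtein implementation, normalises the distance to a 0..1 similarity, scales both the message limit and the similarity threshold by a 0..1 trust score, and later releases held messages from senders who stopped sending. The trust scale, the numeric thresholds and the sample messages are assumptions, not the deck’s values.

```python
def levenshtein(a, b):
    """Edit distance with a single rolling row: O(len(a)*len(b)) time, O(len(b)) space."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete
                           cur[j - 1] + 1,               # insert
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 = identical, 0.0 = nothing shared; distance normalised by the longer string."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def normalise(text):
    """Case-fold and collapse whitespace so trivial edits do not dodge the check."""
    return " ".join(text.lower().split())


def message_limit(trust):
    """Messages per hour before a CAPTCHA is demanded: 5 for a brand-new user,
    100 for a fully trusted one (assumed numbers, not the deck's)."""
    return 5 + int(95 * trust)


def similarity_threshold(trust):
    """How alike two messages must be to count as copies: a new user is held at
    60% similarity, a trusted one only at 95% (assumed numbers)."""
    return 0.6 + 0.35 * trust


def should_challenge(user, outgoing, recent, copies_needed=3):
    """(challenge?, reason) for a message a user is about to send.

    user: {'trust': 0..1, 'sent_last_hour': int}; recent: that user's recent
    messages to other people. Three near-copies look like a campaign."""
    if user["sent_last_hour"] >= message_limit(user["trust"]):
        return True, "rate"
    threshold = similarity_threshold(user["trust"])
    outgoing_n = normalise(outgoing)
    copies = sum(similarity(outgoing_n, normalise(m)) >= threshold for m in recent)
    if copies >= copies_needed:
        return True, "duplicate"
    return False, ""


def catch_and_release(held, sent_after_hold, keep_sending=10):
    """Review held messages later: senders who kept blasting after the hold are
    spam; the ones who stopped probably were not, so their message goes out."""
    decision = {"deliver": [], "spam": []}
    for sender, message in held:
        bucket = "spam" if sent_after_hold.get(sender, 0) >= keep_sending else "deliver"
        decision[bucket].append((sender, message))
    return decision


# Constructed messages from one new account, the kind a fraudster blasts to many sellers.
RECENT = [
    "Great deal on a Nikon D800, contact me at deals@example.net",
    "Great deal on a Nikon D810, contact me at deals@example.net",
    "GREAT deal on a Nikon D800,  contact me at  deals@example.net",
]

if __name__ == "__main__":
    newbie = {"trust": 0.1, "sent_last_hour": 2}
    print(should_challenge(newbie, "Great deal on a Nikon D750, contact me at deals@example.net", RECENT))
    print(should_challenge(newbie, "Is the lens included?", RECENT))
    print(catch_and_release([("u1", "buy now"), ("u2", "still available?")], {"u1": 40}))
```

Levenshtein is quadratic in message length, so cap the compared length (the first few hundred characters carry the pitch) and only compare against that sender’s own recent messages, not the whole site’s.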
Fark that guy
This is important
Fark’s Banning System
• You’re banned…
– But you don’t KNOW you’re banned
– So you keep posting like an idiot
• And nobody else can see it…
This is important and works
• When you catch a spamming account
• Banning it will just result in a NEW account
– So don’t let them know
– Let them keep manually filling out CAPTCHA
• For hours…
– And hours and hours and hours
– Daily
– Keep a dashboard of time wasted for your own amusement
• Then every couple of weeks, ban them so they think
you “caught” them
Educate your users
Establish clear, simple guidelines of things you won’t ask for
Send emails with hashed links
• Emails carry a single-use link that logs the user in without the login form
• Gets users used to NOT entering their login
– If clicking links in emails from your site never results in
seeing a login screen, getting a login screen will
seem strange
• A phishing email can’t produce a link that logs the user in,
so the phisher’s fake login page becomes the tell
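The single-use link mechanism, as an added example that is not code from the deck: the link carries only a random token; the server keeps a hash of it with the user id and an expiry, and redeeming removes the record so the link works at most once. The storage is an in-memory dict standing in for a database table, the base URL and user id are hypothetical, and the 15-minute lifetime is an assumption.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60
# token_hash -> {"user": id, "expires": unix time}. In-memory stand-in for a
# database table; only the hash is stored so a dump does not yield live links.
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_link(user_id, base_url="https://site.example/login", now=None):
    """Create a single-use login URL for user_id, valid for TTL_SECONDS."""
    issued = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits, unguessable
    _pending[_digest(token)] = {"user": user_id, "expires": issued + TTL_SECONDS}
    return f"{base_url}?t={token}"


def redeem(token, now=None):
    """Return the user id if the token is valid and unused, else None.
    The record is removed on any attempt, so the link works at most once."""
    attempt = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)
    if record is None or attempt > record["expires"]:
        return None
    return record["user"]


if __name__ == "__main__":
    url = issue_login_link("user-42")   # hypothetical user id
    token = url.split("t=", 1)[1]
    print(url)
    print("first use :", redeem(token))
    print("second use:", redeem(token))
```

Two practical points: mail-security scanners and link previewers fetch URLs in mail, so land the user on a page with a “Continue” button that POSTs the token rather than logging in on the GET, or the scanner burns the link before the user sees it; and a login link makes the mailbox the master key, which is one more reason the deck ends on 2-factor authentication for anything sensitive.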
Evercookie
• A cookie that re-creates itself from many browser storage locations,
so it is very hard to delete
– Tie it to logins so you can trace multiple accounts and IPs
back to a single computer
– https://github.com/samyk/evercookie
– http://samy.pl/evercookie/
– Caveat: current browsers block most of its storage tricks and
privacy law may restrict this kind of tracking, so treat it as
one signal, not proof
• MaxMind’s IP service identifies Tor exit nodes and proxies with great
success
– Don’t let people do important things from an anonymous
connection
– https://www.maxmind.com/en/geoip2-services-and-databases
• Also track with ETag / If-None-Match headers
– Every ad-system tracking trick out there works for tracking fraud
– http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
And of course…
2 Factor Authentication
Thanks!
Ad

More Related Content

What's hot (18)

Infographic: How to Prevent Email Fraud with DMARC
Infographic: How to Prevent Email Fraud with DMARCInfographic: How to Prevent Email Fraud with DMARC
Infographic: How to Prevent Email Fraud with DMARC
Return Path
 
DMARC and mailing list
DMARC and mailing listDMARC and mailing list
DMARC and mailing list
APNIC
 
DMARC Implementation across all domains
DMARC Implementation across all domainsDMARC Implementation across all domains
DMARC Implementation across all domains
CTM360
 
DMARC360 Guide
DMARC360 GuideDMARC360 Guide
DMARC360 Guide
DMARC360
 
What is DMARC?
What is DMARC?What is DMARC?
What is DMARC?
Godmarc
 
Technical Guide to Great Delivery
Technical Guide to Great DeliveryTechnical Guide to Great Delivery
Technical Guide to Great Delivery
Copernica BV
 
How to Block NDR Spam
How to Block NDR SpamHow to Block NDR Spam
How to Block NDR Spam
GFI Software
 
How to Keep Spam Off Your Network
How to Keep Spam Off Your NetworkHow to Keep Spam Off Your Network
How to Keep Spam Off Your Network
GFI Software
 
Spam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta BhattacharyaSpam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta Bhattacharya
sankhadeep
 
Article on DMARC
Article on DMARCArticle on DMARC
Article on DMARC
fatima javaid
 
What is SPAM?
What is SPAM?What is SPAM?
What is SPAM?
Yavuz Adabalı
 
E Mail & Spam Presentation
E Mail & Spam PresentationE Mail & Spam Presentation
E Mail & Spam Presentation
newsan2001
 
How an Enterprise SPAM Filter Works
How an Enterprise SPAM Filter Works How an Enterprise SPAM Filter Works
How an Enterprise SPAM Filter Works
Pinpointe On-Demand
 
Email basics
Email basicsEmail basics
Email basics
SeniorServices
 
Spamming
SpammingSpamming
Spamming
Yash Shrivastava
 
Messaging and Web Security
Messaging and Web SecurityMessaging and Web Security
Messaging and Web Security
GFI Software
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
The Path to the Inbox Part 2
The Path to the Inbox Part 2The Path to the Inbox Part 2
The Path to the Inbox Part 2
Infusionsoft
 
Infographic: How to Prevent Email Fraud with DMARC
Infographic: How to Prevent Email Fraud with DMARCInfographic: How to Prevent Email Fraud with DMARC
Infographic: How to Prevent Email Fraud with DMARC
Return Path
 
DMARC and mailing list
DMARC and mailing listDMARC and mailing list
DMARC and mailing list
APNIC
 
DMARC Implementation across all domains
DMARC Implementation across all domainsDMARC Implementation across all domains
DMARC Implementation across all domains
CTM360
 
DMARC360 Guide
DMARC360 GuideDMARC360 Guide
DMARC360 Guide
DMARC360
 
What is DMARC?
What is DMARC?What is DMARC?
What is DMARC?
Godmarc
 
Technical Guide to Great Delivery
Technical Guide to Great DeliveryTechnical Guide to Great Delivery
Technical Guide to Great Delivery
Copernica BV
 
How to Block NDR Spam
How to Block NDR SpamHow to Block NDR Spam
How to Block NDR Spam
GFI Software
 
How to Keep Spam Off Your Network
How to Keep Spam Off Your NetworkHow to Keep Spam Off Your Network
How to Keep Spam Off Your Network
GFI Software
 
Spam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta BhattacharyaSpam and Anti-spam - Sudipta Bhattacharya
Spam and Anti-spam - Sudipta Bhattacharya
sankhadeep
 
E Mail & Spam Presentation
E Mail & Spam PresentationE Mail & Spam Presentation
E Mail & Spam Presentation
newsan2001
 
How an Enterprise SPAM Filter Works
How an Enterprise SPAM Filter Works How an Enterprise SPAM Filter Works
How an Enterprise SPAM Filter Works
Pinpointe On-Demand
 
Messaging and Web Security
Messaging and Web SecurityMessaging and Web Security
Messaging and Web Security
GFI Software
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
The Path to the Inbox Part 2
The Path to the Inbox Part 2The Path to the Inbox Part 2
The Path to the Inbox Part 2
Infusionsoft
 

Similar to Protecting Users from Fraud (20)

Your Customers Need A Hero - Save Them From Internet Villains With DMARC
Your Customers Need A Hero - Save Them From Internet Villains With DMARCYour Customers Need A Hero - Save Them From Internet Villains With DMARC
Your Customers Need A Hero - Save Them From Internet Villains With DMARC
Stephen Mitchell
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
Web security ppt sniper corporation
Web security ppt   sniper corporationWeb security ppt   sniper corporation
Web security ppt sniper corporation
sharmaakash1881
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the Inbox
B2BCamp
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
"Being creative with data" 25th November - Neteffekt presentation
"Being creative with data" 25th November - Neteffekt presentation"Being creative with data" 25th November - Neteffekt presentation
"Being creative with data" 25th November - Neteffekt presentation
The_IPA
 
Improving email reliability
Improving email reliabilityImproving email reliability
Improving email reliability
Antti Siiskonen
 
Email_Account_Compromise_VB_2023_Final 2.pdf
Email_Account_Compromise_VB_2023_Final 2.pdfEmail_Account_Compromise_VB_2023_Final 2.pdf
Email_Account_Compromise_VB_2023_Final 2.pdf
Fahim392515
 
Don't Get Phished!
Don't Get Phished!Don't Get Phished!
Don't Get Phished!
Peter Schmidt
 
Atlanta Eloqua User Group - May 2016
Atlanta Eloqua User Group - May 2016Atlanta Eloqua User Group - May 2016
Atlanta Eloqua User Group - May 2016
Chris Arrendale
 
Deliverability
DeliverabilityDeliverability
Deliverability
HighRoad Solution
 
Data Migration Best Practices
Data Migration Best PracticesData Migration Best Practices
Data Migration Best Practices
Jennifer Soares
 
3 Best Practices for Email Marketing
3   Best Practices for Email Marketing3   Best Practices for Email Marketing
3 Best Practices for Email Marketing
Friday Explorer
 
Back to Basics - Email Deployments that Deliver
Back to Basics - Email Deployments that DeliverBack to Basics - Email Deployments that Deliver
Back to Basics - Email Deployments that Deliver
Pardot
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
Nishant Pahad
 
Think You Know Everything About Deliverability?
Think You Know Everything About Deliverability?Think You Know Everything About Deliverability?
Think You Know Everything About Deliverability?
SparkPost
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
Brian Pichman
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Brian Pichman
 
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
Affiliate Summit
 
Unit 5
Unit 5Unit 5
Unit 5
abhishek srivastav
 
Your Customers Need A Hero - Save Them From Internet Villains With DMARC
Your Customers Need A Hero - Save Them From Internet Villains With DMARCYour Customers Need A Hero - Save Them From Internet Villains With DMARC
Your Customers Need A Hero - Save Them From Internet Villains With DMARC
Stephen Mitchell
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
Web security ppt sniper corporation
Web security ppt   sniper corporationWeb security ppt   sniper corporation
Web security ppt sniper corporation
sharmaakash1881
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the Inbox
B2BCamp
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
"Being creative with data" 25th November - Neteffekt presentation
"Being creative with data" 25th November - Neteffekt presentation"Being creative with data" 25th November - Neteffekt presentation
"Being creative with data" 25th November - Neteffekt presentation
The_IPA
 
Improving email reliability
Improving email reliabilityImproving email reliability
Improving email reliability
Antti Siiskonen
 
Email_Account_Compromise_VB_2023_Final 2.pdf
Email_Account_Compromise_VB_2023_Final 2.pdfEmail_Account_Compromise_VB_2023_Final 2.pdf
Email_Account_Compromise_VB_2023_Final 2.pdf
Fahim392515
 
Atlanta Eloqua User Group - May 2016
Atlanta Eloqua User Group - May 2016Atlanta Eloqua User Group - May 2016
Atlanta Eloqua User Group - May 2016
Chris Arrendale
 
Data Migration Best Practices
Data Migration Best PracticesData Migration Best Practices
Data Migration Best Practices
Jennifer Soares
 
3 Best Practices for Email Marketing
3   Best Practices for Email Marketing3   Best Practices for Email Marketing
3 Best Practices for Email Marketing
Friday Explorer
 
Back to Basics - Email Deployments that Deliver
Back to Basics - Email Deployments that DeliverBack to Basics - Email Deployments that Deliver
Back to Basics - Email Deployments that Deliver
Pardot
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
Nishant Pahad
 
Think You Know Everything About Deliverability?
Think You Know Everything About Deliverability?Think You Know Everything About Deliverability?
Think You Know Everything About Deliverability?
SparkPost
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
Brian Pichman
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Brian Pichman
 
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
CAN-SPAM Compliance, Your Reputation and Deliverability What Affiliate Market...
Affiliate Summit
 
Ad

More from Barry Jones (14)

Repeating History...On Purpose...with Elixir
Repeating History...On Purpose...with ElixirRepeating History...On Purpose...with Elixir
Repeating History...On Purpose...with Elixir
Barry Jones
 
Go from a PHP Perspective
Go from a PHP PerspectiveGo from a PHP Perspective
Go from a PHP Perspective
Barry Jones
 
Day 9 - PostgreSQL Application Architecture
Day 9 - PostgreSQL Application ArchitectureDay 9 - PostgreSQL Application Architecture
Day 9 - PostgreSQL Application Architecture
Barry Jones
 
Day 8 - jRuby
Day 8 - jRubyDay 8 - jRuby
Day 8 - jRuby
Barry Jones
 
Day 7 - Make it Fast
Day 7 - Make it FastDay 7 - Make it Fast
Day 7 - Make it Fast
Barry Jones
 
Day 6 - PostGIS
Day 6 - PostGISDay 6 - PostGIS
Day 6 - PostGIS
Barry Jones
 
Day 4 - Models
Day 4 - ModelsDay 4 - Models
Day 4 - Models
Barry Jones
 
Day 2 - Intro to Rails
Day 2 - Intro to RailsDay 2 - Intro to Rails
Day 2 - Intro to Rails
Barry Jones
 
Day 1 - Intro to Ruby
Day 1 - Intro to RubyDay 1 - Intro to Ruby
Day 1 - Intro to Ruby
Barry Jones
 
AWS re:Invent 2013 Recap
AWS re:Invent 2013 RecapAWS re:Invent 2013 Recap
AWS re:Invent 2013 Recap
Barry Jones
 
Pair Programming - the lightning talk
Pair Programming - the lightning talkPair Programming - the lightning talk
Pair Programming - the lightning talk
Barry Jones
 
What's the "right" PHP Framework?
What's the "right" PHP Framework?What's the "right" PHP Framework?
What's the "right" PHP Framework?
Barry Jones
 
Exploring Ruby on Rails and PostgreSQL
Exploring Ruby on Rails and PostgreSQLExploring Ruby on Rails and PostgreSQL
Exploring Ruby on Rails and PostgreSQL
Barry Jones
 
PostgreSQL - It's kind've a nifty database
PostgreSQL - It's kind've a nifty databasePostgreSQL - It's kind've a nifty database
PostgreSQL - It's kind've a nifty database
Barry Jones
 
Repeating History...On Purpose...with Elixir
Repeating History...On Purpose...with ElixirRepeating History...On Purpose...with Elixir
Repeating History...On Purpose...with Elixir
Barry Jones
 
Go from a PHP Perspective
Go from a PHP PerspectiveGo from a PHP Perspective
Go from a PHP Perspective
Barry Jones
 
Day 9 - PostgreSQL Application Architecture
Day 9 - PostgreSQL Application ArchitectureDay 9 - PostgreSQL Application Architecture
Day 9 - PostgreSQL Application Architecture
Barry Jones
 
Day 7 - Make it Fast
Day 7 - Make it FastDay 7 - Make it Fast
Day 7 - Make it Fast
Barry Jones
 
Day 2 - Intro to Rails
Day 2 - Intro to RailsDay 2 - Intro to Rails
Day 2 - Intro to Rails
Barry Jones
 
Day 1 - Intro to Ruby
Day 1 - Intro to RubyDay 1 - Intro to Ruby
Day 1 - Intro to Ruby
Barry Jones
 
AWS re:Invent 2013 Recap
AWS re:Invent 2013 RecapAWS re:Invent 2013 Recap
AWS re:Invent 2013 Recap
Barry Jones
 
Pair Programming - the lightning talk
Pair Programming - the lightning talkPair Programming - the lightning talk
Pair Programming - the lightning talk
Barry Jones
 
What's the "right" PHP Framework?
What's the "right" PHP Framework?What's the "right" PHP Framework?
What's the "right" PHP Framework?
Barry Jones
 
Exploring Ruby on Rails and PostgreSQL
Exploring Ruby on Rails and PostgreSQLExploring Ruby on Rails and PostgreSQL
Exploring Ruby on Rails and PostgreSQL
Barry Jones
 
PostgreSQL - It's kind've a nifty database
PostgreSQL - It's kind've a nifty databasePostgreSQL - It's kind've a nifty database
PostgreSQL - It's kind've a nifty database
Barry Jones
 
Ad

Recently uploaded (19)

IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Protecting Users from Fraud

  • 12. Multipart Process
    • Secure YOUR domain’s email (with DMARC)
    • Make phishing more obvious
    • Identify compromised accounts
    • Bring dialog within the site to identify spam
    • Add more difficult user verification steps
    • Identify potentially fraudulent credit cards
    • Educate users
    • Don’t let the bad guys know they’re caught
  • 14. Email Sender Verification
    SPF
      • Sender Policy Framework
      • DNS record
        – Identify where your domain’s email comes from
      • Easy to implement
      • Bus analogy – Only allow buses from Tulsa
    DKIM
      • DomainKeys Identified Mail
      • Public/Private Key in an Email
      • DNS Record
      • Header with Encrypted Key
      • More complicated, must control where email originates
      • Bus analogy – Verify each person on the bus came from Tulsa
  • 15. DMARC
    • Mail servers have no idea how strictly you’ve implemented SPF or DKIM
      – So they guess
    • DMARC lets you remove the guesswork
      – Declare what you’ve implemented
      – You decide how failures are handled
        • Flagged as spam (quarantine)
        • Discarded completely
        • Only implemented on a percentage of failures
      – Get reports on exactly what happened
      – Even get copies of emails that failed
  • 16. DMARC Reports
    • Emailed zipped XML
    • You can parse them if you want but they’re easy enough to read
    • When setting up, all you care about is verifying YOUR email is passing checks

    <?xml version="1.0"?>
    <record>
      <row>
        <source_ip>207.126.144.129</source_ip>
        <count>1</count>
        <policy_evaluated>
          <disposition>none</disposition>
        </policy_evaluated>
      </row>
      <identities>
        <header_from>stefanomail.com</header_from>
      </identities>
      <auth_results>
        <dkim>
          <domain>stefanomail.com</domain>
          <result>pass</result>
          <human_result/>
        </dkim>
        <spf>
          <domain>stefanomail.com</domain>
          <result>pass</result>
        </spf>
      </auth_results>
    </record>
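An added example (not from the slides) of parsing an aggregate report of the shape shown above and pulling out the sources that used your domain without passing an aligned DKIM or SPF check. The report text is constructed: the slide’s record wrapped in the <feedback> root real reports use, plus an invented second record from 198.51.100.7.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report modelled on the record shown on the slide, wrapped
# in the <feedback> root real reports use, plus an invented second, failing record.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>207.126.144.129</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated></row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <dkim><domain>stefanomail.com</domain><result>pass</result></dkim>
      <spf><domain>stefanomail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition></policy_evaluated></row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <dkim><domain>stefanomail.com</domain><result>fail</result></dkim>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def _aligned(rec, kind, header_from):
    # A pass only counts for DMARC if the authenticated domain matches the header
    # From domain (strict alignment; relaxed mode also accepts its subdomains).
    el = rec.find("auth_results/" + kind)
    return (el is not None and el.findtext("result") == "pass"
            and el.findtext("domain", "").lower() == header_from)

def summarize_report(xml_text):
    """One dict per <record>, with alignment-aware DKIM and SPF results."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        hf = rec.findtext("identities/header_from", "").lower()
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim_aligned": _aligned(rec, "dkim", hf),
            "spf_aligned": _aligned(rec, "spf", hf),
        })
    return rows

def unauthenticated_sources(xml_text):
    """Records that used your domain but passed neither aligned check."""
    return [r for r in summarize_report(xml_text) if not (r["dkim_aligned"] or r["spf_aligned"])]
```

While you are still setting up, the sources this returns are the ones to investigate: either a legitimate sender you forgot to put in SPF or sign with DKIM, or someone spoofing you.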
  • 17. Sample DNS Records
    • SPF (TXT and/or SPF record type)
      – v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all
    • DKIM (TXT)
      – k=rsa; p=MIGfMA0<A HUGE HASH>aBc3
    • DMARC (TXT)
      – v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com
  • 18. Getting Set Up
    • SPF
      – DNS Record
    • DKIM
      – Email senders must include DKIM
        • Gmail, Sendgrid, Postmark, Mailgun, etc
          – Will provide the DNS record for you
    • DMARC
      – DNS Record
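An added example covering the sample records (slide 17) and the setup steps (slide 18); it is not code from the talk. It parses SPF and DMARC TXT values as strings (no DNS queries) and flags the settings that would leave the domain spoofable or unmonitored, using the records from the slide next to constructed weak counterparts. The lookup-count check is a simplification: it counts mechanisms rather than following includes.

```python
LOOKUP_MECHS = {"a", "mx", "include", "ptr", "exists", "redirect"}

def parse_spf(txt):
    """Split an SPF TXT record into its mechanisms, qualifiers included."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return parts[1:]

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def lint_records(spf_txt, dmarc_txt):
    """Return the settings that would leave the domain spoofable or unmonitored."""
    problems = []
    mechs = parse_spf(spf_txt)
    last = mechs[-1].lower() if mechs else ""
    qualifier = last[0] if (last and last[0] in "+-~?") else "+"   # SPF default is +
    if last.lstrip("+-~?") != "all":
        problems.append("SPF: no terminal all mechanism, unlisted hosts get neutral")
    elif qualifier in "+?":
        problems.append("SPF: '%sall' lets any host pass or go neutral" % qualifier)
    names = [m.lower().lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] for m in mechs]
    if sum(n in LOOKUP_MECHS for n in names) > 10:
        problems.append("SPF: over 10 DNS-lookup mechanisms, receivers return permerror")
    tags = parse_dmarc(dmarc_txt)
    if tags.get("p", "none") == "none":
        problems.append("DMARC: p=none only monitors, failing mail is still delivered")
    if "rua" not in tags:
        problems.append("DMARC: no rua= address, so no aggregate reports")
    if tags.get("pct", "100") != "100":
        problems.append("DMARC: pct<100 applies the policy to a sample of failures only")
    return problems

# Records from the slide (the rua mailbox is the slide's own placeholder).
SLIDE_SPF = "v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all"
SLIDE_DMARC = "v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com"
# Constructed weak counterparts for comparison.
WEAK_SPF = "v=spf1 a mx +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
```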
  • 19. Resources
    DMARC
      Understanding DMARC
        https://support.google.com/a/answer/2466580?hl=en
      DMARC Analyzer
        https://www.dmarcanalyzer.com/
      Kitterman SPF Testing Tools
        http://www.kitterman.com/spf/validate.html
      dmarcian
        https://dmarcian.com/
      Port25
        [email protected]

    ==========================================
    Summary of Results
    ==========================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham
    ==========================================
    Details:
    ==========================================
    HELO hostname:  mail-yh0-x229.google.com
    Source IP:      2607:f8b0:4002:c01::229
    mail-from:      [email protected]
  • 20. Combined that will ensure…
    • Real email
      – Gets through
    • Phishing email
      – Doesn’t
    But…there’s more
    • Fake other domains
    • Spelling variations
    • Shuffling interior letters
    But…at least this is easier for users to identify
  • 21. To stop that you can…
    • Notify the owners of those domains
      – Have them set up SPF and DMARC
    • Contact registrars regarding the activity
    • Purchase the domains and set up an empty SPF record
      – indicates no email is sent from the domain
  • 22. Take down the endpoint
    • Phishing emails inevitably link back to a site
      – Take down the site and you eliminate the risk
    • Contact the host’s abuse team to notify them
      – Response times will vary by company
    • Have the user report the site to
      – Google
      – Microsoft
      – PhishTank (OpenDNS)
      – McAfee
      – US Government
    • Doesn’t hurt to use a honeypot either
      – Try to log in with a fake user and password
      – Look for those fake credentials on login to spot the phisher using his list
  • 23. Identify users who fell for it
    • Track login history by IP address
      – Record geolocation of IP
        • Nginx GeoIP
        • Maxmind database/services
        • Cloudflare
      – Identify logins by distance from normal center point
    • Lock the account
    • Notify the user of where the login came from
    • Give them a link to unlock it
      – disable the check if they’re travelling
    • If not, tell them they need to change their password
    • Users respond well to this; it makes them feel safer because you’re looking out for them
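An added example of the distance check (not code from the talk): it computes a center point from the user’s past login locations and locks when a new login lands further away than a threshold. The geolocation step is assumed to have already happened (GeoIP gives you the latitude/longitude pairs); the login history and the two candidate logins are constructed, and the 500 km threshold and three-login minimum are assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def center_point(points):
    """Centroid of (lat, lon) pairs, averaged as 3-D unit vectors so a history
    that straddles the date line does not average to the wrong hemisphere."""
    x = y = z = 0.0
    for lat, lon in points:
        la, lo = math.radians(lat), math.radians(lon)
        x += math.cos(la) * math.cos(lo)
        y += math.cos(la) * math.sin(lo)
        z += math.sin(la)
    n = len(points)
    x, y, z = x / n, y / n, z / n
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))

def evaluate_login(history, new_point, max_km=500.0, min_history=3, check_enabled=True):
    """Decide whether a login's geolocation is far enough from the user's usual
    center point to lock the account and notify them. Returns (action, km),
    where action is "allow" or "lock". check_enabled=False models the user
    having switched the check off via the unlock link while travelling."""
    if not check_enabled or len(history) < min_history:
        return "allow", 0.0     # too little history to judge; don't hassle new users
    clat, clon = center_point(history)
    km = haversine_km(clat, clon, *new_point)
    return ("lock" if km > max_km else "allow"), km

# Constructed login history: a user who normally logs in from around Greenville, SC.
HISTORY = [(34.85, -82.40), (34.86, -82.38), (34.84, -82.41), (34.90, -82.35)]
NEAR = (35.2, -80.8)     # Charlotte, NC: within the normal range
FAR = (52.5, 13.4)       # Berlin: should lock the account and notify the user
```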
  • 24. Track email changes
    • Maintain an entire email change history per account
    • Notify users when their email address was changed and provide a link to reverse the change
    • If a user reverses the change
      – Invalidate all reversal links AFTER that email
        • but not before…so the original change is always valid
      – Otherwise a hacker will change the email multiple times and keep reversing it back
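An added example of the reversal rule (not code from the talk): each change issues a token that is mailed to the previous address, and reversing a change kills that link and every link issued after it, while earlier links stay valid so the original owner can always walk the address back. The Account and EmailChange classes are assumptions; a real application would persist the history and deliver the tokens by email.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class EmailChange:
    old_email: str
    new_email: str
    token: str          # one-time secret mailed to old_email inside the reverse link
    valid: bool = True

@dataclass
class Account:
    email: str
    history: list = field(default_factory=list)

    def change_email(self, new_email):
        """Record the change and issue a reversal token for the previous address."""
        change = EmailChange(self.email, new_email, secrets.token_urlsafe(16))
        self.history.append(change)
        self.email = new_email
        return change.token       # in practice: emailed to change.old_email

    def reverse(self, token):
        """Undo the change identified by token. The used link and every reversal
        link issued AFTER that change are invalidated; earlier ones stay valid
        so the legitimate owner can still walk the address all the way back."""
        for i, change in enumerate(self.history):
            if change.valid and secrets.compare_digest(change.token, token):
                self.email = change.old_email
                for later in self.history[i:]:
                    later.valid = False
                return True
        return False
```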
  • 25. Verify Users
    • Trust scores for completed transactions
      – Aka user ratings
    • Let new users verify themselves other ways
      – Text verification
        • Can be prone to fraud
        • Still harder to fake than email
      – Phone verification
        • APIs can identify TYPE of phone
          – Land line, cell, disposable cell, pay phone
      – Credit Card verification
        • Run a transaction
        • Use MaxMind minFraud service to flag risky cards
    • Consider verification steps in a trust formula
      – Degrade strictness based on activity and trust scores
      – Don’t hassle your good users
  • 26. Bring Communication In House
    • Internal user message / dialog systems
    • Track targets and actions of flagged accounts
    • Identify patterns of bad behavior
    • Automate flagging based on those patterns
  • 27. Use CAPTCHA
    • When users try to send a lot of messages
      – Define “a lot” by trust scores
    • Look for near identical messages
      – Levenshtein Distance Algorithm
        • Excellent for calculating string similarity
        • Adjust similarity thresholds by trust scores
      – Review stopped messages automatically
        • Typically spammers keep sending
        • The ones that didn’t are probably fine to deliver, so a catch and release policy for “probably not spam” is a good idea
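An added example of the near-duplicate check (not code from the talk): a Levenshtein distance turned into a similarity ratio, with the threshold chosen by the account’s trust score. The trust bands and thresholds are assumptions, and the sample messages are constructed.

```python
def levenshtein(a, b):
    """Edit distance using a single rolling row (memory is O(len(shorter)))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical strings, 0.0 for nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def threshold_for(trust):
    """How alike two outgoing messages may be before the sender gets a CAPTCHA.
    Low-trust accounts are held on loose matches; trusted users only on near copies."""
    if trust < 0.2:
        return 0.6
    if trust < 0.7:
        return 0.8
    return 0.95

def normalize(text):
    # Case and whitespace changes are the cheapest edits a spammer makes.
    return " ".join(text.lower().split())

def should_challenge(new_message, recent_messages, trust):
    """Return (challenge, best_similarity); challenge is True when new_message
    is a near copy of something this account already sent."""
    new = normalize(new_message)
    best = max((similarity(new, normalize(m)) for m in recent_messages), default=0.0)
    return best >= threshold_for(trust), best

# Constructed sample: an account blasting the same pitch with small edits.
RECENT = ["Hi, I have a great deal on a camera lens, email me at deal@example.test",
          "Hello there! I have a great deal on a camera lens, email me deal@example.test"]
NEW = "Hi!! I have a great deal on camera lens, email me at deal@example.test"
```

Messages the check stops go to the review queue the slide describes; the same similarity score tells you which held messages were one-offs and can be released.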
  • 28. Fark that guy
    This is important
  • 29. Fark’s Banning System
    • You’re banned…
      – But you don’t KNOW you’re banned
      – So you keep posting like an idiot
    • And nobody else can see it…
  • 30. This is important and works
    • When you catch a spamming account
    • Banning it will just result in a NEW account
      – So don’t let them know
      – Let them keep manually filling out CAPTCHA
        • For hours…
          – And hours and hours and hours
        • Daily
        • Keep a dashboard of time wasted for your own amusement
    • Then every couple of weeks, ban them so they think you “caught” them
  • 31. Educate your users
    Establish clear, simple guidelines of things you won’t ask for
  • 32. Send emails with hashed links
    • Emails with a link to bypass login for one use
    • Gets users used to NOT entering their login
      – If clicking emails from your site never results in seeing a login screen, getting a login screen will seem strange
    • Phishing sites can’t fake an automated login
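An added example of a single-use login link (not code from the talk): the token in the link is random, only an HMAC of it is stored server-side, and redeeming pops the entry so the link works exactly once and only until it expires. The in-memory store, the server key, the base URL and the 15-minute lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret and token store, constructed for this example;
# a real application keeps the store in its database.
SERVER_KEY = secrets.token_bytes(32)
_issued = {}     # HMAC(token) -> (user_id, expires_at)

def _digest(token):
    # Store only a keyed hash: a leaked table does not yield working links.
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

def issue_login_link(user_id, base_url="https://example.test/login/",
                     ttl_seconds=900, now=None):
    """Create a single-use login link for user_id; the caller emails it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[_digest(token)] = (user_id, now + ttl_seconds)
    return base_url + token

def redeem_login_link(url, now=None):
    """Return the user_id if the link is valid, then burn it. Returns None for
    unknown, expired or already-used tokens, so a phishing page that copies a
    link cannot reuse it and a user clicking twice gets the login screen."""
    now = time.time() if now is None else now
    token = url.rsplit("/", 1)[-1]
    entry = _issued.pop(_digest(token), None)     # pop: a link works exactly once
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None
```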
  • 33. Evercookie
    • A virtually undeletable cookie
      – Track it with logins so you can trace multiple accounts and IPs back to a single computer
      – https://github.com/samyk/evercookie
      – http://samy.pl/evercookie/
    • MaxMind’s IP Service will identify Tor/Proxies with great success
      – Don’t let people do important things from an anonymous connection
      – https://www.maxmind.com/en/geoip2-services-and-databases
    • Also track with etag/if-none-match headers
      – Every ad system trick out there works for tracking fraud
      – http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
  • 34. And of course…
    2 Factor Authentication