Channel: Terry Zink: Security Talk

Understanding outbound spam controls in Office 365


As a Program Manager of Antispam in Office 365, one of the questions I am frequently asked is “How many outbound messages are we permitted to send per minute? Per hour? Per day?”

When I use the term “Office 365” I mean both our existing Forefront Online Protection for Exchange (FOPE) service, and our newer Exchange Online Protection (EOP) service. The following description applies to both of these services.

We take managing outbound spam seriously because ours is a shared service; there are many customers behind a shared pool of resources. If one customer sends outbound spam, it can degrade the outbound IP reputation of the service, which affects the successful deliverability of email for other customers. It is unfair to Customer A if Customer B spams and various 3rd party IP blocklists list the IP address that both of them use. The actions of one directly affect the other.

FOPE and EOP do the following to control outbound spam:

  1. Segregation of outbound traffic into separate pools of IPs

    Every message that customers send outbound through the service is scanned for spam. If the message is spam, it is routed through the Higher Risk Delivery pool. This IP pool also carries non-delivery reports (NDRs). Delivery to the intended recipient is not guaranteed, as many third parties will not accept email from this pool because of the quality of the email it emits.

    Splitting the traffic this way ensures that the lower quality email (spam, backscatter NDRs) does not drag down the reputation of the regular outbound email pools. The high risk pool typically has low reputation at many receivers around the Internet, although this is not universal.

  2. Monitoring of IP reputation

    Office 365 queries various 3rd party IP blocklists and generates alerts if any of our outbound IPs are listed on them. This allows us to react quickly when spam has caused our reputation to degrade. When an alert is generated, we have internal documentation outlining what steps to take to get delisted as well as troubleshooting steps to identify and disable the spamming account that caused us to get listed in the first place.

  3. Disabling of offending accounts when they send too much email marked as spam

    Even though we segregate spam and non-spam into two separate outbound IP pools, an account cannot send spam indefinitely. We monitor which accounts are sending spam, and if an account exceeds a limit it is blocked from sending.

    A single message marked as spam may be a misclassification by the spam engine; this is why it is merely routed through the High Risk Pool rather than blocked. However, a large number of spam-marked messages in a short time frame indicates a problem, and when that occurs we block the account from sending any more email.

    Separate thresholds exist for individual email accounts and, in aggregate, for the entire customer.

  4. Disabling of offending accounts when they send too much email in too short a time frame

    In addition to the limits above, which look at the number of messages marked as spam, there are also limits that block an account when it reaches an overall volume limit regardless of whether the messages are marked as spam.

    This limit exists because a compromised account sometimes sends zero-day spam that the spam filter misses. Because it is sometimes difficult, if not impossible, to tell the difference between a legitimate mass mailing campaign and a massive spam campaign, these limits activate to limit any potential damage.

    Separate thresholds exist for individual email accounts and, in aggregate, for the entire customer.

    For both #3 and #4, we do not advertise the exact limits. This is for two reasons:

    a) To prevent spammers from gaming the system

    We do not want spammers to send (limit – 1) messages through the system. If they knew the limits, they would do this. We know they would do this because we have seen spammers figure it out using trial-and-error.

    b) To ensure that we can change the limits when we need to

    If we were to advertise the exact limits, customers would expect that these limits were always in place. Because outbound spam requires agility to react quickly, there are situations where we might decide to change the limits in a short period of time to stop spam. If customers knew the exact limits, they may expect to be warned in advance. We cannot do this because we must move quickly to contain possible damage. Therefore, we have avoided setting expectations.

    For #4, the limits are high enough that an average business user will never hit them; there is only so much email a person can physically type in a day. However, the limits are low enough to contain most of the damage a spammer can do, ending the spam campaign sooner than intended.

  5. Recommended workarounds for customers who want to send outbound bulk email through FOPE or EOP

    It is difficult to strike a balance between customers who want to send a lot of bulk email and protecting the service from compromised accounts and bulk emailers with poor list acquisition practices.

    On the one hand, it is inconvenient for some customers not to be able to send as much email as they want through the service. On the other hand, the cost of an outbound IP landing on a 3rd party blocklist is higher than the cost of blocking a customer from sending outbound email: blocking a customer affects that single customer, whereas a blocklisted IP affects multiple customers.

    Using FOPE or EOP to send bulk email is not a recommended or supported use of the service. It is permitted on a “best-effort” basis. It may or may not work. For customers who do want to send bulk email, we recommend the following:

    a) Send the bulk email through the customer’s own on-premises mail servers

    This means that the customer will have to maintain its own email infrastructure for this type of email.

    b) Use a 3rd party bulk emailer to send the mass communication

    There are several 3rd party bulk emailers whose sole business it is to send bulk email. They can work with customers to ensure that they have good emailing practices and they have resources dedicated to enforcing it.

    The Messaging, Malware and Mobile Anti-Abuse Working Group (MAAWG) publishes its membership roster here: http://www.maawg.org/about/roster

    Several bulk email providers are on the list and are known to be responsible Internet citizens.

  6. Notifications when an account is sending spam, or shut down

    Administrators can get bcc’ed whenever a message is marked as outbound spam and sent through the High Risk Pool. By monitoring this mailbox, an admin can detect if they have a compromised account in their network, or if the spam filter is mistakenly marking their email as spam.

    In addition, whenever an automated block under #3 or #4 above is executed, an email alert is sent to the Customer Support team, who contact the customer to inform them that we have shut down the account. Alternatively, an administrator can opt to receive an email notification directly stating that email account X has been blocked for sending outbound spam.

    To find these settings in the EOP service, click on the Admin drop-down arrow –> protection –> outbound spam –> Edit –> outbound spam preferences.

    [image: outbound spam preferences in the EOP admin center]

  7. Manually reviewing spam complaints from users at 3rd party email providers

    The account shutdowns in #3 and #4 above are automated; however, we also have manual processes.

    Many 3rd party email services like Hotmail, Yahoo and AOL provide a Feedback Loop wherein if any user in their service marks an email from our service as spam, the message is packaged up and sent back to us for review.

    If one of our spam analysts reviews these messages and finds a malicious spam message (phishing, lottery, pharmaceutical spam, malware), they will take steps to disable the account.

    The notification process is slightly different than #6 and we are working to make it uniform for both automated and manual blocking.

The above is a summary of the most common controls we implement to reduce outbound spam.
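To make controls #1, #3 and #4 concrete, here is a small simulation, written for this page as an added example and not Office 365 code, of an outbound pipeline that routes spam-marked mail to a separate high-risk pool, keeps sliding-window counts per account and per tenant, and blocks a sender when either the spam-count trigger or the absolute-volume trigger fires. All thresholds, the `looks_like_spam` heuristic, the `contoso.example` and `fabrikam.example` tenants and the traffic are hypothetical; the service does not publish its real limits.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical thresholds for illustration only; the real limits are not published.
WINDOW_SECONDS = 3600
SPAM_LIMIT_PER_ACCOUNT = 3      # spam-marked messages per window (control #3)
SPAM_LIMIT_PER_TENANT = 8
VOLUME_LIMIT_PER_ACCOUNT = 10   # all messages per window, spam or not (control #4)
VOLUME_LIMIT_PER_TENANT = 25


@dataclass
class OutboundMessage:
    ts: int          # submission time in seconds (constructed)
    tenant: str
    sender: str
    body: str


def looks_like_spam(msg: OutboundMessage) -> bool:
    """Crude stand-in for the spam engine; a real filter scores the whole message."""
    body = msg.body.lower()
    return "you have won" in body or "cheap pills" in body


class OutboundController:
    def __init__(self):
        self.history = defaultdict(deque)   # account or tenant -> deque of (ts, was_spam)
        self.blocked = set()                # blocked accounts and tenants
        self.pools = {"normal": [], "high_risk": []}

    def counts(self, key: str, now: int):
        """(total, spam) sent by `key` inside the trailing window; expired entries are dropped."""
        q = self.history[key]
        while q and q[0][0] < now - WINDOW_SECONDS:
            q.popleft()
        return len(q), sum(1 for _, spam in q if spam)

    def submit(self, msg: OutboundMessage) -> str:
        if msg.sender in self.blocked or msg.tenant in self.blocked:
            return "rejected"                      # a limit already tripped for this sender
        spam = looks_like_spam(msg)
        pool = "high_risk" if spam else "normal"   # control #1: segregated IP pools
        self.pools[pool].append(msg)
        for key in (msg.sender, msg.tenant):
            self.history[key].append((msg.ts, spam))
        # Evaluate per-account and per-tenant limits after accepting this message;
        # the message that trips a limit is still routed, later ones are rejected.
        for key, spam_limit, volume_limit in (
            (msg.sender, SPAM_LIMIT_PER_ACCOUNT, VOLUME_LIMIT_PER_ACCOUNT),
            (msg.tenant, SPAM_LIMIT_PER_TENANT, VOLUME_LIMIT_PER_TENANT),
        ):
            total, spam_count = self.counts(key, msg.ts)
            if spam_count >= spam_limit or total >= volume_limit:
                self.blocked.add(key)
        return pool


def run_demo() -> dict:
    """Constructed traffic: a normal user, a compromised account, and a bulk mailer."""
    ctl = OutboundController()
    traffic = [OutboundMessage(0, "contoso.example", "alice@contoso.example", "Agenda for Monday"),
               OutboundMessage(60, "contoso.example", "alice@contoso.example", "Re: agenda")]
    traffic += [OutboundMessage(100 + i, "contoso.example", "mallory@contoso.example",
                                "You have won! Claim your prize") for i in range(4)]
    traffic += [OutboundMessage(200 + i, "fabrikam.example", "bulk@fabrikam.example",
                                f"Newsletter issue {i}") for i in range(12)]
    outcomes = [ctl.submit(m) for m in traffic]
    return {"outcomes": outcomes,
            "blocked": sorted(ctl.blocked),
            "normal": len(ctl.pools["normal"]),
            "high_risk": len(ctl.pools["high_risk"])}


if __name__ == "__main__":
    print(run_demo())
```

The two triggers are independent: `mallory@` is blocked after three spam-marked messages although her total volume is tiny, while `bulk@` never sends anything the filter flags and is stopped by volume alone, which is the zero-day case #4 exists for. The block outlives the window and the counts do not, so unblocking is an administrative action rather than a timeout.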


How to create more aggressive Bulk email settings in Exchange Online


One of the more common requests in the Forefront Online Protection for Exchange (FOPE) and Exchange Online Protection (EOP) services is “How do we get more aggressive bulk email filtering?”

In a previous blog post, New Features in Office 365, I discussed how we released a feature that allows administrators to mark bulk email as spam.

The way this feature works is the following:

  1. We have a list of bulk senders that we identify by sending IP address (we are constantly updating this list). If an incoming IP is on this list, we stamp the message with SRV:BULK in the X-Forefront-Antispam-Report header.

  2. There are also spam rules on the back end that look for patterns that commonly occur in bulk email messages. When one of these spam rules matches content within the message, we stamp the message with SRV:BULK in the X-Forefront-Antispam-Report header.


The drawback of these two methods is that many customers find them either not aggressive enough (#1) or too aggressive (#2). Because bulk email is so subjective (some people want it, others do not), it is difficult to strike a balance such that everyone is satisfied. In order to control false positives, we are generally less aggressive on bulk email than we could be.

Making Bulk Email Scanning More Aggressive in EOP

For customers who want more aggressive bulk email settings, there are ways to accomplish this with Exchange Transport Rules (ETR) in the EOP service.

There are several patterns that frequently occur in bulk email. Create an ETR (Admin –> mail flow –> rules –> Create new rule by clicking the + sign) that says “If the message includes these text patterns in the message subject or body” and then start adding the following regular expressions:

  1. If you are unable to view the content of this email\, please
  2. \>unsubscribe( here)?\</a\>
  3. If you do not wish to receive further communications like this\, please
  4. \<img height\="?1"? width\="?1"? src\=.?http\://
  5. If you would prefer not to receive e\-?mails from
  6. To stop receiving these\s+emails\:http\://
  7. To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)
  8. no longer (wish )?(to )?(be sent|receive) \w+ email
  9. If you are unable to view the content of this email\, please click here
  10. To ensure you receive (your daily deals|our e-?mails)\, add

When creating the rule, make sure you choose the text-pattern condition and not “subject or body includes any of these words”. The entries above are regular expressions that match patterns of text, not exact strings.

This is not an exhaustive set of regular expressions; more can be added as appropriate and any can be removed as needed. However, it is a good starting point.

The action should be to modify the message properties and set the SCL to 5 or higher which will mark the message as spam.

When complete, the rule will look similar to the below.

[image: the completed transport rule]

A second ETR can be created that looks for exact matches and sets the SCL to 5. But whereas the above looks for text patterns, this one should look for “subject or body includes any of these words”. Below is a list of commonly used bulk email phrases:

  1. to change your preferences or unsubscribe
  2. Modify email preferences or unsubscribe
  3. This is a promotional email
  4. You are receiving this email because you requested a subscription
  5. click here to unsubscribe
  6. You have received this email because you are subscribed
  7. If you no longer wish to receive our email newsletter
  8. to unsubscribe from this newsletter
  9. If you have trouble viewing this email
  10. This is an advertisement
  11. you would like to unsubscribe or change your
  12. view this email as a webpage
  13. You are receiving this email because you are subscribed


This second ETR catches phrases that the first one does not. Once again, the list is not exhaustive; more phrases can be added as necessary or removed as required. However, it is a good starting point.

Using both of these ETRs can help customers cut down on the amount of unwanted bulk email in EOP.
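Before deploying the two rules, it is worth running the patterns against real samples to see what they would catch. The following script is an added example, not part of the original post and not EOP code: it compiles the ten regular expressions and the thirteen phrases above exactly as listed and applies them to three constructed messages, a marketing newsletter, an ordinary business reply, and an internal HTML announcement. Case-insensitive matching is assumed here; confirm the rule engine’s behaviour in EOP before relying on it, and test any pattern you add against the real rule rather than only against Python’s `re`.

```python
import re

# The ten text patterns from the first rule, copied verbatim from the post.
BULK_PATTERNS = [
    r"If you are unable to view the content of this email\, please",
    r"\>unsubscribe( here)?\</a\>",
    r"If you do not wish to receive further communications like this\, please",
    r'\<img height\="?1"? width\="?1"? src\=.?http\://',
    r"If you would prefer not to receive e\-?mails from",
    r"To stop receiving these\s+emails\:http\://",
    r"To unsubscribe from \w+ (e\-?letter|e?-?mail|newsletter)",
    r"no longer (wish )?(to )?(be sent|receive) \w+ email",
    r"If you are unable to view the content of this email\, please click here",
    r"To ensure you receive (your daily deals|our e-?mails)\, add",
]

# The thirteen exact phrases from the second rule ("includes any of these words").
BULK_PHRASES = [
    "to change your preferences or unsubscribe",
    "Modify email preferences or unsubscribe",
    "This is a promotional email",
    "You are receiving this email because you requested a subscription",
    "click here to unsubscribe",
    "You have received this email because you are subscribed",
    "If you no longer wish to receive our email newsletter",
    "to unsubscribe from this newsletter",
    "If you have trouble viewing this email",
    "This is an advertisement",
    "you would like to unsubscribe or change your",
    "view this email as a webpage",
    "You are receiving this email because you are subscribed",
]

# Assumption: the rule engine matches case-insensitively. Verify in EOP.
COMPILED_PATTERNS = [re.compile(p, re.IGNORECASE) for p in BULK_PATTERNS]


def matched_patterns(text: str) -> list:
    """1-based indices of the regular expressions that match anywhere in the text."""
    return [i for i, rx in enumerate(COMPILED_PATTERNS, start=1) if rx.search(text)]


def matched_phrases(text: str) -> list:
    """1-based indices of the exact phrases present (case-folded substring test)."""
    folded = text.casefold()
    return [i for i, p in enumerate(BULK_PHRASES, start=1) if p.casefold() in folded]


def scl_for(text: str):
    """5 if either rule would fire (message treated as spam), None if neither would."""
    return 5 if matched_patterns(text) or matched_phrases(text) else None


# Constructed samples; the domains and names are invented.
SAMPLE_NEWSLETTER = """<html><body>
<p>Big savings this week only at Northwind Deals!</p>
<img height="1" width="1" src="http://track.example.invalid/open?id=42">
<p>If you no longer wish to receive our email newsletter,
<a href="http://example.invalid/u?id=42">unsubscribe here</a>.</p>
</body></html>"""

SAMPLE_BUSINESS = """Hi Dana,

Attached is the Q3 forecast. Let me know if you no longer need the extra tab,
and I will drop it from next week's version.

Thanks, Sam"""

SAMPLE_HR = """<p>Open enrollment for benefits starts Monday.</p>
<p>If you have trouble viewing this email, open the attached PDF instead.</p>"""


if __name__ == "__main__":
    for name, text in (("newsletter", SAMPLE_NEWSLETTER),
                       ("business", SAMPLE_BUSINESS),
                       ("hr notice", SAMPLE_HR)):
        print(name, matched_patterns(text), matched_phrases(text), scl_for(text))
```

The newsletter trips patterns 2, 4 and 8 and phrase 7 and gets SCL 5; the business reply matches nothing. The HR announcement, which is legitimate, also gets SCL 5 because of phrase 9, which is exactly the kind of false positive that the safe-sender and recipient-scoping options below exist for.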


What about legitimate bulk email that some users want?

The above ETRs are aggressive and will most likely flag messages as spam that some users want. To work around this, customers have two options:

  1. Use safe senders to override a spam verdict

    Customers who use safe senders (in Outlook) and sync them to the EOP service will be able to get email from a sender even if the ETR marks the message as spam. In EOP, a user’s safe senders list overrides a spam verdict set by an ETR.

    There is more information about how to use safe senders in this blog post:
    How to use safe senders in EOP and FOPE

  2. Narrow the scope of the ETR down to a more specific set of users

    The above ETRs mark a message as spam for the entire organization. However, ETRs are very powerful and you can specify multiple conditions. By selecting the “Add Condition” option, customers can specify which recipients the rules should apply to.

    This way, the aggressive bulk email filtering settings can apply to a few users who are highly targeted, while the rest of the user base (who mostly get the bulk email they signed up for) do not have their mail flow interrupted.


Both of these options will help ensure that people can still get the bulk email they want to receive. Option 1 is disruptive for the general user base but allows individuals to self-service (they can add safe senders as required), whereas option 2 is less disruptive to the user base but forces the customer’s administrator to do a bit more work up front by collecting a list of highly targeted users, and creating a more complicated ETR.

What about FOPE?

The above ETRs can be created as Policy Rules in FOPE. However:

  1. FOPE does not support the same level of regular expressions as EOP

    EOP has a much richer set of regular expression support compared to FOPE. Some of the regular expressions can be rewritten, but some of them may not work.

  2. Safe senders in FOPE do not override Policy Rules

    In FOPE, a Policy Rule to block spam can either Quarantine or Reject. It does not mark a message as spam. Therefore, if a user wants to receive email from a particular sender, a safe sender will not work if the Policy Rule is scoped to the entire domain. The only workarounds are to scope the original Policy Rule down to a smaller set of users, or to create a second Policy Allow rule from Sender A to Recipient B.

As you can see, FOPE is more limited than EOP. It will not be upgraded to support the same variations as EOP.


Summary

The above descriptions are the current workarounds for more aggressive bulk email filtering in the service – how to flag more of it as spam, how to allow users to receive the mail they want, and what the limitations in FOPE are (the older version of service).


I am finally experimenting with a password manager. Here are the results so far.


I’ve been aware of password managers for years but I never used one – I was skeptical. While I understand their benefits, I always thought they would be too inconvenient to use.

I’m going to assume that you’re aware of what these things are – little pieces of software that keep track of all the passwords you use to login to various websites, and the only way to get at them is to enter in your one master password. So, instead of memorizing a ton of random passwords (which no one does), you only need to remember one. The password manager can even generate passwords for you if you want, and then you just need to reset your password on whatever website you log into with the one that was randomly generated.


I broke down this past week and decided to stop relying upon my brain to do my password management and instead use software. I did this for two reasons:

  1. For security

    I have quasi-uniqueness for many of my passwords, but I do reuse some of them for web sites I don’t care about that much.

  2. Because my $WORK is making me

    At work, I have to login to a bunch of different environments and it’s pretty much impossible to keep track of them. Furthermore, they rolled out a change this past month where you can’t pick your own password to login to these environments (excluding my PC logon), they generate them for you. Either I write them down or I use a password manager. The password manager won.

We had a security presentation a few weeks ago and the one thing I remember is that the recommended piece of software to use internally at the company is called… well, I’m not sure if I am supposed to advertise it so I will refer to it as ComboPass. I hope that doesn’t actually exist, I don’t look things up while I am blog-writing. This is a 3rd party tool and the reason the company recommends it is because it integrates with certain other tools we use like Windows Phone (I can’t recall if this is the real reason but I’m on a roll and can’t be bothered to stop typing).

First impressions

Anyhow, I downloaded the tool, installed it, and… nothing happened. Did it work properly? I started digging through the help guides and figured out that a little icon shows up in my Windows SysTray.

Oh. Right.

I double-clicked the icon and created a new master password to unlock it. Now what? I looked at the screen and I couldn’t figure out what to do. This may seem obvious to all of you but I didn’t know what my next steps were. Weren’t these things supposed to be easy to use? In my mind, I envisioned that every website I used could easily integrate with this stuff.

Eventually, I figured out that I had to right-click and add a new entry. I guess that makes sense, looking at it in retrospect.

Well, first things first. The main reason I have resisted using a password manager is this – won’t I have to sync this across all my devices?

I have a Windows 8 PC, a Windows 7 PC, a Windows Phone, an Android tablet (which I got for free), an iPad 3, and an older iPad which I also got for free. My wife also has a Mac. I don’t use all of these devices at the same rate. But I do use them all once in a while. Was I going to have to install ComboPass on every single one of these?


I decided to start small. To begin with, I decided to save only my work environment passwords on my primary Windows 8 machine, but I made the mistake of saving the password file to the local hard drive. I generated some new passwords and stored them in ComboPass.

Now how do I use them?

Oh, I have to copy/paste them when I want to login. But first I have to unlock ComboPass every time using that new master password I generated for it and I don’t have it memorized yet.

Ugh. What an inconvenience. But at least those crazy work passwords are stored so I don’t have to remember them anymore.

Syncing to another device

Okay, well, since I have two main PCs – Windows 8 and Windows 7, I figured I better get ComboPass set up on Windows 7. I downloaded and installed it and then pointed the password file at SkyDrive Pro (Microsoft’s enterprise cloud storage solution). I copied my Windows 8 password file from the hard drive on that PC onto SkyDrive Pro where my Windows 7 machine could pick it up. So, now they’re sync’ed!

That was not going to end well, as we’ll see later.

Aside: I got my Windows 8 PC back in May and I do most of my work on it, but I retain my old Windows 7 PC for a couple of reasons:

  1. I like the hardware better. The keyboard “clicks” better, and the mouse trackpad is more responsive.

  2. I can’t figure out how to get certain connectivity to the corp network working in Windows 8 the way it works for me in Windows 7. This is clearly user error. But this user’s workaround is to use Windows 7 instead of calling the IT department to fix it.

My website logins

Next up – my website logins. I am not thrilled about the possibility of having to copy/paste my password from ComboPass into Amazon, Mint, Netflix, my banks, etc. every time I want to login to them (I don’t save them in my browser, I retype them each time I login). So, I decided to experiment with a website I don’t care about as much – FutureAdvisor. This is a website that analyzes your stock portfolio and makes recommendations on the best way to balance them. Pretty cool, if I could get it to work. I reset my password for it and stored it in ComboPass.

At this point, I only have a few things stored in ComboPass. But then I realized something – my Windows 7 device pulls the password file from SkyDrive Pro, but my Windows 8 device pulls it from the local hard drive. That shouldn’t be; I copied it from the hard drive to SkyDrive Pro.

That was a mistake.

For you see, I wasn’t keeping things in sync (I know, it’s my fault), I overwrote the password file and I locked myself out of FutureAdvisor along with a couple of other websites.

Ugh!

And I can’t reset my password because FutureAdvisor’s password reset currently doesn’t work. Every time I click the “reset my password” which sends me an email, it tells me the link has expired. It is physically impossible to click it any faster than what I am doing.

I know it’s always possible to lock yourself out of your own accounts even using conventional password management. But this only happened because of me using a password manager and trying to sync it between only two devices.

My impressions so far

So far, my initial reactions are mixed. While I like the ability to not have to remember my passwords:

  1. Remembering the new master password is inconvenient. I had to write it down and physically carry it with me on a piece of paper.

  2. Copy/pasting from the password manager is inconvenient. I liked being able to logon to Amazon by typing in my username and password (I had it memorized and it is unique). It is now an extra step. Or at least it would be if I hooked it up to Amazon. I thought these things were supposed to auto-fill in web logins? Right?

  3. Even though I know that locking myself out of FutureAdvisor was my fault, and it’s their fault the password reset doesn’t work, it feeds my paranoia that using a password manager adds too much complexity. I don’t mind adding accounts that I only access on two devices that sync with Skydrive Pro. But am I going to have to type in those super-long passwords on each of my Windows Phone, iPad 3, old iPad and Android?

    So for now, I still memorize the passwords on websites that are important which I may log onto on multiple devices (which defeats the purpose of a password manager).

  4. What happens if I ever cannot connect to SkyDrive Pro (e.g., I ever leave the company I work for)? Then I can’t log onto anything! I’d have to go and reset the password on every service and then update it on every device.

    I prize convenience, and this adds a lot of risk.

I am probably whining about a lot of things that have already been solved. I readily admit that I have not climbed the learning curve that exists for changes in anything. While I find the password management useful in some cases, I’m not ready to make the full leap.

How is my password manager experiment working so far?


A couple of weeks ago, I wrote that I had started experimenting with a password manager. I thought I’d give an update on how it’s working for me so far.

Here’s what I do:

  1. I use my Windows 8 laptop as my main machine at work. Most of the time when I want to save a new password, I add it to ComboPass (my fictional name for a real piece of software) on this machine.

  2. However, I don’t always use my Windows 8 laptop, especially at home. I use my old Windows 7 laptop at home because I have my personal email sync’ed with Thunderbird on it (I am too lazy to copy over the email folders to the new machine) and because I have an extra power cable for it at home, whereas my Windows 8 machine I only have one power cable at the office. I don’t want to carry it home so I just use my Windows 7 machine at home.

On both machines, I have ComboPass set up and sync’ing the password file via SkyDrive Pro. This is the only corporate-approved mechanism of storing the database (I can’t use a personal one like SkyDrive regular since it is not encrypted, and SkyDrive Pro is).

As I was getting used to it, I thought to myself “Hey, this is pretty good! Maybe I should have done this years ago.” But as I started using it more, I got the feeling that I am doing something wrong.

This password combination with sync’ing seems more difficult than it needs to be. If I only ever add passwords while using my Windows 8 machine, it seems to work okay. And if I just read passwords from my Windows 7 machine, it works okay.

But heaven help me if I ever want to add passwords using my Windows 7 machine! Why? Because I keep getting upload failures:

[image: SkyDrive Pro upload failure]

When I try to resolve other files that similarly failed to upload:

[image: SkyDrive Pro resolve-conflict dialog]

The password file keeps failing to sync and upload. I think it’s a race condition – the file is being actively used on my Windows 8 machine and my Windows 7 machine, and SkyDrive Pro cannot upload and overwrite it if it is currently in use.

This file keeps failing to upload and I have to manually sync it (sometimes by transferring it with USB sticks). This happens on both machines. Isn’t this supposed to do it automatically? Why do my downloads keep failing? Why do I have to hack around it?

What’s more, I recently rebooted my Windows 8 machine and ComboPass wasn’t running when I restarted (it couldn’t find the file saved on SkyDrive Pro which wasn’t sync’ing). It took me a while (15 seconds) to figure out where I had stored it so I could get it up and running again – manually. I know this is a simple task, and it only took me a minute to figure it out. But isn’t it supposed to start running automatically when I reboot? The way it does on my Windows 7 machine? How am I supposed to recommend this to average people?


Yes, I know that there are workarounds. And yes, I know that this is all my fault due to how I installed it (probably). But I thought that this was supposed to make things easier for me. If I can barely get it to work on a PC, I’m not sure I want to take my chances using smartphones and tablets.

I feel like I’m too dumb to use a password manager.

 

Humorous, or not-so-humorous, cartoon on the roll-out of healthcare.gov


I found the following cartoon today on Reason.

 

If you’re not familiar with the situation, the US government rolled out a website, healthcare.gov, where people can go to sign up for health insurance which is mandated for individuals before the end of 2013 (not sure if that still applies or the deadline has been extended). The government released it at the end of October and it crashed due to so many people signing up for it.

They gave themselves one month to fix it and the website now works better, albeit with some remaining performance issues still outstanding.

I am posting this cartoon because I don’t agree with the sentiment; here is my interpretation of what this cartoon represents:

The user sees a website that has been slapped with a bandaid. The message is that the website is not flawless but instead is held together with quick fixes and therefore is reflective of poor design right from the beginning. The service still has problems, what a disaster!

For one thing, Reason is anti-government and they disagree with almost everything the government says or does (this is tongue-in-cheek but not too far from the truth) outside of their own views of what government should do.

But for another thing, a bandaid solution is not reflective of bad design; instead, it’s how code works. Almost all code that is a very large project is held together with patches, that’s why it’s called a patch. If Reason is going to make fun of healthcare.gov because it’s just a bandaid solution, they could apply this criticism to nearly any large piece of software, both public and private.

Rather than being a legitimate criticism, this is an example of Confirmation Bias (look at that – the government can’t do anything right!).

You may not agree with my political interpretation, but this is what I think.

Humor–NSA spying

Humor–Opinions on Internet Privacy


I saw this a few months ago and meant to post it back then, so I am posting it now. Via XKCD.

 

 

Privacy Opinions

I worry more about being hacked than being tracked, and I am in the majority


This is going to be a long post. Please read through the whole thing before you comment.

I have been following this NSA spy-story for several months now ever since Edward Snowden started revealing back in the summer that the US government was spying on everyone.

At the time, I wasn’t sure how I felt about it. Based upon what I was reading from security experts (and I am oversimplifying the discussion… sorry about that), I was supposed to (a) care a lot, and (b) be outraged.


When it comes to government accountability, I am not the most informed person. I do try to keep up with technology, policy and governance but I only have so much mental bandwidth. After work, I like to relax and rather than reading discussion forums and important articles, I frequently watch Netflix (I just made my way through Orange is the New Black, in case you are wondering). Sometimes I like to read books on my Kindle (I just finished You are now Less Dumb), or just doodle around on my iPad. I have read some stuff on spy-gate, but I don’t know all the nuances of the arguments for it on both sides.

Thus, when it comes to a complicated topic like NSA spying, I end up relying upon my gut instinct. This is a poor way to make decisions. But, in my defense, everyone uses gut instincts to make decisions most of the time. We humans are subject to dozens and dozens of biases. Most of the time, we make snap decisions intuitively and then make up logic to rationalize why we think this way.

This is not how we think we make decisions but it is how we do it most of the time. And sometimes it works; back when the United States was talking about taking military action against Syria, I was strongly against it. I am not blasé about all things.


When I hear people in my local social circles – the ones outside of security and even a few inside of it – talk about the NSA, most of them are a little surprised by the scope of it but don’t really give it much thought. Many joke about it.

Many references to it in pop culture are equally dismissive. The South Park episode Let Go, Let Gov parodies people who actually do care. Eric Cartman is outraged at the NSA spying scandal, so he infiltrates the NSA and exposes all of their hacking. Yet immediately afterwards, he is shocked by the amount of nonchalance everyone around him has. Indeed, he starts crying to his mother because he exposed everything they were doing, yet no one cared. He tries to push the NSA into violating his constitutional rights, but they dismiss him as “fat and uninteresting.”

I’m tempted to take this thinking as most people don’t care about NSA spying but this would make me guilty of the availability bias – the belief that since my immediate social circles think a certain way, that everyone thinks this way. Maybe only those around me don’t give it much thought. Or maybe people who matter think this is a big deal (i.e., people on Intelligence committees).

Yet the other day on All Things D, an article entitled People are More Freaked Out by Hacking than Tracking shows the following:

  • 75% of people surveyed were worried about hackers stealing their personal information. As if to underscore this, Target admitted it leaked 40 million credit and debit cards over the 2013 Thanksgiving weekend and now these are for sale on the black market.

  • 54% of people are worried that their browsing history is being tracked by advertisers.

  • Only 15% reported the top threat is government accessing people’s information.



After reading the article, I ran through my own mental processes – the things which I worry about online the most are those three things, in that exact order. I’m just like everyone else.

I check my credit card statements looking for possible fraud and I get angry when my credit card is leaked and I have to change it. I keep my anti-virus up-to-date and I have started using more unique passwords.

I delete my cookies regularly, clean my cache and sometimes use private browsing. I have adjusted the privacy settings on some websites I visit and I sometimes read privacy policies (parts of them, anyway).

As you can see, for the two things that I think matter the most to me, I have taken action to lower my risk.

By contrast, ever since the NSA story broke, I have changed nothing about my habits. Not one thing. Furthermore, I don’t worry about the NSA spying on me because in the back of my mind, my gut instinct says “You’re too boring for the NSA to care about.” I don’t worry about them stealing my credit card information, searching my browser history or tracking my online behavior. Maybe I should be worried, but I’m not.

So how come I’m not?

Like I said, this is a gut instinct (in Daniel Kahneman’s book Thinking, Fast and Slow, this is called System 1 thinking; for a full explanation, read the Wikipedia summary). The threat from hackers is clear to me: they might steal my identity, and I can see the fallout – they could steal money from my financial accounts, or they could degrade my credit, or they could infect my computer with malware. These are all real and tangible, and I can see a direct link between hackers and the bad things that come as a result of being hacked.

Privacy is a little tougher but I can still see the issue – online retailers, browsers, and large corporations are tracking everything I do and sending data back to a central processing unit and then sending me something based upon what I do. This “something” is usually advertising. I’m not quite sure how I feel about that targeted advertising since I use the Internet to do things I enjoy, and now that’s being used “against” me by private corporations for their own profit. A bit more blurry, this one.

But when it comes to NSA tracking, I have a very hard time seeing the fallout and that’s the problem. The cost is hard to see.


Defenders of the NSA spying program say that if you’re not doing anything wrong, you have nothing to worry about. My System 2 thinking – the part of my brain that is logical, reasonable and analytical – knows that this is true on some level, but it also knows that we are entitled to privacy rights. Yet it also doesn’t fully understand the arguments. My System 1, on the other hand, happily accepts this argument:

“The NSA is looking for criminals and terrorists. Since I am not one, I have nothing to fear and there’s way too much data they are collecting for this to be a problem since I can hide in my own obscurity. This is different than companies tracking me and selling my information or targeting me with ads. They are browsing my legal, normal behavior looking for patterns, whereas the NSA is looking for people with malicious intent; they are looking for illegal behavior.”

And you know what? It’s probably true. The NSA isn’t targeting ordinary Americans.

My System 2 has to fight to overcome this belief. This is difficult because System 1 is nearly automatic, and System 2 is lazy (this is true in all humans, even you). It frequently just goes along with what System 1 says. Did you ever wonder why sometimes you are tired after a long day of thinking? Because System 2 drains a lot of your physical energy.

Last week, General Keith Alexander appeared on the TV show 60 Minutes to defend the NSA program, and The Guardian posted a rebuttal. They have the best summary I have seen about why the NSA program is wrong:

Very few people think the NSA is staffed by mustache-twirling villains who view the law as an obstacle to be overcome. The real concern is two-fold.

First, even if NSA doesn’t mean to break the law, the way its data dragnets work in practice incline toward over collection. During a damage-control conference call in August, an anonymous US intelligence official told reporters that the technical problem bothering Bates in 2011 persists today. The NSA even conceded to Walton in 2009 that “from a technical standpoint, there was no single person who had a complete understanding” of the technical “architecture” of NSA’s phone data collection.

They haven’t succeeded yet in convincing me why this is a problem, not enough to override my System 1.

Second, there is a fundamental discrepancy in power between the Fisa court and the NSA. The court’s judges have lamented that they possess an inability to independently determine how the NSA’s programs work, and if they’re in compliance with the limits the judges secretly impose. That leaves them at the mercy of NSA, the director of national intelligence, and the Justice Department to self-report violations. When the facts of the collection and the querying are sufficiently divergent from what the court understands – something the court only learns about when it is told – that can become a matter of law.

In other words, it can be simultaneously true that NSA doesn’t intend to break the law and that NSA’s significant technical capabilities break the law anyway. Malice isn’t the real issue. Overbroad tools are.

And therein lies the problem; in the United States, the government is built on a system of checks-and-balances. It seems like the government sometimes can never get anything done, but that’s because it’s supposed to be hard to get things done. With the NSA system, the courts say they can do X but there’s no way to make sure that’s all they are doing. We have to trust them to do what they say they are doing.


So you see, intellectually, I understand the issue (or rather, I understand what The Guardian is saying the problem is; you readers might have other issues like the government should straight up not be reading your email, ever). But even though I understand it, I still have trouble really caring about it.

In order to do this, I have to make it more emotional. Here’s the way I do it – the whole situation reminds me of an episode of The Simpsons, back when the show was funny. A cat burglar has plagued the city of Springfield, so Homer forms a vigilante group and sets out to stop crimes. While he does succeed in stopping some crimes, he ends up causing others. For example, while underage drinking is down, sack beating with doorknobs is up. Homer’s task force is popular with the people because he has taken the law into his own hands, but the trouble is that the city now has unchecked power without the checks and balances.

Homer is basking in his glory when Lisa asks him a question: “Dad, don’t you see? If you’re the police, who will police the police?”

Homer shrugs and flippantly responds “I don’t know. Coast Guard?”


It’s a very funny moment and it is the only argument I can think of that makes me think that the problem is not so much that I personally have nothing to hide so who cares, but rather, that an entity with unconstrained power has the ability to spiral out of control. This is not a linear relationship the way malware and hacking is. The reason I don’t care as much is because it requires my System 2, and System 2 doesn’t like to work.

I think that’s how I feel about the NSA scandal. To those of you who think I’m too flippant, sorry about that.

But it’s better than not caring at all.


Microsoft, the NSA, the Backfire Effect and how we all make bad decisions


A couple of weeks ago, I read a blog post on the Wall Street Journal commenting on remarks made by Brad Smith, Microsoft’s top legal counsel. His comments were in response to the latest revelations that the NSA sometimes sniffs network traffic between data centers:

Microsoft’s top lawyer compared the National Security Agency to elite hackers, and said the technology giant will encrypt customer information traveling between its data centers, according to a company blog post published Wednesday night.

That makes Microsoft the latest Internet company – following Google, Facebook and Yahoo – to say it is encrypting internal traffic in response to NSA snooping efforts. The agency sometimes siphons off customer information traveling on rented fiber optics cables between U.S. company data centers, former U.S. officials have said.

Brad Smith, Microsoft’s general counsel, said the NSA is circumventing the legal process if those assertions are accurate. Smith, of course, does not mention the NSA by name, but clearly alludes to them.

“If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications,” Smith said in the blog post. “Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ alongside sophisticated malware and cyberattacks.”

In other words, Microsoft is not okay with unauthorized government collection of user data.



But a more interesting article is one in Wired entitled Clash of the Titans! Inside Microsoft’s Battle to Foil the NSA. The title sounds like a spy novel, and in it Wired talks with Microsoft Technical Fellow Mark Russinovich who is one of the lead architects in Azure.

I have never met Russinovich but I have heard his name and seen it in various articles and possibly on email threads. But the part I want to get to is Russinovich’s opinion on whether or not Microsoft collaborates with the US government on creating back doors into its systems:

Amid the Snowden revelations, many pundits have also wondered whether the Microsoft brain trust — the people who run the company — have actively worked with the NSA to provide access to data. More than a decade ago, privacy geeks questioned Microsoft’s relationship with the agency when a researcher discovered a variable called “_NSAKEY” buried in the Windows operating system. More recently, Snowden’s leaked documents reportedly show that Microsoft cooperated with the FBI to make sure the government — including the NSA — could access Outlook.com e-mail.

But Russinovich says the NSAKEY controversy was a red herring, and he believes that Microsoft would only be hurting itself if it cozied up to the NSA. “I can’t say for sure that that hasn’t happened, but I will say that I’m really skeptical that it could. The risk to the business is monumental,” he says. “Without trust, there is no cloud. You’re asking customers to give you their data to manage, and if they don’t trust you, there’s no way they’re going to give it to you. You can screw up trust really easily. You can screw it up just by showing incompetence. But if you show intentional undermining of trust, your business is done.”

The way I interpret these comments is that Microsoft never knowingly puts back doors into its software or gives them to any government. When he says he can’t be sure, I take it to mean that there may be some secret program he is not aware of, but it would be confined to a very small group of people and it would be difficult to keep secret given the amount of scrutiny code receives internally.

That’s my view, too, but I’m just a ham-and-egger here within the company. I’m not that far up the chain.


But this is not what I want to focus on, either. Instead, I want to look at a psychological phenomenon known as The Backfire Effect.

Many of us here are familiar with Confirmation Bias. This is when we, as people, look for things we agree with and ignore things we don’t agree with. For example, if you’re a staunch Republican you probably watch Fox News and read right-wing blogs. If you’re a die-hard, left-wing liberal you probably watch Rachel Maddow and read The Huffington Post.

Confirmation Bias has been studied many times and confirmed multiple times over, and it’s not just politics. It is psychologically painful to be on one side of an issue and read or listen to the opposing side. Try it yourself sometime – if you’re a political left-winger, watch Fox News’ editorials for 20 minutes without changing the channel. If you're a political right-winger, watch Rachel Maddow for 20 minutes without tuning out. You will struggle to reach the end of that 20 minutes. It will feel like such a relief when you flip back to what you already agree with.

The Backfire Effect is related to Confirmation Bias. It occurs when you are given material that contradicts what you currently believe: you discard it, and it then ends up actually reinforcing what you previously believed. It doesn’t change your beliefs; it makes you more secure in what you thought previously.

From You Are Not So Smart:

In 2006, Brendan Nyhan and Jason Reifler at The University of Michigan and Georgia State University created fake newspaper articles about polarizing political issues. The articles were written in a way which would confirm a widespread misconception about certain ideas in American politics. As soon as a person read a fake article, researchers then handed over a true article which corrected the first. For instance, one article suggested the United States found weapons of mass destruction in Iraq. The next said the U.S. never found them, which was the truth. Those opposed to the war or who had strong liberal leanings tended to disagree with the original article and accept the second.

Those who supported the war and leaned more toward the conservative camp tended to agree with the first article and strongly disagree with the second. These reactions shouldn’t surprise you. What should give you pause though is how conservatives felt about the correction. After reading that there were no WMDs, they reported being even more certain than before there actually were WMDs and their original beliefs were correct.

They repeated the experiment with other wedge issues like stem cell research and tax reform, and once again, they found corrections tended to increase the strength of the participants’ misconceptions if those corrections contradicted their ideologies. People on opposing sides of the political spectrum read the same articles and then the same corrections, and when new evidence was interpreted as threatening to their beliefs, they doubled down. The corrections backfired.

Once something is added to your collection of beliefs, you protect it from harm. You do it instinctively and unconsciously when confronted with attitude-inconsistent information. Just as confirmation bias shields you when you actively seek information, the backfire effect defends you when the information seeks you, when it blindsides you.

 

When you read a negative comment, when someone dumps on what you love, when your beliefs are challenged, you pore over the data, picking it apart, searching for weakness. The cognitive dissonance locks up the gears of your mind until you deal with it. In the process you form more neural connections, build new memories and put out effort – once you finally move on, your original convictions are stronger than ever.

(Comic via XKCD.)

If you’re reading this, I hope you don’t feel too smug. I do this all the time. And so do you.

And that brings me back to the article in Wired. The gist of the article is this:

  • Microsoft was surprised by the scope of data collection by the US government
  • Microsoft is planning to encrypt all of its data
  • Microsoft does not insert any back doors into its software

Let’s now head to the comments of the article. An example of the Backfire Effect would be this: “Microsoft says they don’t insert back doors. Well, the fact that they deny it proves that they do it! Why else would they deny it!”

Do we see any examples like this in the comments? Yes, we do!

“Smokescreen. Microsoft regularly hands over encryption keys to governments such as India, Pakistan, UAE, China (and others), so they can monitor Skype and other programs.

As usual, follow the money. This is nothing more than a sophisticated PR campaign by the mega-corps”

And this:

yeah right, after MS being the first one to hop on the NSA bandwagon we now have to believe that they are fighting them, lipstick on the pig. I don't believe anything from a company whose business model was always about monopolizing and using their customers at any cost.

And this:

what's in it for Microsoft? you ask
GOVERNMENT CONTRACTS MONEY$$$$$$

 

And this:

Microsoft? The same company that altered Skype so that all calls go through a server that they control instead of directly between the two callers so it would be easy for the government to spy on them?

Yeah, this sounds like a puff piece of PR crap.

 

And this:

This M$ fluff piece is up there with 60 Minutes. Sad and tired, Wired.


Example after example of people discarding what the article said and re-iterating what they previously believed. This is a textbook example of the Backfire Effect. And here’s the thing – the more informed a person is about something, the more biased they are towards their own beliefs.

That’s part of the problem of an Internet-connected world with social media and news articles. Aren’t we supposed to live in an information utopia where we can learn everything, where right beliefs are only a few clicks away?

Yes, we do live there. But our brains are not wired that way. For you see, millions of years of evolution have programmed us to protect our beliefs and shield our sense of self from conflicting evidence. Rather than using the Internet to correct ourselves, we use it to reinforce what we believe. We quickly run to the sources that make our brains feel good, and we express it online despite what anyone else says. From You Are Not So Smart:

When our bathroom scale delivers bad news, we hop off and then on again, just to make sure we didn’t misread the display or put too much pressure on one foot. [tzink – I do this] When our scale delivers good news, we smile and head for the shower. By uncritically accepting evidence when it pleases us, and insisting on more when it doesn’t, we subtly tip the scales in our favor.

- Psychologist Dan Gilbert in The New York Times

That is not to say Microsoft does or does not put in back doors (I don’t know but like Russinovich, I doubt it).

But I do know this – I will interpret the evidence in a way that I already agree with. And so will you.

 


Why do spammers spam? I try to explain it using the Moralization Gap


Don’t spammers know they are irritating the rest of us?

Lately, I have been thinking a little bit about why spammers spam. I have never conducted a large study of this; all of my research about their own explanations comes from my memory of articles I have read and videos I have seen of convicted spammers. They usually have a few explanations:

  • I did it for the money
  • I wasn’t annoying people
  • What I was (am) doing wasn’t illegal
  • You can always hit delete

I can understand the first motivation. It’s the middle two I want to examine. Many spammers think that they are providing a valuable service and that what they are doing isn’t that big a deal. Or, they minimize the irritation that they cause because the pursuit of money is more important.

Do spammers genuinely believe this? Or are they putting on an act? And if they do believe it, how can they possibly not know how annoying they are? And how much damage they are causing to the rest of the Internet? How can they possibly exist in the bubble that they do?

What can we learn from psychology?

I have a theory. I am going to try to explain it using psychology. This is only my theory, I am not trained in the psychological arts. Still, it’s my blog and I can write what I want.

One of the books I read this past summer was Steven Pinker’s The Better Angels of Our Nature.


In the book, Pinker looks at historical trends regarding violence amongst humans (it has declined), why it has declined, explanations about why it occurs in the first place, and finally strategies for reducing it in the future.

The sample size of spammers amongst the human population is small, but all of us humans are prone to the same sorts of errors and biases. One of these is the Moralization Gap. Here’s an excerpt from Pinker’s book:


When psychologists are confronted with a timeless mystery, they run an experiment. They asked people to describe one incident in which someone angered them, and one incident in which they angered someone. The order of the two questions was randomly flipped from one participant to the next, and they were separated by a busywork task so that the participants would answer them in quick succession. Most people get angry at least once a week and nearly everyone gets angry at least once a month so there was no shortage of material. Both perpetrators and victims recounted plenty of lies, broken promises, violated rules and obligations, betrayed secrets, unfair acts, and conflicts over money.

But that was all the perpetrators and victims agreed on. The psychologists pored over the narratives and coded features such as the time span of the events, the culpability of each side, the perpetrators' motive and the aftermath of the harm. If one were to weave a composite narrative out of their tallies, they might look something like this:

The Perpetrator’s Narrative:

The story begins with the harmful act. At the time I had good reasons for doing it. Perhaps I was responding to an immediate provocation. Or I was just reacting to the situation in a way that any reasonable person would. I had a perfect right to do what I did and it’s unfair to blame me for it. The harm was minor, and easily repaired, and I apologized. It’s time to get over it, put it behind us, let bygones be bygones.

The Victim’s narrative:

The story begins long before the harmful act, which was just the latest incident in a long history of mistreatment. The perpetrator’s actions were incoherent, senseless, incomprehensible. Either that or he was an abnormal sadist, motivated only by a desire to see me suffer, though I was completely innocent. The harm he did is grievous and irreparable, with effects that will last forever. None of us should ever forget it.

 


The psychologists next had a follow-up in which they had people come in and read a fictional account of a college student helping another with some coursework. The first student reneges on his promise and the second receives a poor grade, has to change their major and switches to another university. The psychologists had the volunteers retell the story – some from the perspective of the first student (perpetrator), some from the second student (victim) and some from a third party (neutral) viewpoint. Both the victims and the perpetrators distorted the story to the same extent but in opposite ways, either omitting details or embellishing points to make their own characters look more reasonable and the other one to look less so. And this was for a fictional story!

The Self Serving Bias

This set of events wherein we minimize the gravity of our own infractions, and emphasize the damage of infractions committed by others is called the Moralization Gap. It is part of a broader phenomenon known as the Self-Serving Bias. This is when we interpret events in ways that are favorable to ourselves, but do not extend the same courtesy to others. From Wikipedia:

A self-serving bias is any cognitive or perceptual process that is distorted by the need to maintain and enhance self esteem. When individuals reject the validity of negative feedback, focus on their strengths and achievements but overlook their faults and failures, or take more responsibility for their group's work than they give to other members, they are protecting the ego from threat and injury. These cognitive and perceptual tendencies perpetuate illusions and error, but they also serve the self's need for esteem.

This is also called the Lake Wobegon Effect. Lake Wobegon is a fictional town where everyone thinks that they are above average drivers. When they told everyone who said they are above average that everyone else said the same thing, they stuck to their guns, insisting that they were above average. When the surveyors explained that it wasn’t possible for everyone to be above average and that people inflated their own abilities, the respondents were firmly committed to their own positions – everyone else was inflating their own abilities but they themselves were perfectly capable of assessing their own superior driving ability.


The reason why we do this is because it’s an evolutionary adaptation, a survival technique. It persists in humans because it was useful in getting us to where we are today. We can see why everyone else is a hypocrite because it helps cut others down to size. Back when we were hunters on the African savannah for hundreds of thousands of years, social status was crucial (it still is). People higher up the social ladder had better reproductive odds and survived to pass on their genes. If you could fake a higher status, so much the better!

Of course, if someone else was faking it, showing that their status (and therefore their odds of attracting a mate to reproduce) was better than your own, it was in your best interests to point out that they were hypocrites and not of a higher social standing than you. Better to push them down and pass on your genes than let them go on faking it while you pass into oblivion.

By contrast, faking it yourself was in your best interest. If you could convince others that you were the best, the top of the ladder, then your odds of reproductive success and passing on your genes would increase. And even better: rather than faking it, if you genuinely believed you really were better than anyone else, you could be far more convincing to others. You wouldn’t have the tell-tale signs of deception like fidgeting, sweating, or needing to keep your lies straight. Thus, it’s in your own best evolutionary interest to believe in your own greatness regardless of whether or not it is true, and to point out the hypocrisy of others to prevent them from getting ahead.

And that’s why the Self-Serving Bias exists. We exonerate ourselves while not granting the same leeway to others.

And this brings us back to spammers. The reason they don’t see why they are so annoying is because of this Moralization Gap. They are minimizing the damage of the infractions they are committing and the Self-Serving Bias prevents them from seeing it.

The Perpetrator’s Narrative:

What we are doing isn’t such a big deal: We have good reasons for doing it, we are making money and being a productive member of society. The damage is minor (only a few email messages) and easily repaired (hit delete). Just get over it and let bygones be bygones.

That’s why I think spammers don’t know (or don’t care) why they are so annoying – at one point they got into it and now they rationalize it with a feature of the brain that worked well in our evolutionary history but is now being used for the wrong reason.

That’s my theory.


Unfortunately, there is a twist

But there’s one problem: self-deception has its limits, and it’s difficult to show that it exists in all cases. To test this, psychologists had a group of volunteers help them evaluate a study in which half of the people would get a pleasant and easy task (looking at photographs for ten minutes) while the others would get a boring and difficult one (solving math problems for 45 minutes). They then allowed the participants to pick which task they wanted to do and give the other task to a paired-off participant.

Most participants selected the easy task for themselves and gave the difficult task to the other participant (who was actually one of the researchers). When given a questionnaire afterwards, most of the participants said that their choice was fair. However, when describing these actions to another group of participants, most of them said it wasn’t fair at all.

Up to this point, this is all consistent with the self-serving bias.

The researchers probed deeper. Did the “selfish” participants really, deep down, think their choice was fair? Did their unconscious mind know of their own hypocrisy?

They tested this by tying up the participants’ conscious minds, forcing some of them to keep seven digits in memory while they filled out the questionnaire indicating whether or not their choices were fair. The truth came out: the participants judged themselves as harshly as they judged other participants. The reality was there all along; it just took some coaxing to bring it out. Be careful though: in the absence of ridicule, argument or time, the default state is for people to misjudge the harmful acts they have committed.

So, perhaps there is hope for spammers after all. Deep down, perhaps they do know that what they are doing is irritating (and illegal) but it is repressed in their unconscious minds.

Perhaps the final justification for why they spam is a Freudian slip – “You can always just hit delete.” Is this a tacit confession that the “service” they provide is not a service that everyone wants? Maybe. Spammers do use antispam filters to keep their mailboxes clean, they themselves do not want to be annoyed so they are aware to some extent what they are doing.

If only there were some way to make them memorize seven digits the next time they send out a spam campaign.

Understanding identification of Bulk Email in Office 365


Bulk email, sometimes referred to as grey mail, or gray mail, is a type of email that is difficult to classify for all users at a global level. Bulk or gray email is email that some users want but others consider spam. For example, some users want their email from Amazon Local’s Daily Deals or invitations to an upcoming conference on cyber security. Other users consider this email spam.

The reason that it is called gray mail is because it is not a spam/non-spam decision, it is a shade of gray:

  • If we decide that gray mail X is spam, the users that want it will complain and submit it as a false positive that was wrongly marked as spam

  • If we decide that gray mail X is non-spam, the users that don’t want it will complain and submit it as a missed spam message that wrongly arrived in their inbox


In other words, there is no solution that will satisfy all users.

To get around this problem, Office 365 has an option that allows tenant administrators to mark all messages that the service identifies as bulk as spam (see Advanced Spam Filtering Options). If an administrator selects this option, and users start seeing messages that they want in their junk mail folders, they can add the bulk senders that they want to their safe senders list. Alternatively, administrators can create Exchange Transport Rules (in Exchange Online) or Policy Rules (in FOPE) to allow certain types of messages at a global level for everyone.

Office 365 uses the following criteria to decide whether a sending IP address is a bulk emailer:

  1. Sends promotional email in bulk

    The sending IP belongs to a sender that is known to send promotional materials or is a known (or suspected) email marketer. Email messages may or may not have an Unsubscribe link.

  2. Not a “good” bulk emailer with good list management practices

    The contents of the message are sent in bulk but Office 365 is unclear about the quality of its email list acquisition. This means that good bulk mailers can be exempted from the list because they practice good bulk email sending (double opt-in, etc.).

    The reason they are exempted is because if these IPs were on the bulk senders list, the relative increase in user satisfaction (from people who think these messages are spam) would be outweighed by the decrease in user satisfaction from people who want these messages. Even though blocking these messages is optional, enough complaints are generated that including them globally still causes a net negative effect on the user experience.

    If customers still want to block email from bulk emailers that are not listed by Office 365, the following are workarounds:

    a) For the administrator, add the sending IPs to a Block list or domains to a Transport rule:
    Configure IP Block list properties
    Create a Domain-Based Safe Sender or Blocked Sender List Using Transport Rules

    b) For the end-user, if users’ blocked and safe senders are sync’ed with Office 365, the user should add the sender to their Blocked Senders list:
    Safe Sender and Blocked Sender Lists FAQ

    c) For the administrator, to more generically block bulk email, see the following article:
    How to create more aggressive Bulk Email settings in Exchange Online

  3. IP addresses are specific

    IPs are usually added singly or by CIDR range. They are not typically added by reverse DNS but they can be.

  4. Customers are not exempt

    Office 365 customer IPs (i.e., IPs used to relay outbound email from customer on-premises mail servers through the service and out to the Internet) can be listed as bulk emailers. Office 365 does not provide outbound bulk emailing services.

The above summary should provide all the information necessary to understand Bulk Email identification in Office 365.

It turns out that the NSA can “jump the air gap”


In case you missed it, the other day news broke indicating that the NSA could spy on you using radio waves, that is, even if your computer was not connected to the Internet.

From CBS News:

The New York Times reported that the technology, used by the agency for several years, relies on radio waves that can be transmitted from tiny circuit boards and USB cards inserted covertly into the computers. The NSA calls the effort an "active defense" and has used the technology to monitor units of China's army, the Russian military, drug cartels, trade institutions inside the European Union, and sometime U.S. partners against terrorism like Saudi Arabia, India and Pakistan, the Times reported.

When I read this, I was impressed that they could do this; it’s a big technological achievement. Formerly, it was believed that if your computer was not online, you were safe because data could not be relayed back to anyone. It turns out this sense of security is misplaced.

At the same time, I was disconcerted that this technology actually did exist. I said to myself “Um… really?”

image

Via Reason.

Understanding how Exchange Transport Rules work on the Sender


One of the more powerful features in Exchange Online Protection (EOP) is Exchange Transport Rules, also known as ETRs. They have a variety of functionality, but the one I want to focus on is how they operate on the sender of a message.

The following web pages describe the predicates of an ETR, that is, the parts of a message that you can conditionally look for, and the actions you can take when they match:

Transport Rule Predicates

Transport Rule Actions

One of the predicate names is "The Sender Is", whose name in PowerShell is "From." The description is "From matches messages sent by the specified mailboxes, mail-enabled users, or contacts."

This can be a little confusing because in email, the message sender can refer to multiple things:

  • The sender in the 5321.MailFrom, sometimes referred to as the P1 From

  • The sender in the 5322.From, the one that shows up in your email client, sometimes referred to as the Display From:, or Message From:.

  • The Sender: header which is inserted when email is sent on behalf of another, depending on the email client

  • The Reply-To field; when users click “Reply”, the message goes to this email address rather than any of the above ones

Given that there are so many possible “Senders”, which one does the “From” predicate match?

The answer is that it matches the 5322.From header.

It does not match the 5321.MailFrom, the Sender: header, or the Reply-To. This is different from user-level safe senders, which match the 5321.MailFrom. I go into more detail on that in these two articles:

How to use safe senders in EOP and FOPE

Why do safe senders in EOP and FOPE operate on the 5321.MailFrom instead of the 5322.From address?

How do you write an ETR on the 5321.MailFrom? You write it on the Return-Path header. This header is stamped by the mail server when it receives a message and it is available for scanning in the Transport Rule engine.

To do this in PowerShell:

New-TransportRule "Safe Sender ETR for Return-Path" -HeaderContainsMessageHeader "Return-Path" -HeaderContainsWords "user@example.com" -SetHeaderName "X-ETR-Safe-Sender-Return-Path" -SetHeaderValue "user@example.com" -SetSCL -1

To do this using the Exchange Admin Center, navigate to Admin –> Exchange –> mail flow –> rules –> create new rule (click the + sign):

image

What this does is bypass filtering if the 5321.MailFrom is user@example.com and stamps the header X-ETR-Safe-Sender-Return-Path: user@example.com for troubleshooting if someone ever gets spam from this sender. They will know that it was an ETR that acts as a safe sender on the Return-Path header. Adding this header is not necessary but I like to do it because I have a tendency to forget what ETRs I have created in the past.

The above is how ETRs operate on the From: address and how to operate on the 5321.MailFrom address.
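To make the difference between the sender identities concrete, here is an added example of my own (not code from the post, from Exchange Online, or from Microsoft). It parses a constructed message whose Return-Path, From:, Sender: and Reply-To all differ, and then models the two rules discussed above: the "The sender is" (From) predicate, which compares only the 5322.From, and the Return-Path rule from the PowerShell command, which compares the 5321.MailFrom and stamps the X-ETR-Safe-Sender-Return-Path header on a match. The message, the addresses and the rule-evaluation functions are assumptions for illustration; the real Transport Rule engine is not being called.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not a real capture). The four "sender" identities
# deliberately differ so that each rule below matches a different one. Return-Path
# is the header the receiving server stamps from the SMTP MAIL FROM (5321.MailFrom).
RAW_MESSAGE = b"""Return-Path: <bounce@lists.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.com with ESMTP; Tue, 4 Feb 2014 10:00:00 +0000
From: "Newsletter" <user@example.com>
Sender: "Mailing System" <mailer@lists.example.net>
Reply-To: replies@example.org
To: recipient@example.com
Subject: Weekly update

Hello from the list.
"""


def sender_identities(raw):
    """Extract every address a message can be said to come 'from'."""
    msg = email.message_from_bytes(raw)
    pick = lambda name: parseaddr(msg.get(name, ""))[1].lower()
    return {
        "5321.MailFrom": pick("Return-Path"),   # envelope sender (P1 From)
        "5322.From": pick("From"),              # display From: shown in the client
        "Sender": pick("Sender"),               # on-behalf-of sender
        "Reply-To": pick("Reply-To"),           # where a reply is addressed
    }


def from_predicate_matches(raw, address):
    """Models the ETR 'The sender is' (PowerShell: From) predicate, which the
    post says compares only the 5322.From address (hypothetical model)."""
    return sender_identities(raw)["5322.From"] == address.lower()


def return_path_rule(raw, address):
    """Models the rule on the page: HeaderContainsMessageHeader "Return-Path"
    with HeaderContainsWords <address>. On a match it stamps the troubleshooting
    header and returns SCL -1 (bypass filtering); otherwise it returns None."""
    msg = email.message_from_bytes(raw)
    if address.lower() not in msg.get("Return-Path", "").lower():
        return None
    msg["X-ETR-Safe-Sender-Return-Path"] = address
    return {"scl": -1, "message": msg}


if __name__ == "__main__":
    for name, addr in sender_identities(RAW_MESSAGE).items():
        print(f"{name:14} {addr}")
    # A From-predicate rule for user@example.com fires; a Return-Path rule for the
    # same address does not, because the envelope sender is the list's bounce address.
    print("From predicate:", from_predicate_matches(RAW_MESSAGE, "user@example.com"))
    print("Return-Path rule:", return_path_rule(RAW_MESSAGE, "user@example.com") is not None)
```

The practical point the example shows: a safe-sender ETR written with the From predicate for user@example.com would match this message, while the Return-Path version would not, because the envelope sender belongs to the mailing list. Which one is right depends on which identity you actually trust.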

According to the World Economic Forum, I am helping to fight the seventh most dangerous global risk


This is going to be a long post.

How I spent my weekend

This weekend I took a quick glance at the World Economic Forum’s Global Risks for 2014 report. The WEF is a Swiss nonprofit foundation that describes itself as an international organization dedicated to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas (I pulled that description off of their Wikipedia entry). They bring together 2500 leaders to compile a report of threats as well as how to combat them. The 2014 meeting, held late January, had the theme “The Reshaping of the World: Consequences for Society, Politics and Business.”

They face criticism; anti-globalization activists claim that capitalism and globalization increase poverty and destroy the environment (they are right in some ways, not wrong in others).

Anyhow, I was reading the report about the leading risks the world faces, and they divide them up into five categories:

  • Economic risks
  • Environmental risks
  • Geopolitical risks
  • Societal risks
  • Technological risks (purple in the chart below)

Within each category there are 6-8 specific problems except for technology where there are only 3. If you want more details I’d encourage you to read the report yourself (linked above).

What I want to focus on is how they rate the risks, as in the diagram below:

image

The impact – how bad something would be if it happened – is plotted on the vertical axis and the likelihood – the probability of it occurring – is listed on the horizontal axis. The worse an event is, the further up and right it will be.

Looking at these, the acquisition (and presumably use) of weapons of mass destruction would cause a lot of damage but the odds of it occurring are small. On the other hand, mismanaged urban development does not have nearly the impact of WMDs but is much more likely to happen.

I looked at this table and I created another category – Expected Impact. To do that, I multiplied the Impact by the Likelihood to come up with a third category that estimates how bad something is in objective(ish) numbers. The table above doesn’t have the number values, only the plots on the chart, so I estimated their relative values by eyeballing them.

The Results

Of the 31 threats, Technology is responsible for 3 of them. Cyber attacks rate #7 and Data Fraud/Theft rate #8. The rest of the top 10:

  1. Extreme weather events
  2. Climate change
  3. Income disparity
  4. Unemployment and underemployment
  5. Water crises
  6. Fiscal crises
  7. Cyber attacks
  8. Data fraud/theft
  9. Biodiversity loss and ecosystem collapse
  10. Natural catastrophes

As someone who works in computer security fighting spam (among other things), it gives me a sense of pride to know that the World Economic Forum considers my industry to be among the top 10 most important things facing humanity.

By that, I mean that cyberattacks (#7) are a serious issue, and working to enhance things like authentication (e.g., DKIM and DMARC) strengthens the Internet and makes it more difficult for attackers to take it down. Reducing spam increases trust on the web, and creating products that make software secure makes the risk of a cyber attack that much less. I play a small role in this; many others reading this do as well, and we should take pride in it.

I won’t go into the full details about what the WEF means by this category, but the WEF defines cyber risks as crime, hacktivists, espionage and war. The worst case has been called “Cybergeddon” where the Internet would no longer be divided between attackers and defenders but between predators and prey. Because this would cause a loss of trust between people, they would rely upon the Internet less and less. The most transformative technology since the Gutenberg press would regress, to the loss of humanity.

It is a question of trust.


How this affects me

Part of my job is to create a more secure Internet; it’s what I do. My responsibilities at work are to help drive authentication in email. It’s my small part of the world and one thing where my abilities are useful in real life.

This is important to me. A few years ago, the wife and I looked into doing some sort of charitable work. After researching Doctors Without Borders, Engineers Without Borders, and a few other organizations, I realized that I have no useful skills in the developing world. I know nothing about medicine, I can’t build radios, and any physical strength I have is easily matched by anyone else (i.e., I provide no special benefit) and surpassed by people younger and stronger than me (plus, I have bad hips).

image 


Large companies like Google and Facebook have made it their mission to help connect the developing world by providing them with Internet access. However, Microsoft founder and philanthropist Bill Gates has scoffed at this and said basic things like access to clean water, immunization against diseases and reduction in child mortality are far more important.

“I certainly love the IT thing,” Gates said in the interview. “But when we want to improve lives, you’ve got to deal with more basic things like child survival, child nutrition.”

He said that making it a "priority" for the whole world to be connected to the Internet was, "a joke."

“Take this malaria vaccine, [this] weird thing that I’m thinking of. Hmm, which is more important, connectivity or malaria vaccine? If you think connectivity is the key thing, that’s great. I don’t.”

Source: Vator.TV


Those are some tough words but he’s probably right.

As I have gotten older, I feel like I have become more cynical. I have started to become more aware of the wealth gap that exists today, and this is highlighted in the #3 risk above – income disparity.

I feel weird sometimes being in an industry that pays me as well as it does and wonder if I’m doing the right thing. Am I making the world a better place? Should I be doing something different?

Last week, the Seattle Seahawks won the Super Bowl and everyone around me was cheering. I was happy for them, too. The Seahawks were clearly the best team in the NFL this year.

image

I have watched football for nearly 25 years. But here’s the thing – as the press was writing glowing reviews about how the Seahawks worked hard to become champions, and how the owner of the Seahawks turned the franchise around and talked about him in glowing terms, and how so many fans were cheering, the following thought crossed my mind:

Middle class people who spent a lot of their income to watch the game are cheering for a bunch of millionaires and billionaires who will each be getting bonuses for one day’s work, the total of which is more than most of those cheerers make in a year.

I know that everyone on the team worked hard to get there and deserve the money they are paid, but it seemed weird to me that we would all cheer on the success of people who make more money than anyone else in the stands. It’s like “Hooray! You have more than I do! And now I congratulate you on getting even more!”

For the first time in my life, this puzzled me.

And this comes back to the top 10 list above. There isn’t much I can do to fight climate change (outside of reducing my energy use, but let’s face it – those of us in the developed world are responsible for most of this) and extreme weather events. I can give to charitable organizations to help reduce income disparity. But am I really making the world better?

I tell myself that at least I am making it not worse.

But with this report, with cyber attacks at #7, I can finally say that I am doing something worthwhile. This does not mean that I am correct in this belief. Instead, it means I can tell myself I am doing something worthwhile and that relieves my cognitive dissonance.

Perhaps I am helping the bottom line of the betterment of humanity after all.

That’s what I keep telling myself.

Let’s not be too smug when others are hacked because we all do things we shouldn’t


This will be another long post.

A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going forward. This is contained in a series of articles they posted on their website.

To make a long story short – they were phished.

image

From: How the Syrian Electronic Army Hacked Us: A Detailed Timeline of Events, all highlights are mine:

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.


This is an effective strategy and it was part of a two-pronged attack. Someone from Forbes got an email that is somewhat related to what they do, and they may have even received a link like this:

Hey, what do you think about this? Is it true?
http://www.article-to-some-important-new-site.com/article/cgi?=randomstuff

If you hover your mouse (if reading this on a laptop or desktop) you will see that the displayed http link is not the same as where the link actually takes you.

The linked page asks the user to enter their credentials. Being prompted to enter your credentials at work is so common that many people don’t think twice about it. This person was doing their job and so far everything more-or-less fits with their general work flow. It’s not exactly congruent, but close enough.

Once inside, the hackers used another effective tactic – they moved laterally. They sent spam from the compromised account to other users in an attempt to gain access to important data. While the spam filter didn’t work the first time because it came from the outside, it definitely wouldn’t work when sent from the inside because most environments assume that the inside is secure. People inherently know that it isn’t, but it’s close enough.

Until it isn’t.

Forbes posted a follow-up article by Kashmir Hill, based on an interview with the attackers, about why they attacked Forbes. According to a representative not involved in the attacks but close to those who were:

He says that Forbes editorial content on Syria made it a target, pointing to recent articles about a hacker who claimed to find porn on Syrian secret police’s computers and an article decrying the SEA’s hack of the Marines’ website. “This is pure propaganda,” he said. “This is a message, we will not tolerate lies.”

In other words, this was an episode of hacktivism and resembles the 2007 DDoS attacks on the government of Estonia by Russian youth angered by the Estonian government taking down a Russian World War II memorial.

I want to make three points about this incident:

  1. This was a well-executed social engineering attack.

    image

    When I say “well-executed”, what I mean is that all the pieces of the puzzle were done with minimal suspicion.

    - The web page where the user entered their credentials looked like a valid login page
    - The phishing email didn’t contain suspicious language (i.e., grammatically correct)
    - The phishing email was relevant to the target
    - The landing page was hosted on a compromised server
    - The phishing email was sent from a compromised server that had not previously sent high volumes of abusive content

    In other words, a great deal of care was taken by the attacker to disguise their tracks, and it would be difficult for the average consumer of email to detect this without a high level of vigilance (i.e., working in the security industry, receiving lots of education, etc.)



  2. People in the security industry are very smug about their own non-susceptibility to scams relative to others, but shouldn't be

    image

    This is the point that prompted me to write this post. Forbes is not the first company to have something like this happen to them. People are targeted all the time. Yet there are people in the security industry – people I have personally talked to – who say that the people who clicked the link and entered their credentials are “idiots.” When I challenged them on this point, they dug in their heels and reiterated “Nope, they’re idiots.”

    The idea is that only an “idiot” would fall for something so obvious and do something so careless like entering their credentials on a web page that looks like their regular corporate login page.

    This strongly irritates me because the average consumer is not overly security aware, but they do have a basic awareness. People know about bad passwords and poor security habits; they just don’t always act on that knowledge. In the Forbes case, the user was aware but made a poor judgment. The problem is that the average consumer does not have computer security awareness drilled into them over and over again to internalize these behaviors.

    What irritates me is that we in the security industry complain about consumers’ poor security habits despite their lack of education, but what does it say about us when we ourselves have poor health habits despite an abundance of it? For example:

    * We all know too much sugar is bad for us. It makes us gain weight and is bad for our teeth. This is reinforced almost every day. How many of us eat too much sugar? And junk food in general?

    * We all know that an inactive lifestyle is very bad for us. Yet how many take steps to ensure we get our 10,000 walking steps per day? Or try to alleviate sitting for 6-8 hours per day like the typical office worker?

    * We all know that staring at computer screens is bad for our posture, our muscles, and our eyes. Yet we do it anyway in spite of health advice that tells us not to.

    * We all know that we consume too much energy in the first world. Yet how many of us make sacrifices to reduce our energy consumption without prompting from anyone?


    In other words, the average consumer makes mistakes in a very narrow set of circumstances. Yet the same people who call consumers “idiots” for making a bad choice in spite of their lack of knowledge make bad choices every single day in their own lives in spite of an abundance of knowledge.

    And that bothers me because it is a double-standard and we should know better.

  3. Criticizing others for falling for scams makes a Fundamental Attribution Error – not accounting for the situation

    From Wikipedia:

    “The fundamental attribution error is people's tendency to place an undue emphasis on internal characteristics to explain someone else's behavior in a given situation, rather than considering external factors.

    For example, consider a situation where Alice, a driver, is about to pass through an intersection. Her light turns green and she begins to accelerate, but another car drives through the red light and crosses in front of her. The fundamental attribution error may lead her to think that the driver of the other car was an unskilled or reckless driver. This will be an error if the other driver had a good reason for running the light, such as rushing a patient to the hospital. If this is the case and Alice had been driving the other car, she would have understood that the situation called for speed at the cost of safety, but when seeing it from the outside she was inclined to believe that the behavior of the other driver reflected their fundamental nature (having poor driving skills or a reckless attitude).”


    image


    Thus, from my point #1, this was a well-executed phishing attack. Saying other people are “idiots” fails to consider the circumstances in which this person clicked the link:

    - She was an editor who is asked to comment on articles like this regularly
    - She got an article and was asked to comment
    - She has to log in to pages regularly
    - She doesn’t normally see spam in her inbox
    - She is used to obvious spam like “Get your free Viagra” or something similar

    Security professionals have what I call an “empathy gap” where they are unable to see the situation from the average user’s perspective. It is obvious to us but it is not obvious to others.

    However, in my own life, there are many things that are not obvious to me:

    - I don’t know exactly how my furnace heater works (I paid a professional $800 to fix it this morning)
    - I don’t know exactly how the plumbing in my house works
    - I don’t understand the medical billing system or what many of the words mean when a doctor explains to me what is wrong with me
    - I don’t fully understand exactly how all the parts of my car work together

    When I look at myself, I am an expert in almost nothing in life. Because of this, I need to empathize with the average computer user, who has as little expertise in my field as I have in almost everything else. Were they really careless? Or am I misjudging them due to cognitive bias?
Anyhow, those are my thoughts on consumers getting hacked. I’m not picking on Forbes because it could happen to anyone. According to some sources, it has happened to every organization in the Fortune 500.

The Internet of Everything: Why I will never be out of a job

Business Insider recently posted a slide deck about the next big thing: The Internet of Everything. This is basically about how all of our devices will soon be connected to the Internet. You can watch the slide deck here (one scrolling continuous page, easy to read): Internet of Everything: 2014 [Slide Deck].

It makes for an interesting read and I won’t spoil the surprise but there is one thing I will call attention to – the biggest barrier to the Internet of Things is this slide:

image

In case you can’t read it, the number one disadvantage is Cybersecurity – Threats to physical security.

While it may be great for your toaster to be able to talk to your refrigerator which syncs up to your car, the downside may be that your toaster is sending spam while your refrigerator is hosting malware and simultaneously your car acts as a name server resolver for both.

Where there is potential for great advances in technology there is potential for its abuse. I guess I am in an industry where my skills will continuously be in demand.

Well, at least for the next 10 years or so.

Life in the cloud seems… overrated

You can call me cynical but the latest digital revolution – putting your life in the cloud where you interact with it using devices – seems overrated to me.

You know what I mean; if you’re a member of the tech industry, the latest major trend is cloud computing. This is where all of your data is stored in various companies’ cloud computing databases and you interact with it through devices like tablets, smart phones and PCs (laptops/desktops, not necessarily Microsoft OS’es). I am exaggerating, but the hype surrounding it makes it sound like this is going to be the greatest thing in the history of the computer! Get ready for it! It’s going to be amazing!

image

I’m not going into a lot of detail here, but you’re smart readers. You know what I mean. I’m saving time to get to my real point.

All this talk about life in the cloud… I have real doubts that, in real life, it will live up to its greatness.

Why do I say this?

Last week, my wife and I visited her family in Taiwan. She lives here in the US and speaks English but speaks Taiwanese with her parents, who can also speak English. They speak English with me, but Taiwanese with each other. Last fall, they retired and moved back to Taiwan where it is cheaper (outside of Taipei, where the housing costs are worse than most of the US).

I’ve tried learning a little Taiwanese but it is very difficult. I was also learning Mandarin for a few weeks before I left (also difficult). The problem is:

  1. Unless you spend a lot of time in the country where it is the native language, you will never pick it up well enough to converse.

    They say that for English speakers, Chinese, Japanese and Korean are the hardest languages to learn and it could take around two years.

    image

  2. There are not a lot of resources to learn it.

    This is important: Taiwanese != Mandarin. They are not the same language and they are not mutually intelligible. Even though Mandarin is the official language of Taiwan, most of the population also speaks Taiwanese. There are a lot of resources (books, learning apps on my tablets, translation sites) available for Mandarin, but not for Taiwanese. The population of Taiwanese speakers is perhaps 20 million, which is why there isn’t that much.

  3. Mainland China’s writing system is Simplified Chinese, which is what I was learning (I was also trying to learn Mandarin). By contrast, Taiwan uses Traditional Chinese.

    In the 1950’s, mainland China converted Traditional Chinese to Simplified Chinese in order to make it easier for the population to learn. However, Taiwan did not. While some characters are the same, many are different. Thus, much of the time I spent learning Simplified Chinese did not help that much in Taiwan.

My wife, in-laws and other members of her extended family were nice enough to speak English to me, but with each other they spoke Taiwanese.

They say that communication is 7% verbal and 93% non-verbal (part body language and part tone-of-voice). Well, let me tell you, that’s completely false. I am good at observing body language and when my relatives were talking to each other I absolutely did not understand 93% of what was going on.

Perhaps if you are observing others this quote is true, but once you are part of the conversation and seated at the table, that 7% verbal communication is the most important part by far! I could follow basically nothing of what was being said. Sure, I can tell the emotions of what’s going on – sometimes funny, sometimes concern, sometimes curiosity. But that’s a far cry from taking part in a conversation. I know that most of the chatting is about regular family things – who’s working where, who’s neglecting what, who’s being irresponsible (you know, gossip – the thing we all do yet all say we revile), but I was not a part of what was being discussed. I could only sit and watch.

Out on the streets, I could tell what things were:

  • I could tell what food stores were
  • I could tell the street signs
  • I understood the food vendors

But in terms of advertisements and exact messages, I could read almost nothing. The symbols in Mandarin I already knew didn’t show up often, except for water, 水 (that sign was everywhere and I never figured out why); fish, 魚; beef, 牛; meat, 肉; man, 男; woman, 女; and good, 好. But this amounted to 1% of all the symbols I saw. Imagine reading this blog post and understanding only 1% of all the words.

image

And therein lies my disconnect.

I expected to be able to understand very little conversation or read very little. Yet I had this vague hope in my mind that technology would help me. Why did I think this? Because somehow I had the idea that life in the cloud changed everything! Why would I think that? It’s not a conscious decision; it’s something I had to have picked up somewhere, and it must be from advertising and the reinforced message of having lived and worked in tech for 10 years.

Yet technology was basically useless.

For one thing, my phone’s data plan works in the United States only. If I try to use data overseas, I get charged a ridiculous amount. Can I afford it? Yes. Will I pay for it? NO!

For you see, even though it’s not logical, I am psychologically averse to going through the trouble of getting additional communication devices (phones) for something I use so infrequently (going overseas). I know there are ways around this, but there are deep-seated cognitive “defects” in my brain for loss-aversion that prevent me from doing it or trying to work around it.

It seems that technology’s “Life in the cloud is great” belief assumes you have Internet connectivity everywhere. Well, I don’t. And if you don’t, then what?

Secondly, even if you have a translation app like I did on my phone that works offline, it isn’t very good for east-Asian languages. The translator app on my phone has Norwegian, Russian, Swedish, Dutch, Portuguese, Spanish, French, Italian, German and Simplified Chinese available for download. As I explained above, Simplified Chinese != Traditional Chinese. I tried using it anyway and the result was worthless. There wasn’t a single instance of me pointing my phone at a line of text and having it translate something intelligible back to me. It was all a bunch of gobbledygook.

Every. Single. Time.

image

There was a time when I thought that the major languages like the ones that are available for offline download were the most important ones. I still think that, but the smaller languages are also still very important for two reasons:

  1. Communication – not everybody can speak the major languages.

  2. Cultural preservation – I don’t think it’s a good thing to be losing smaller languages. Cultures are important, language is one of those things that preserves them, and losing a language loses a cultural identity. I don’t think that people moving to a couple dozen main languages worldwide is a good thing.

Basically, if I want to learn a foreign language and culture, then I need to learn the language and culture. I can take a class, buy some books, learn on the web, buy software like Rosetta Stone, download some apps, and converse with native speakers. There’s really no way around it (short of having a translator). In other words, I need to do this the old-fashioned way.

But here’s the point – I don’t need my life in the cloud for that. Sure, the cloud helps. I downloaded a bunch of apps onto my iPad from the Cloud. There are ways to use Skype to help practice with native speakers. I can browse Amazon book reviews to see which ones are the best ones for learning languages.

But all of that stuff existed before the “life in the cloud revolution” took place. And now that it’s being sold as the next big thing, I didn’t find that it helped me in my real life with something new. This causes me a lot of cognitive dissonance and personal conflict because I work in an industry that is trying to get everyone to move to the Cloud, and I am paid to sell that vision.

I guess that’s the disconnect I’m having a hard time articulating. It may be that I’m doing things wrong. Sometimes I feel like I’m too dumb to use technology the most efficient way possible.

I wonder if anyone else feels the same way?

    One advantage of life in the cloud


    As I mentioned in my previous post, I recently went to Taiwan with my wife to visit her parents and extended family. And as I said in my previous post, I was really underwhelmed by the promise of “life in the cloud”.

    However, there is one big advantage – when I take pictures with my phone, it syncs them to my OneDrive (formerly SkyDrive) automatically; that is, whenever there is an internet connection nearby. My phone does not take pictures as well as a digital camera does, but I really like that it syncs without me having to transfer from the memory card.

    So, here are 10 pictures from Taiwan from my phone:

    1. Me outside Din Tai Fung, one of the best dumpling places in the world. I’ve been to the one in Seattle (Bellevue) and now I can say I’ve been to the one in Taipei. If M3AAWG ever has a session in Taipei, someone should sponsor a night-out here!

    image

    2. The fruit in Asia is better than anything in North America. This is Shakya and it is amazing!

    image

    3. In Taitung on the southeast corner of Taiwan is a Museum of Prehistory. It is one of the best natural history museums I have been to. They used to have elephants in Taiwan, something I never knew!

    image

    4. One of the computers I saw running Windows XP with Internet Explorer 6.

    image

    5. One of the theories about the origins of the people populating Austronesia – the islands stretching as far west as Madagascar and as far east as Easter Island, but excluding New Guinea and Australia – is that they originally descended from Taiwan. This large head is not native to Taiwan but instead pays tribute to the Easter Islanders who may be descendants of the Taiwanese.

    image

    6. Did you ever wonder how they grow rice? Below is a rice field. They’re all like this – slightly flooded.

    image

    7. The Pacific coast of Taiwan.

    image

    8. A busy street in Taichung on the west side of the island.

    image

    9. Checking out some of the street markets in Taichung.

    image

    10. Finally, can anyone translate what this says? The app on my phone says it means “F**k capitalism.” Is that true?

    image

    That’s all for now, thanks for viewing.

    I received a pretty good Apple phish this morning


    This morning, I discovered that I had received an email “from” Apple informing me that I had recently updated my credit card with Apple:

    image

    The screenshot above is from my Thunderbird email client but that’s not where I originally checked it – I originally checked it on my phone.

    1. The first thing I thought when I got this email was “That’s odd; I don’t remember updating my credit card.”

    2. The second thing I thought was that it was strange that the date on which I supposedly changed my credit card was written Day/Month/Year. Apple is an American company and would write a date as either Month-Day-Year or Year-Month-Day. The format used is something Europeans typically do, not Americans.

    3. The third thing that went through my mind was that this was most likely a phishing message. I decided to click the link to see where it would go. I was reasonably confident that since I was checking it on a Windows phone that there was no drive-by download malware designed for my particular phone and I also had no plans to enter in my credentials. The link never actually loaded.

    When checking it on my phone it loses a lot of the rendering. That’s part of the problem. Above, you can see that the images fail to load. But on my phone there was no indication that there were any images at all. The lack of loading images in Thunderbird along with no option to load them would make me immediately suspicious but because there was no indication of this on my phone, no suspicions were raised.

    Furthermore, the only link in the above phishing message that actually went anywhere was the one to iforgot.apple.com. All the other ones didn’t point anywhere if I hovered my mouse over them. However, on my phone, there is no option to hover over a link. The only way to verify it is to click and see where it goes (which is why I clicked on it above).

    Finally, in Thunderbird I can easily open up the headers of the message and take a look where the message came from, thus confirming it as a phish. There’s no way to view the raw source of a message on my phone.

    And this illustrates the conundrum of mobile mail clients: yes, they are convenient but it’s difficult for users to inspect the message when it is suspicious using the heuristics I just described above. You can do it on a desktop client, but not on a mobile one. I would think that would make it easier for phishers to trick users since there’s no way for them to investigate further (assuming, of course, that they even did this to begin with).

    Blocking executable content in Office 365 for more aggressive anti-malware protection


    Sometimes, spammers and malware writers create malware that passes through our service and arrives in customer inboxes. This is known as zero-day malware. The anti-malware engines that we use have not yet created signatures for them, and sometimes the spam rules do not catch them because the small amount of content has nothing for the spam rules to detect without causing false positives.

    One way to block this is an Exchange Transport Rule that acts on attachments with executable content. That targets the delivery mechanism most of this malware relies on: a file that runs as soon as the user opens it, whatever the message text says.

    1. To do this using the Exchange Admin Center:

      Log in to the Exchange Admin Center and navigate to Admin–> Exchange –> mailflow –> rules.

    2. Create a new Transport rule using the instructions below

      Create a new rule entitled “Block executable content”
      * Apply this rule if… Any attachment has executable content
      * Do the following… Delete the message without notifying anyone

      This will ensure that any message with executable content will not make it to the end user similar to how malware is treated today in the service (i.e., it is deleted).

      image
           
      Alternatively, if you don’t want to delete the message because you may receive false positives:

      Create a new rule entitled “Block executable content”
      * Apply this rule if… Any attachment has executable content
      * Do the following… Set the Spam Confidence Level to 9 and Prepend the subject of the message with [POSSIBLE MALWARE]


      This will route messages using the High Confidence Spam Action your organization has selected (Spam Quarantine, x-header modification, or move to Junk Mail Folder). However, it will also modify the message subject to give a visual indicator to users that it may contain possible malware so if they go through their Junk Folder or Spam Quarantine, they will see why the message was sent there.


      image

      Neither of these options rejects or bounces the message back to the sender. Do not choose a reject or NDR action for this rule: malware campaigns routinely spoof the From address, so the rejection notice would go to whoever was spoofed rather than to the actual sender.

    3. To do this using PowerShell instead:

      a) Connect to Exchange Online using PowerShell
      http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

      Or, connect to Exchange Online Protection using PowerShell
      http://technet.microsoft.com/en-us/library/dn621036(v=exchg.150).aspx

      b) To delete the message without notifying anyone:

      New-TransportRule -Name "Block executable content" -AttachmentHasExecutableContent $true -DeleteMessage $true

      To set the SCL to 9 and modify the message subject (note that the condition is still required; without -AttachmentHasExecutableContent the rule would have no condition and would tag every message):

      New-TransportRule -Name "Block executable content" -AttachmentHasExecutableContent $true -SetSCL 9 -PrependSubject "[POSSIBLE MALWARE]"

    4. The following table lists the file types that the "has executable content" condition matches (this is Microsoft's documented list for the condition):

      Description                                                                        Extension
      ---------------------------------------------------------------------------------  ---------
      Self-extracting archive file created with the WinRAR archiver                      .rar
      32-bit Windows executable file with a dynamic link library extension               .dll
      Self-extracting executable program file                                            .exe
      Java archive file                                                                  .jar
      Uninstallation executable file                                                     .exe
      Program shortcut file                                                              .exe
      Compiled source code file, 3D object file or sequence file                         .obj
      32-bit Windows executable file                                                     .exe
      Microsoft Visio XML drawing file                                                   .vxd
      OS/2 operating system file                                                         .os2
      16-bit Windows executable file                                                     .w16
      Disk operating system file                                                         .dos
      European Institute for Computer Antivirus Research standard anti-virus test file   .com
      Windows program information file                                                   .pif
      Windows executable program file                                                    .exe

      The transport engine does not rely on the file extension to decide whether an attachment is executable; it inspects the content to determine the true file type. Renaming payload.exe to payload.txt therefore does not evade the condition, which is also why several distinct entries above share the .exe extension.

    5. Submit the malware to Microsoft through the reporting portal

      Microsoft has a web portal for submitting samples that the anti-malware engines missed. If you are an Office 365 customer and a message with a malicious attachment lands in your inbox, please submit the attachment here:

      https://www.microsoft.com/security/portal/submission/submit.aspx

      Microsoft and Office 365 use these samples to update our anti-malware engines.
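    A complete version of step 3, as an added example that is not code from the original post. It assumes the current ExchangeOnlineManagement module and its Connect-ExchangeOnline cmdlet rather than the Basic-auth remote PowerShell session described by the TechNet pages linked above, which has since been retired; the admin UPN and the comment text are illustrative values. It adds two things the one-liners above leave out: the rule is created in audit mode first, so you can watch the message trace for legitimate mail that matches before the rule takes any action, and the stored rule is read back to confirm that the condition and the action really were saved.

```powershell
# Added example (editor's code, not from the original post or from Microsoft).
# Creates the "Block executable content" mail flow rule in audit mode, verifies it,
# and shows how to switch it to enforcement once the audit hits look clean.
param([switch]$TagInsteadOfDelete)   # pick variant B (SCL 9 + subject tag) instead of variant A (delete)

# Illustrative UPN; this is an interactive sign-in with the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$ruleName = "Block executable content"

# The condition is the part that matters. Without -AttachmentHasExecutableContent the
# rule has no condition at all and would apply its action to every message in transit.
$rule = @{
    Name                           = $ruleName
    AttachmentHasExecutableContent = $true
    Mode                           = "Audit"   # record matches in the message trace, take no action yet
    Comments                       = "Zero-day malware control: attachments whose content is executable."
}

if ($TagInsteadOfDelete) {
    # Variant B: hand the message to your high confidence spam action and mark the subject
    # so users can see in Junk Email or quarantine why it was diverted.
    $rule.SetSCL         = 9
    $rule.PrependSubject = "[POSSIBLE MALWARE]"
} else {
    # Variant A: drop the message silently, the same treatment detected malware gets.
    # Deliberately no reject/NDR action: the From address on malware is usually spoofed.
    $rule.DeleteMessage = $true
}

New-TransportRule @rule | Out-Null

# Read the rule back and confirm the condition and action were stored as intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, AttachmentHasExecutableContent, DeleteMessage, SetSCL, PrependSubject

# After a few days, if the audit matches contain no legitimate mail, enforce the rule:
#   Set-TransportRule -Identity $ruleName -Mode Enforce

Disconnect-ExchangeOnline -Confirm:$false
```

    Run it once; the two variants are alternatives, not a pair, since a message deleted by variant A never reaches a second rule. Keeping the rule in audit mode for a short period is cheap insurance against deleting a legitimate installer or .jar that a business partner sends regularly.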

    The above instructions will help catch zero-day malware. However, they should not be considered the definitive solution:

    1. Keep your local antivirus software up-to-date

      Malware can be, and is, delivered in formats other than the ones listed above.

    2. Ensure the other software you are running is up-to-date

      It is important to run the latest version of all your software (e.g., Windows OS, Internet browser, etc.). For Internet browsers, you can use
      https://browsercheck.qualys.com to ensure your browser plugins are running the latest version.

    3. You may get false positives

      If you legitimately need to send or receive a file of one of the above types:

    • Use a zip program to package the files before you attach them to your email message and password-protect the archive. In the message, include instructions that explain how to extract the files from the package. Be aware that scanners cannot inspect the contents of an encrypted archive, which is why some email clients and gateways block password-protected archives outright.

    • Post the files to a secure share. Cloud storage services such as OneDrive provide a space where you can post files; give your recipients access to them and include a link to the share in your message.

     
