Using “Account-free” Email Services to Combat Phishing, Brand Infringement, and Other Online Threats
Qi-fense LLC © 2009
Sebastian Holst, sebastian@qi-fense.com, +1 440 484 2243

This presentation highlights the specific tactical and regulatory advantages that can be gained by tapping information and activity managed by “account-free” email service providers. The removal of constraints imposed by privacy regulations simplifies existing anti-spam and anti-phishing techniques and enables entirely new strategies as well.

Post on 19-Dec-2015


TRANSCRIPT

Page 1: Using “Account-free” Email Services to Combat Phishing, Brand Infringement, and Other Online Threats Qi-fense LLC © 2009 Sebastian Holst sebastian@qi-fense.com

Using “Account-free” Email Services to Combat Phishing, Brand Infringement, and Other Online Threats

Qi-fense LLC © 2009

Sebastian Holst
sebastian@qi-fense.com
+1 440 484 2243

This presentation highlights the specific tactical and regulatory advantages that can be gained by tapping information and activity managed by “account-free” email service providers.

The removal of constraints imposed by privacy regulations simplifies existing anti-spam and anti-phishing techniques and enables entirely new strategies as well.

Page 2:

Classic Email

• User creates account with authentication
• User creates one or more mailboxes

[Diagram: Mailbox creation]

Account-free Email

• Creates mailbox for incoming email
• Mailbox is “owned” by service – there are no accounts

[Diagram: Mailbox creation]

Page 3:

Use cases

End-user
◦ Newsletter subscriptions
◦ Online account credential requests
◦ Transaction confirmations

Enterprise
◦ Quality Assurance for testing applications that send email
◦ A forwarding destination from other domains
◦ Enterprise disposable email

Spam diversion
Reduced record-retention

Page 4:

Spam examples

         6-Sep  7-Sep  8-Sep  9-Sep  10-Sep  11-Sep  12-Sep
Obama     1479   1513   1604   2970    2250    1714    2663
McCain     996    829   2113   2659    1590    1701    1856
Palin     1367    873   1880   2218    1547     932    1904
Biden      338    132    234    347     179     177     336

[Chart: PRESIDENTIAL SPAM-CAIGN 2008; y-axis: SPAM PER DAY; series: Obama, McCain, Palin, Biden]

Page 5:

Plausible deniability

[Chart: percentage change for Obama, McCain, Palin, Biden; series: Decline on Sept 11, Increase on Sept 12]

Page 6:

Vishing
Phishing
Brand monitoring
Grey market
Mule traffic
Illicit traffic
Malware

[Diagram: Account-free email. Labels: Account-free Email Service; Classic email servers; Domains; Send email; Forward email; Manual reading; Early Parsing & Capture; Extended retention and indexing; Redirection & Reporting; Usage Profiling]

Page 7:

Account-free Email

Both Unsolicited & Solicited content

Access to all server functions (receipt, read, delete)

Unrestricted access and distribution rights

Page 8:

Account-free email applications

Anti-phishing
Anti-spam
Malware capture
Brand monitoring
Prosecutorial tool
Educational content
Enterprise anti-spam control

Page 9:

Sample Implementation

[Diagram. Labels: Mature Account-free Email Services; Real-time Alerts; Client Admin; Reporting; Repository; Online Discovery; Qi-fense Portal; Filter Administration; Activity query request; Statistics aggregation; Filter logic; Data collection; Message aggregation; Alert distribution; Activity Reports]

Page 10:

Samples

Alerts
Reports
Search Sliver

Extract reference URLs
Same URL attacking multiple banks

Time stamp
True IP address
Header information
True reference URL

Time, IP, subject, from, reference URL…
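
The correlation this slide describes (pulling the true reference URL out of each captured message and spotting the same URL used against multiple banks), as an added Python example that is not part of the original presentation or Qi-fense's own code. The messages are constructed samples; the hostname mx.accountfree.example, treating the topmost Received header as the "true IP", and using the sender display name as the targeted brand are assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

def _sample(ip, brand, href):
    # Constructed message (not a real capture): link text imitates the brand.
    return (
        f"Received: from relay.example.net ([{ip}]) by mx.accountfree.example;"
        " Sat, 6 Sep 2008 10:00:00 +0000\n"
        "Received: from forged.example.org ([203.0.113.99]) by relay.example.net\n"
        f"From: {brand} Security <alerts@{brand.lower()}.example>\n"
        f"Subject: Verify your {brand} account\nDate: Sat, 6 Sep 2008 09:59:00 +0000\n"
        "Content-Type: text/html\n\n"
        f'<a href="{href}">https://www.{brand.lower()}.example/login</a>\n')

SAMPLES = [_sample(*a) for a in [
    ("192.0.2.10", "BankA", "http://198.51.100.7/a/login.php"),
    ("192.0.2.11", "BankB", "http://198.51.100.7/a/login.php"),
    ("192.0.2.12", "BankC", "http://www.bankc.example/login")]]

class HrefCollector(HTMLParser):
    """Collects href targets: where a link really goes, not what it displays."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def parse_capture(raw):
    msg = message_from_string(raw)
    # Assumption: the topmost Received header was stamped by the receiving
    # service itself, so its peer address is trusted; lower ones may be forged.
    received = msg.get_all("Received") or [""]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    links = HrefCollector()
    links.feed(msg.get_payload())
    return {"time": msg["Date"], "ip": ip.group(1) if ip else None, "urls": links.hrefs,
            "subject": msg["Subject"], "from": parseaddr(msg["From"])[0]}

def urls_hitting_multiple_brands(captures):
    seen = defaultdict(set)  # reference URL -> sender display names that used it
    for c in captures:
        for url in c["urls"]:
            seen[url].add(c["from"])
    return {u: sorted(names) for u, names in seen.items() if len(names) > 1}

CAPTURES = [parse_capture(raw) for raw in SAMPLES]
SHARED = urls_hitting_multiple_brands(CAPTURES)
```
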

Page 11:

Observations

A novel source
◦ No precedents inside law enforcement, federal agencies, financial institutions, technology suppliers
◦ Difficult to develop “artificial” sources

Organizational mismatch
◦ Take-down, anti-spam, prosecution, education, malware forensics, etc. are rarely in the same organization

Fresh
◦ Heavy use ensures that these email addresses will continue to proliferate
◦ Intelligence and applications are still being identified – more work to be done!

Vulnerable to exclusion
◦ Although domains and IP addresses can shift almost as quickly as with the bad guys
◦ Enterprise sub-domains would permanently eliminate this risk

Page 12:

Q & A

Thank you