How not to win friends and influence people

You might hope that companies in the internet security and anti-virus/anti-malware business would be the first to actually follow good practice when it comes to the internet.

I just got off chasing Symantec/Norton for billing me for an automatic renewal for a product I no longer use.  Now I know companies get purchased by other companies, as was the case with Norton and Symantec, but that was some time ago, so when I spent some time checking my email for the ‘renewal notice’ which I had missed, I didn’t limit my search to just the expected email account.

Now, I get far too many emails to read all those ‘junk looking’ ones, and since I run my own mail server I do try to look after the white lists and black lists on the domain names.  So, after looking, I found why I hadn’t spotted the ‘renewal notice’.

In total I had 5 email addresses from them – nothing wrong with that, but we are not just talking about the first part of the address here, as in, say:

  • sales@norton.com
  • support@norton.com
  • etc

which would allow white listing *@norton.com

or even sub-domains, as in

  • salesperson@sales.norton.com
  • supportperson@support.norton.com
  • etc

which would allow white listing *@*.norton.com

Oh no, I had email from:

Symantec <subscription@symantec.rsys2.com>
Norton Renewals <noreply_subscriptions@subscriptions.norton.com>
norton@symantec.com
Norton <norton@nortonfromsymantec.com>
Symantec Corporation <orders@mail.norton.com>

That’s 5 addresses from 4 domains and 2 sub-domains.

Now, to avoid ‘spoofing’ of email, companies (and I) use several methods to check that the email is actually coming from where it says it is.

Reverse DNS check

Look up the PTR record for the sender’s IP address and compare the name it returns with the domain the email claims to come from.  This is often where you catch spoofed email: either the reverse name doesn’t match the sending domain at all, or it shows the connection is coming from a dynamic (consumer) IP address rather than the fixed IP address a real mail server would have.  For example:

Mar 22 01:28:31 mail postfix/postscreen[10885]: NOQUEUE: reject: RCPT from [109.92.185.143]:2567: 450 4.3.2 Service currently unavailable; from=<ncudmore@telekom.rs>, to=<ncudmore@newashgreen.net>, proto=ESMTP, helo=<109-92-101-27.dynamic.isp.telekom.rs>

So this is coming from a rogue system: the HELO name claims to be a dynamic ISP address (and even embeds a different address, 109.92.101.27, from the one actually connecting, 109.92.185.143), and no legitimate mail server for telekom.rs would announce itself that way.  This can be checked further by looking at the MX records for the domain (the servers that accept email for the domain):

mx:telekom.rs

Pref  Hostname            IP Address      TTL
5     mail01.telekom.rs   212.200.252.1   60 min
10    irina.telekom.rs    195.178.37.4    60 min
20    gate.telekom.rs     195.178.37.20   60 min

Now, MX records only tell you which machines receive email for the domain.  In places that get a lot of email the inbound and outbound servers are different machines, so a sender that isn’t in the MX list is not proof of spoofing; this isn’t a fool-proof check.

SPF records

This is a TXT record in the domain’s DNS zone stating which servers are allowed to send email on behalf of the domain.  The receiving server compares the connecting IP address against the record’s mechanisms, and the final ‘all’ term says how strictly to treat anything that didn’t match (-all is a hard fail, ~all a soft fail).  SPF records have been around for some time now, but while useful, not all domains publish them, and a company that sends from several domains and sub-domains needs a correct record for each one of them.
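To make the SPF check concrete, here is a small evaluator written for this post as an added example (it is not the author’s code or any mail server’s implementation).  It walks an SPF record’s mechanisms left to right exactly as a receiver does, but answers the DNS lookups from a constructed in-memory table using made-up domain names and documentation address ranges, so it runs offline.

```python
"""Offline SPF evaluator over a constructed DNS table (added example).

A receiving server fetches the TXT record of the envelope sender's domain and
walks its mechanisms left to right; the first one that matches the connecting
IP decides the result. Real checks query DNS; here the answers are constructed
in memory so the example runs offline.
"""
import ipaddress

# Constructed records: made-up names and documentation IP ranges, not real data.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.bulkmail.example -all",
    "_spf.bulkmail.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    "softsender.example": "v=spf1 a ~all",
    "nospf.example": "",                      # domain publishes no SPF record at all
}
A = {
    "mx1.example.com": ["203.0.113.5"],
    "softsender.example": ["203.0.113.77"],
}
MX = {"example.com": ["mx1.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-querying terms to 10 per check


def _hosts_addresses(hosts):
    """Yield every address behind a list of hostnames (A lookups from the table)."""
    for host in hosts:
        for addr in A.get(host, []):
            yield ipaddress.ip_address(addr)


def _matches(mechanism, ip, domain):
    """True if a single mechanism (qualifier already stripped) covers the client IP."""
    name, _, arg = mechanism.partition(":")
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # `in` is False across address families, so an ip6 term never matches IPv4.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in set(_hosts_addresses([arg or domain]))
    if name == "mx":
        return ip in set(_hosts_addresses(MX.get(arg or domain, [])))
    raise ValueError(f"unsupported mechanism: {mechanism}")


def check_spf(client_ip, domain, _depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("include:"):
            # include: matches only when the referenced record yields "pass";
            # its softfail/fail/none simply mean "keep evaluating this record".
            if check_spf(client_ip, term[len("include:"):], _depth + 1) == "pass":
                return QUALIFIERS[qualifier]
            continue
        if _matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"   # ran off the end of the record without an "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.200", "example.com"),
                    ("2001:db8::1", "example.com"), ("203.0.113.78", "softsender.example"),
                    ("192.0.2.1", "nospf.example")]:
        print(f"{ip:>16} sending as {dom:<22} -> {check_spf(ip, dom)}")
```

Note the two different ‘all’ terms: a sender outside example.com’s own ranges and outside the included bulk-mailer’s ranges gets a hard ‘fail’ because example.com ends in -all, while the same miss against softsender.example only gets ‘softfail’.  That is the choice every one of those norton/symantec domains has to make for itself.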

Public Blacklist

There are several public blacklists (DNS-based blacklists, or DNSBLs) which you can query to check the reputation of the sending server’s IP address.

SMTP Banner

During the initial SMTP conversation the servers announce who they are to one another (the HELO/EHLO name), and this should match the name given by the reverse DNS lookup.  In other words, the PTR record for the server’s IP address (reverse lookup) should give a name that resolves back to that same IP address (forward lookup); this is what is meant by forward-confirmed reverse DNS.
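The reverse DNS, MX and HELO/banner checks described above, run over the postscreen log line quoted earlier, as an added example written for this post (not the author’s filter and not part of Postfix).  The DNS answers come from constructed in-memory tables: the telekom.rs MX hosts and addresses are the ones listed above, while the PTR answers and the example.net entries are made up so the example runs offline; a real check would use something like socket.gethostbyaddr() instead.

```python
"""Triage of Postfix postscreen reject lines against reverse DNS, HELO and MX data (added example).

Each line is parsed for the connecting IP, envelope sender and HELO name, then run
through the checks described in the post. DNS answers come from constructed
in-memory tables so the example runs offline.
"""
import re

LOG_RE = re.compile(
    r"RCPT from \[(?P<ip>[^\]]+)\]:\d+: .*?from=<(?P<sender>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)
# HELO names that look like consumer / dynamic address pools rather than mail servers.
DYNAMIC_RE = re.compile(r"dynamic|dyn|dhcp|dial|pool|ppp|cable|dsl", re.I)
# HELO names such as 109-92-101-27.something that embed an address in the label.
EMBEDDED_IP_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")

# Constructed DNS stand-ins. The telekom.rs MX hosts/addresses are those listed in
# the post; the PTR answers and the example.net entries are made up for the example.
PTR = {"212.200.252.1": "mail01.telekom.rs", "203.0.113.9": "relay.example.net"}
A = {
    "mail01.telekom.rs": "212.200.252.1",
    "irina.telekom.rs": "195.178.37.4",
    "gate.telekom.rs": "195.178.37.20",
    "relay.example.net": "203.0.113.10",   # PTR name that does NOT resolve back
    "smtp.example.net": "203.0.113.9",
    "mx.example.net": "203.0.113.20",
}
MX = {
    "telekom.rs": ["mail01.telekom.rs", "irina.telekom.rs", "gate.telekom.rs"],
    "example.net": ["mx.example.net"],
}

# Sample input: the rejected connection quoted in the post plus two constructed lines.
LOG_LINES = [
    "Mar 22 01:28:31 mail postfix/postscreen[10885]: NOQUEUE: reject: RCPT from "
    "[109.92.185.143]:2567: 450 4.3.2 Service currently unavailable; "
    "from=<ncudmore@telekom.rs>, to=<ncudmore@newashgreen.net>, proto=ESMTP, "
    "helo=<109-92-101-27.dynamic.isp.telekom.rs>",
    "Mar 22 02:10:05 mail postfix/postscreen[10885]: NOQUEUE: reject: RCPT from "
    "[212.200.252.1]:40211: 450 4.3.2 Service currently unavailable; "
    "from=<someone@telekom.rs>, to=<user@newashgreen.net>, proto=ESMTP, "
    "helo=<mail01.telekom.rs>",
    "Mar 22 03:42:19 mail postfix/postscreen[10885]: NOQUEUE: reject: RCPT from "
    "[203.0.113.9]:51020: 450 4.3.2 Service currently unavailable; "
    "from=<billing@example.net>, to=<user@newashgreen.net>, proto=ESMTP, "
    "helo=<smtp.example.net>",
]


def triage(line):
    """Parse one postscreen line and return the findings the post's checks would raise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ip, sender, helo = m.group("ip"), m.group("sender"), m.group("helo")
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []

    # Reverse DNS: is there a PTR, and does its name resolve back to this IP (FCrDNS)?
    ptr_name = PTR.get(ip)
    if ptr_name is None:
        findings.append("no-ptr")
    elif A.get(ptr_name) != ip:
        findings.append("fcrdns-mismatch")

    # SMTP banner / HELO: the announced name should resolve to the connecting address.
    if A.get(helo) != ip:
        findings.append("helo-mismatch")
    if DYNAMIC_RE.search(helo):
        findings.append("dynamic-helo")
    embedded = EMBEDDED_IP_RE.match(helo)
    if embedded and ".".join(embedded.groups()) != ip:
        findings.append("helo-embeds-other-ip")

    # MX: is the client one of the sender domain's inbound servers? Outbound relays
    # often differ from the MX hosts, so a miss is a hint, never proof of spoofing.
    mx_addresses = {A.get(host) for host in MX.get(sender_domain, [])}
    findings.append("client-is-mx" if ip in mx_addresses else "client-not-mx")

    return {"ip": ip, "helo": helo, "sender_domain": sender_domain, "findings": findings}


def triage_all(lines):
    """Run triage over many lines, skipping ones that are not postscreen reject records."""
    return [r for r in (triage(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for result in triage_all(LOG_LINES):
        print(f"{result['ip']:>15}  helo={result['helo']:<40} {' '.join(result['findings'])}")
```

The quoted line trips every check except the MX hint being anything better than ‘not an MX’; the constructed second line, from one of the listed MX hosts with a HELO that resolves back to itself, trips none of them, and the third shows the case the text warns about, where a PTR exists but its forward lookup points somewhere else.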

Now, this is all pretty standard stuff to check before you get down to the more complex checks…  In the case of TLS-encrypted delivery (STARTTLS), is the server’s certificate valid, and is it signed by a trusted certificate authority or self-signed (this is the equivalent of an HTTPS web connection’s certificate being valid or not)?

Then there are internally kept black-lists of blocked IP addresses, to keep more junk/spam etc. out.

Now, my home server has just 6 people on it, yet in the last 7 days that was 10,360 messages, out of which 9,046 didn’t get past the filters – 8,963 were rejected straight off, 14 viruses, 69 spam – and only 1,314 got passed by the mail filter on to the main email server.

Now, in the past I’ve worked on some big corporate email systems, from 120,000+ users to ones where they have hundreds of domain names.  However, those with huge numbers of domain names tend to use only a small fraction of those domains and tend to ‘own’ the additional ones to stop people buying similar domain names and setting up sites which may affect the business of the legitimate company.

So, I really can’t explain why a company such as Symantec would choose to use 5 addresses from 4 domains and 2 sub-domains, all in support of a single product in this case.  A couple of thoughts do spring to mind…

Really just incompetent – maybe the email was set up by a couple of interns?  Maybe it’s one of those things where no one is actually in charge of the system; it just has a life of its own?

It can’t be legacy – because that would also smack of being incompetent.  In the past, where I’ve been working on systems where companies have merged or been taken over, the new address format tends to be uniform and old addresses are only kept for incoming email and not used for outgoing email.

Just trying to make a quick buck?  Some dodgy practice of sending emails using loads of different addresses so the email isn’t picked up, and they need to keep hiding the bills to get the turnover?

Who knows?  When I asked their support I got the following – “Jinu: Neil, all the works are taken care of their specific departments. So the reason email addresses are different so that is tangled.” – I’ve no idea!  It must be an American thing…

All I know is it’s not exactly setting an example and going to win friends and influence people!
