Our News

FST Key to Hot FBI Cyber-Terror Issue

Comments by FBI Cyber Crimes Assistant Director Shawn Henry made last October to reporters centered on a noticeable rise in cyber-terrorism and specifically cited "spear phishing" as a rapidly rising threat.

ISR's Forensic Sender Test™ helps UCE control systems combat all types of email identity crimes. Providing FST service in your mail system component or service not only brings tremendous value to your customers, but also affords an opportunity to show initiative on a “hot button” issue.

Contact us to learn more.

How It Works

General Description

The Forensic Sender Test™ in most basic terms is a skeptical algorithm that starts by assuming the presented IP address does not have the right to send email on behalf of the presented domain and then looks for evidence indicating the domain owner has “granted” authority to send mail through the computer at the IP address.

A simple and obvious sub-test performed by the FST requires no special systems to complete: if the IP address is the A record of the domain's MX record, the result is “valid”. On its own, this simple test would not produce a valid result for any mail system configuration beyond the most basic, because edge-service MTAs, load balancers, global load balancing, egress archival compliance servers, redundant services, and dozens of other factors tend to make a match either unlikely or entirely impossible. Indeed, if that simple DNS-based test solved the problem, there wouldn't be half a dozen serious proposals for protocol additions or entirely new protocols being entertained in the RFCs.
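As an added illustration (not ISR's code and not the FST itself), the single MX-to-A sub-test described above, written in Python against a constructed in-memory DNS table so it runs offline. The domain names, addresses and the outbound-only relay at 192.0.2.99 are all constructed; the relay case shows why this sub-test alone rejects legitimate mail from anything but the inbound MX hosts.

```python
# Added example (not ISR's code): the default-deny MX->A sub-test,
# run against a constructed in-memory DNS table so it works offline.
# A real deployment would query DNS instead of this dictionary.
from typing import Dict, List

# Constructed zone data, not real records. example.test has two inbound
# MX hosts; 192.0.2.99 is an outbound-only relay that is NOT an MX host.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example.test": {"MX": ["mail1.example.test", "mail2.example.test"]},
    "mail1.example.test": {"A": ["192.0.2.10"]},
    "mail2.example.test": {"A": ["192.0.2.11", "192.0.2.12"]},
    "nomx.test": {"A": ["203.0.113.5"]},   # domain publishing no MX at all
}


def lookup(name: str, rtype: str, dns=FAKE_DNS) -> List[str]:
    """Return records of rtype for name, or [] for NXDOMAIN / no data."""
    return dns.get(name.lower().rstrip("."), {}).get(rtype, [])


def mx_a_subtest(sender_ip: str, domain: str, dns=FAKE_DNS) -> str:
    """Skeptical check: the result stays 'fail' unless sender_ip is an
    A record of one of the domain's MX hosts. Only this one sub-test is
    implemented here; the FST runs many more before reaching a verdict."""
    verdict = "fail"                        # assume no authority until proven
    for mx_host in lookup(domain, "MX", dns):
        if sender_ip in lookup(mx_host, "A", dns):
            verdict = "valid"               # positive evidence found
            break
    return verdict


if __name__ == "__main__":
    # Constructed envelope data: (connecting IP, MAIL FROM domain)
    samples = [
        ("192.0.2.11", "example.test"),     # inbound MX host also sends -> valid
        ("192.0.2.99", "example.test"),     # legitimate outbound-only relay -> fail
        ("198.51.100.7", "example.test"),   # unrelated network -> fail
        ("203.0.113.5", "nomx.test"),       # no MX published -> fail (no evidence)
    ]
    for ip, dom in samples:
        print(f"{ip:>14} claims {dom:<13} -> {mx_a_subtest(ip, dom)}")
```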

The Forensic Sender Test™ is actually a lengthy series of tests that collectively discover any of the dozens of ways a domain may expose its intention to move email through a certain IP address. In order to complete the test battery in a timely fashion, the FST employs an extensive array of performance-enhancing technologies including highly optimized low-level coding; distributed processing; extensive data warehousing; caching and cache-updating algorithms; high-speed, high-volume internal data paths; and high-speed, high-volume access to multiple Tier 1 NSPs.

The FST quality of service monitoring system is almost as complex as the FST itself. The inputs and results are dropped into a no-wait queuing system. As the queue is de-spooled, public registration databases are cross-referenced to spot and aggregate potential anomalies, which are then presented for further human analysis. In addition, dozens of ISPs and hundreds of businesses participate in quality of service reporting programs. The end result is an internal network reputation system which disqualifies irresponsible or clandestine networks from qualifying for the various short-circuit test branches used to further improve performance.

Result Quality

The Forensic Sender Test underwent three years of structured testing that started in August of 2004 and included the movement of over 1 billion real email messages for the subscribers of over 70 ISPs and thousands of employees of hundreds of small to medium businesses. Throughout the test period (and to date), 100% of all phishing messages were correctly identified and 100% of legitimate messages from the targets of phishing attacks were correctly identified as valid.

A small number of factors may cause unexpected (but accurate) "fail" results. Some major ISPs employ transparent SMTP intercepts as part of their security systems, which causes legitimate email to appear as spoofs because it no longer leaves from the address the sender's domain has authorized. (Most hosting companies now make an alternate port available to email users for authenticated SMTP to avoid this problem.) Legitimate email can also become a spoof through the use of certain Internet acceleration software packages that employ similar transparent intercepts.

Unexpected (but accurate) "valid" results are considerably less likely. Although we have never had a case presented by a user nor observed a case in our monitoring system, a breach in email system security could obviously allow a malicious party to send inauthentic email with the complete appearance of authenticity. In other words, if a hacker took over a computer at Acme Finance (a fictitious credit company) and then started sending out fake email as if it were actually from Acme Finance, our system would not detect the breach: the mail really does originate from a host Acme has authorized. On the other hand, some responsibility has to be placed on Acme for its own security practices and policies.

Live Data

As mentioned above, an extensive quality of service monitoring system captures, cross-references, aggregates, and presents data for human inspection. Two of the running reports stand out as both anonymous enough to present no privacy violations and interesting enough to make public.

Domain Activity Search

ISR provides access to this live data on a per appointment basis due to the sensitive nature of the data shown. Even though ISR does not believe there are any privacy concerns, providing an anonymously viewable catalog of email sources and domains could provide information to phishers or other abusers. To obtain access to our live data please contact us.

Once granted access, you will be provided with a facility to search a nearly-real-time database of FST inputs and results cross-referenced with IP owner data from ARIN, LACNIC, RIPE, AfriNIC, and APNIC. As you scroll down from “valid” results to “invalid” results in the result list, you can watch the network owners turn from (usually) recognizably acceptable to recognizably unacceptable.

Top Worm Subjects

Background

In the course of testing the Forensic Sender Test's viability as a front defensive line, we started tracking the subjects of email that flunked. This list makes a definite point about the kind of protection the FST offers when used in this manner. Although we went ahead and accepted the data for these virus-riddled, fraud-laden, resource-devouring messages so we could track and analyze them, you can use the FST to simply ignore them.

Live Data

This list shows the top 200 subjects of emails from the last 168 hours where the FST reported a spoof. It's sampled once per hour and changes very slowly over time. It may or may not be different in an hour, but it will probably be different in 24 hours and will almost certainly be different in 7 days.

Bibliography

Background

When development of the Forensic Sender Test™ began in 2004, there was an overruling directive for the project that any means employed MUST use existing standards and practices. While our use of "practices" was derived from experimentation with and the observation of live mail systems, the "standards" guiding our development were much easier to obtain. We've compiled a brief listing of the most relevant documents here for your convenience.

Note: These abstracts are from the search results at rfc-editor.org. Although we try to keep this page updated with current versions, there are constantly new versions being recorded. Always check rfc-editor.org to be certain that a particular document has not been "obsoleted" or "updated".