No End in Sight to the Challenge of Email Deliverability

When it comes to e-mail communications in the B-to-B world, yet another study is underscoring just how challenging it is to reach corporate inboxes.

A new report by cyber-security firm FireEye, Inc. reveals that fewer than one-third of e-mails sent are actually making it into corporate inboxes. The FireEye analysis was based on tracking more than a half-billion e-mails sent between January and June of 2018.

The majority of those e-mails were deemed to be spam or malicious in their intent. Nearly 60% were blocked by threat intelligence and around 10% more were halted by attack prevention tactics such as URL inspection and attachment detonation.

E-mails were deemed suspicious because they triggered one or more of the following “red-light” cautions:

  • Malware-less impersonations
  • Malware viruses
  • Phishing attacks
  • Ransomware
  • Spyware
  • Trojan horses
  • Worms

Interestingly however, it turns out that only a small fraction of the e-mails actually had malicious intent, meaning that the super-strict filters being employed by companies are capturing a huge number of perfectly legitimate e-mail messages in their dragnet and rejecting them out of hand.

On the other hand, the FireEye analysis also determined that impersonation attacks have undergone a shift from domain name spoofing to “friendly” domain name scams – ones in which an e-mail address is manipulated to impersonate a trusted source.

As the study cautions:

“This shift in tactics may be driven by how easily cyber criminals can ‘spoof’ the display name and username potion of an e-mail header. Instead of having to go through the process of buying and registering a domain similar to – or one that sounds like – the recipient’s domain, they can simply change the display/user name.”

The FireEye analysis is a reminder that because of its sheer pervasiveness, e-mail communications are also the most popular conduit for potentially significant cyberattacks. No wonder companies have their guard up.

The problem is, clearly a whole lot of wheat is being thrown out with the chaff.  And that makes e-communications hardly the slam-dunk communications tactic that many people assume it to be.

The Ad Fraud Gravy Train Keeps Chugging Along — No Matter What …

xbnAd fraud is quite a large issue for online advertisers – and it’s been on many companies’ radar screens for a long time.

But even with the higher visibility and greater scrutiny of online ad fraud, it seems to be a problem that only gets bigger.

The most recent example of the phenomenon came to light a few weeks ago, when ad fraud prevention consulting firm Pixalate announced that a newly discovered botnet has been draining literally billions of dollars from advertisers’ MarComm coffers.

The botnet is dubbed Xindi – the same name as the hostile aliens in the Star Trek sci-fi TV series.

Xindi is making money for its creators by serving actual ads – but to simulated audiences.  It has spread via familiar methods such as phishing.

Pixalate estimates that just shy of 78 billion fake ad impressions have been racked up so far.  Even at low cost-per-impression revenue figures, the high volume amounts to several billions of dollars of illicit revenues siphoned (and counting).

What makes the Xindi botnet particularly nettlesome is that it’s designed to go after computers and networks at high-end organizations, enabling it to “mimic” desirable web traffic (i.e. affluent consumers).

xbotAccording to Pixalate, already there could be as many as 8 million computers compromised in more than 5,000 networks, including a goodly number of Fortune 500 companies as well as university and governmental networks.

Such desirable locations and ad audiences translate into lucrative online ad pricing (CPMs of $200 or more).

In the event, advertisers are paying high prices … for nothing.

To counteract Xindi, Pixalate recommends that the Internet Advertising Bureau update its protocols to factor in the pace of ad requests, so that impression generated after a certain time period cannot be accepted as valid — and hence would be non-billable.

Whether this or other remedies will actually happen is up in the air at the moment (the IAB isn’t onboard with the recommendations).

Either way, what seems clear is that whatever the remedial actions that are taken, burgeoning ad fraud activity is bound to continue.

The question is, can it ever be contained, or will it just continue to grow and grow?  If you have any thoughts or ideas on the challenge, please share them with other readers.