[arrl-odv:29779] FW: Re: Messages From "Arrl Message Center" ?????

Sorry... I didn’t hit “reply all” on my response to Mickey.

73, Barry, N1VXY

From: Shelley, Barry, N1VXY (CEO)
Sent: Wednesday, March 4, 2020 2:31 PM
To: Mickey Baker <fishflorida@gmail.com>
Subject: RE: [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????

Mickey:

It’s always the people you would least suspect that are the worst offenders.

I understand that the topic of arrl.org email addresses for the volunteers was discussed in January but, quite honestly, not much progress has been made on investigating that. You’re right, switching people from the current “forwarding” system to an O365 account would be more costly and likely, given the broad knowledge base of our volunteers, require more staff support to maintain (no offense to anyone on the ODV reflector).

As for operating our own infrastructure versus using a cloud based model, there is currently a committee of the Board looking at that as we speak. We already have applications in the cloud, including Office 365, and will have more when we implement the Personify application later this year. And you might be surprised at the pricing, all in, for cloud based technology. But again, the committee is doing their work so I would ask that you please stand by.

73, Barry, N1VXY

From: Mickey Baker <fishflorida@gmail.com>
Sent: Wednesday, March 4, 2020 2:10 PM
To: Shelley, Barry, N1VXY (CEO) <bshelley@arrl.org>
Cc: arrl-odv <arrl-odv@arrl.org>
Subject: Re: [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????

I'm glad to hear this story, particularly the use of KnowBe4 (a Florida Company!) for internal staff. Our police officers and our HR department at the City were the worst offenders.

The bifurcation of the arrl.org inside v. outside was something we spoke about briefly at the A&F committee meeting in January - I was a guest. This is tough, it requires a table to redirect addresses.

Office 365, being paid for on a per mailbox basis, will get more and more expensive as people move out of positions and keep their arrl.org, unless this bifurcation takes place in the data stream BEFORE messages go to the Office 365 server, so you won't be able to get rid of the pobox.com (where I assume this filter is placed) or the reflector, and the associated management to onboard and off-board active roles.

It's a big move from Exchange to Office 365. The easiest way to do it, in my opinion, is to use Quest migration manager. It is slow, but doesn't break anything. I recently moved a 24TB message store AND ARCHIVE and it took 3 months. But it was perfect, we never lost a message (that we know about, anyway!)

In my opinion, the ARRL is too small to be operating our own infrastructure, given the economies available with Cloud offerings. Likely the cost in hardware maintenance (if the ARRL pays hardware maintenance!) and insurance can justify the cost of cloud-based infrastructure and eliminate site dependent issues. The umbrella of protection of cloud provided security tools, the ability to adjust performance with demand, and physical environment costs offer a compelling case.

If I can help Mike's team in any way, let me know. I'm available as a volunteer.

Mickey Baker, N4MB
Palm Beach Gardens, FL

“The servant-leader is servant first… It begins with the natural feeling that one wants to serve, to serve first. Then conscious choice brings one to aspire to lead." Robert K. Greenleaf

On Tue, Mar 3, 2020 at 3:28 PM Shelley, Barry, N1VXY (CEO) <bshelley@arrl.org> wrote:

Mickey:

To give you some idea of the approach and methods we’re using here at HQ for email scanning, I’ll let Michael Keane, K1MK describe it:

We need to distinguish between the email controls that are in place for just arrl.org forwards (the Board) versus mail that is delivered to HQ.

We should also distinguish between emails which have virus or other malware payloads attached to the message and phishing attempts. Those are two different kinds of threats which are detected by different means. Phishing emails may appear as apparently benign as saying "please call this phone number" or "click on this link". This makes phishing messages more difficult to detect programmatically without simultaneously generating a whole bunch of false positives -- valid messages being sent off to the spam folder.

All inbound mail messages to arrl.org addresses first pass through PoBox's anti-spam filtering and basic virus scanning. As part of their anti-spam filtering PoBox blocks messages that are sent from hosts on the real-time blacklist which contains known bad actors. PoBox blocks over 90% of the inbound traffic being sent to arrl.org and arrl.net addresses as spam or malware. The vast majority of the traffic through PoBox is for arrl.net.

"Zero days" in which phishy or spam-ish messages manage to leak through PoBox's filters can and do occur, and continue until PoBox can adjust their Bayesian filters in response. If the Board members are interested, they may forward examples of spam-ish messages that are delivered to their arrl.org addresses that have managed to evade PoBox's filters on to Dave or Oscar, who can help expedite closing the loop with PoBox to get leaks plugged more quickly.

Once incoming messages hit our inbound Exchange server there is an additional level of spam filtering in place there. After final delivery to user endpoints -- desktops -- we are running McAfee Endpoint Security to protect the endpoints (computers) against possible virus/malware payloads.

But all of the above is not sufficient to block all phishing attempts, which by the very nature of their design are intended to fly low under the radar of common safeguards and not to trigger a security response. To combat what is ultimately a human factors vulnerability, we have since 2018 required that all staff attend and successfully complete phishing security training, and be tested and re-certified on a periodic basis. We employ KnowBe4 (www.knowbe4.com) for staff phishing security training.

--MK

As you are well aware, this is a constant battle. And as Michael noted, we’re using technology and human training to combat the threats.

73, Barry, N1VXY

From: arrl-odv <arrl-odv-bounces@reflector.arrl.org> On Behalf Of Mickey Baker
Sent: Tuesday, March 3, 2020 11:12 AM
To: Keane, Michael, K1MK <mkeane@arrl.org>
Cc: arrl-odv <arrl-odv@arrl.org>
Subject: [arrl-odv:29774] Re: Messages From "Arrl Message Center" ?????

If we are using only rudimentary filtering in pobox.com, we are headed for a problem.

These types of emails worry me. Please don't forward them to the rest of the group, which may defeat safeguards - now they're from a trusted source! Please don't click on anything you're not certain is legitimate, ever!

Phishing and "spear-phishing" (targeted email phishing) is one of the highest risk and most successful (for the bad guys) methods of system penetration. It is a real problem. There have been some very high profile attacks on government agencies that have resulted in data loss and billions of dollars of damage. Outages at the Cities of Baltimore, Atlanta, Riviera Beach and Key Biscayne, Florida, were caused by an internal employee clicking on a malware email. I've had a number of FBI briefings on these outages - in each, a demand was made for ransom that was, curiously, just above the limits of the organization's insurance coverage.

The FBI also said that the best antivirus will only detect 60% of viruses and penetration attempts at any given moment, so the scans and updates must be frequent and, if possible, continuous and in-line.

From what I see in the message header, HQ probably (hopefully) scans emails when they arrive in-house, perhaps on ARRL workstations. Our emails come from a reflector that may scan for viruses or phishing attempts. Emails that we are getting are also being scanned by our individual email providers. Gmail, for example, as Ria explained, uses an excellent filter, which is why these messages end up in our spam folders. However, even if you're using GMail as an end client, you're going to want to use something that scans and quarantines emails. I get one for free for my home from my Internet Service Provider and run a security gateway as well as clients on each workstation.

There's been discussion of the League going to Office 365. I have personally participated in three major migrations of Microsoft Exchange and it isn't easy, but there were complexities of scale, uptime and archive requirements that likely don't exist at ARRL. Microsoft by default does not supply email anti-virus with Office 365, but it is available from them and other providers. These products typically examine inbound emails and filter or quarantine them before sending them on to the email server. The key is to get an easy to manage, easy to install set of tools to manage this "front end" before the email is sent to Office 365.

Given all our external-facing systems, I hope that a penetration test is budgeted within IT and these systems are being examined by a security professional periodically.

Mickey Baker, N4MB
Palm Beach Gardens, FL

On Tue, Mar 3, 2020 at 10:23 AM Mark J Tharp <kb7hdx@gmail.com> wrote:

I checked and my GMail spam folder has 16 of these spoofy emails. And it also includes Barry's email about it!

Mark, HDX
(GMail user since 2007)

On Tue, Mar 3, 2020 at 7:10 AM rjairam@gmail.com <rjairam@gmail.com> wrote:

The reason you may have gotten them is because they did pass SPF checks and beyond that, Yahoo is pretty weak with spam filtering.

SPF is Sender Policy Framework, where the sending domain has a text record that says that only certain mail servers can send e-mail from that domain. It makes spoofing harder. Except where SPF passes for some reason. In this case it did.

In the headers it is unclear as to whether or not PObox, our spam filtering service, failed OR if the sender used a hijacked or rented email server. If it’s the former we should remedy this, but if it’s the latter there is nothing we can do.

No spam filter is 100% effective but Google uses AI and ML (machine learning) with its neural network which is why it filters out nearly all spam.

When in doubt, delete, hover over links and if it looks suspicious it probably is.

73
Ria, N2RJ
(GMail user since 2004)

On Mon, Mar 2, 2020 at 9:22 PM Richard Norton via arrl-odv <arrl-odv@reflector.arrl.org> wrote:

Today I received seven messages, sent to n6aa@arrl.org, advising me that I have some number of "pending messages from your organization."

Although the messages appear to come from something called "Arrl Message Center," they come from an address in Japan.

The messages have a link that says "Review Messages to release or block them." I have not clicked on that link as this looks suspiciously like a scam that might infect my computer.

Have any of the rest of you received them? Has anyone clicked on the link? Anything happen?

73,
Dick, N6AA

_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
https://reflector.arrl.org/mailman/listinfo/arrl-odv

--
“Ends and beginnings—there are no such things. There are only middles.” Robert Frost
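The SPF check Ria describes in the thread, as an added example that is not from any of the messages above: a minimal evaluator over constructed SPF records (a lookup table standing in for DNS; the domains, IPs and headers are invented), plus an alignment check showing why an SPF pass on the envelope sender says nothing about the display name and From: header the recipient actually sees.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF TXT records standing in for live DNS lookups (assumption: these
# are the only records that exist; real SPF also has a/mx/exists/redirect terms).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP (ip4/ip6/include/all only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                      # no usable record, or include chain too deep
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":                  # catch-all term decides the result
            return QUALIFIERS[qualifier]
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qualifier]   # include: matches only when the other record passes
    return "neutral"                       # no term matched and no explicit "all"

def domain_of(address_header):
    """Domain part of a header such as From: or Return-Path:, lower-cased."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()

def assess(headers, client_ip):
    """SPF verdict for the envelope sender, plus whether the visible From: aligns with it.
    SPF is evaluated against the envelope (MAIL FROM / Return-Path) domain only, so a
    lure can pass SPF for a domain the attacker controls while showing any From: name."""
    mail_from = domain_of(headers["Return-Path"])
    header_from = domain_of(headers["From"])
    spf = check_spf(client_ip, mail_from)
    return {"spf": spf, "aligned": mail_from == header_from,
            "suspicious": spf != "pass" or mail_from != header_from}

# Constructed headers of a lure like the one in the thread: the display name mimics the
# organization, but the envelope sender is an unrelated bulk-sending domain.
LURE = {"From": '"Arrl Message Center" <notice@example.org>',
        "Return-Path": "<bounce@bulk-sender.example>"}
LEGIT = {"From": "Staff <staff@example.org>", "Return-Path": "<staff@example.org>"}

if __name__ == "__main__":
    print(assess(LURE, "203.0.113.7"))     # SPF passes for the envelope domain, yet not aligned
    print(assess(LEGIT, "192.0.2.25"))
```

The "aligned" flag is the check DMARC adds on top of SPF; a filter that stops at the SPF verdict is exactly the gap the thread describes.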