DOI: 10.1145/3465481.3465743 (ARES '21 conference proceedings)

Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet

Published: 17 August 2021

Editorial Notes

Supplementary material for this paper is available on Zenodo: https://doi.org/10.5281/zenodo.4817463

Abstract

In the era of large-scale internet scanning, misconfigured websites are a frequent cause of data leaks and security incidents. Previous research has investigated sending automated email notifications to operators of insecure or compromised websites, but has often met with limited success due to challenges in address data quality, spam filtering, and operator distrust and disinterest. While several studies have investigated the design and phrasing of notification emails in a bid to increase their effectiveness, the use of other contact channels has remained almost completely unexplored because of the effort and cost involved. In this paper, we investigate two methods to increase notification success: the use of letters as an alternative delivery medium, and the description of attack scenarios to incentivize remediation. We evaluate these factors as part of a notification campaign that uses manually collected address information from 1359 German website operators and focuses on unintentional information leaks from web servers. We find that manually collected addresses lead to large increases in delivery rates compared to previous work, and that letters were markedly more effective than emails, increasing remediation rates by up to 25 percentage points. Counterintuitively, providing detailed descriptions of possible attacks can actually decrease remediation rates, highlighting the need for more research into how notifications are perceived by recipients.

Cited By

  • Chasing spammers: Using the Internet protocol address for detection. Psychology & Marketing 41(6), 1363–1382, 2024. https://doi.org/10.1002/mar.21985
  • “Your Cookie Disclaimer is Not in Line with the Ideas of the GDPR. Why?” Human Aspects of Information Security and Assurance, 218–227, 2022. https://doi.org/10.1007/978-3-031-12172-2_17

Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security, August 2021, 1447 pages. ISBN 9781450390514. DOI: 10.1145/3465481

Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

  1. information leakage
  2. notification study
  3. web security

Qualifiers

  • Article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
