Reaching out to companies spoofed by spam

I got an email today from someone whose email shows that they are at a public school. Now of course that is probably a lie, but if it is the truth I’d want to know about it as the IT admin of that school.

I reached out to the IT department but they only had a voicemail. I left a voicemail and explained the situation. I would send them the email if it would help them track down the problem, and at the very least they would know that it wasn’t coming from them.

However, in truth, I don’t expect they will respond to me. In the past, I used to report to ISPs the hackers who illegally violated their terms of service by trying to hack the company I worked for. I showed them evidence in the logs and made it very simple for the ISP to take action. I sent thousands of warnings to ISPs about the illegal behavior going on in their networks. Guess how many responses I got? Zero. No ISP seemed interested to know that they were harboring criminals doing illegal behavior.

Then when companies get hacked they say things like “More should be done to protect companies from hackers.” Hello? IT people are begging decision-makers at companies to take security seriously and invest in tools and processes to make this happen. It is beyond ridiculous how little prepared most companies are to be hacked. They think it won’t happen to them and when it happens to them it often puts them out of business.

Why respond to companies that don’t seem to care? For this simple reason: if we get hacked, and I can show that I warned the ISP of the person hacking us, we have much more leverage in a court to get paid. Also, if your boss says “Why didn’t we do anything?” you can show them the email you sent and that at the time you did everything you could to stop it.

It’s not a question of if a company will be hacked; it’s just a matter of when.