Tuesday, February 24, 2009

Email Security Policy

Email security is a very broad and in-depth subject. I won't attempt to cover every aspect here but rather provide a basic understanding of the issues and some practical solutions.

Why should we care-

Email systems, their protocols, transport mechanisms and even the carbon-based life forms that are the end target of such systems are ripe and fertile attack vectors for hackers, spammers and phishing attacks. In addition, they are a major source of information disclosure and breaches of confidentiality.

Any email security policy must be thought of in bidirectional terms. Inbound email can contain viruses, executable code such as .exe files or macros, automatic HTML links and mailto links. Marketing companies will routinely send email with graphics that are fetched from a marketing server, allowing them to confirm the validity of an email address and possibly to send back other valuable marketing information such as the contents of email address books and cookies. Email may request that a recipient perform or complete an action that could compromise your network. Outbound email can propagate viruses and worms, propagate or originate spam, or contain profanity, pornography or abusive language, exposing the company or agency to legal liabilities.

Courts have repeatedly upheld that employers must provide a safe work environment free of abuse and harassment. Employees have sued and won over receipt of abusive or pornographic email or accidental disclosure of private information. Another company could also sue you for loss of productivity, loss of reputation, and mitigation and repair costs associated with malicious or damaging email originating from your domain.

What can be done-

Develop and enforce an email policy within your organization. That simple step will provide evidence that you are attempting to control dangerous, malicious and abusive content, which alone could mitigate some of the legal liability and damage awards resulting from a legal action. A written policy and evidence of enforcement are key here.

Install and maintain effective anti-virus and anti-spam solutions. Inspect outbound mail for company secrets, customer lists, credit card numbers, driver's license numbers, social security numbers and so on to prevent disclosure of sensitive or confidential information.

Strategies-

Don't include plain text lists of email addresses on your website. Addresses in the form 'username@domainname.ext' can easily be read by web spiders or 'bots' harvesting email addresses for use in unsolicited email campaigns. Use a script to build those addresses dynamically for display in an HTML page. If they can't harvest them, they can't use them.
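As an added illustration of the scripted-address approach (my own example, not code from the original post), here is a small Python helper that emits the HTML a web page would serve. The address is assembled in the visitor's browser from two separate string fragments, so the raw page source never contains 'user@domain'; the second function is the check I would run against a page before publishing it, using the kind of pattern an address-harvesting bot applies to raw text. The sample address is constructed and is not a real mailbox.

```python
import html
import json
import re

# Constructed sample address for the demonstration; not a real mailbox.
USER = "webmaster"
DOMAIN = "example.com"

# The kind of pattern an address-harvesting bot applies to raw page text.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def plain_mailto(user: str, domain: str) -> str:
    """The harvestable form the post warns against: the full address
    appears verbatim in the page source."""
    addr = html.escape(f"{user}@{domain}")
    return f'<a href="mailto:{addr}">{addr}</a>'


def scripted_mailto(user: str, domain: str, element_id: str = "contact") -> str:
    """Emit a placeholder element plus a script that assembles the address
    in the browser. The '@' is written as the JavaScript escape \\u0040 and
    user and domain are separate string literals, so no regex over the raw
    HTML finds a complete address."""
    assert "@" not in user and "@" not in domain
    js_id = json.dumps(element_id)
    return "\n".join([
        f'<span id="{html.escape(element_id)}"></span>',
        "<script>",
        f"  var u = {json.dumps(user)}, d = {json.dumps(domain)};",
        '  var addr = u + "\\u0040" + d;',
        '  var link = document.createElement("a");',
        '  link.href = "mailto:" + addr;',
        "  link.textContent = addr;",   # textContent, not innerHTML
        f"  document.getElementById({js_id}).appendChild(link);",
        "</script>",
    ])


def is_harvestable(markup: str) -> bool:
    """Pre-publication check: does the raw markup contain a full address?"""
    return ADDRESS_RE.search(markup) is not None


if __name__ == "__main__":
    print(is_harvestable(plain_mailto(USER, DOMAIN)))     # True
    print(is_harvestable(scripted_mailto(USER, DOMAIN)))  # False
    print(scripted_mailto(USER, DOMAIN))
```

Two things to keep in mind when using this: visitors with scripting disabled see an empty span, so give them a contact form or similar fallback, and HTML entity encoding alone (writing the '@' as an entity in static markup) is a weaker variant, since harvesters that decode entities recover the address.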

Install an email policy device or engine configured to inspect all parts of an email, inbound and outbound, for threats such as viruses, worms, executables, attachments not complying with corporate policy, and confidential information such as driver's license numbers, social security numbers, customer lists and other confidential data. The goal is to keep threats to your network out, keep confidential information in, and enforce a corporate or agency policy.

Any such device should recursively disassemble an email into all its parts and attachments and inspect each component. Multi-level heuristic and lexical analysis should be performed against managed expression lists, real-time block lists and managed spam fingerprint or 'digital DNA' lists. The device should have a configurable action for every policy: reject RBL-listed addresses and known spammer addresses, clean or delete viruses and worms, and quarantine executables, eBay emails and multimedia files according to policy. For ease of management the device or appliance should integrate with Active Directory or another LDAP directory to validate recipient addresses.

Validation of the sender domain is a valuable anti-spam strategy, since spammers rarely use a valid domain to originate email. However, in my experience many email systems are not properly configured and reverse DNS lookups produce no results, thereby blocking what might be valid email. To make matters worse, if you try to advise a sender that their sender domain cannot be validated, their email administrator will frequently tell you that it is your problem and that they don't have problems with other companies. Until email and security administrators understand RFC compliance and do their part in the overall scheme of email security, you will be left dealing with their mess and they will expose themselves to legal liability issues.
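As an added example (mine, not the post's), here is one way to structure the sender-domain check so that the misconfigured-but-legitimate sender described above is deferred rather than hard-rejected. The resolver is a constructed DNS snapshot so the code runs offline; in production you would pass in a function that performs real queries. The .example names and 192.0.2.0/24 addresses are reserved for documentation and are not real hosts.

```python
# Constructed DNS snapshot standing in for real lookups, so the example runs
# offline. Keys are (record type, name or address).
DNS = {
    ("MX", "example.org"): ["mail.example.org"],
    ("A", "mail.example.org"): ["192.0.2.10"],
    ("PTR", "192.0.2.10"): ["mail.example.org"],
    ("MX", "misconfigured.example"): ["mx.misconfigured.example"],
    ("A", "mx.misconfigured.example"): ["192.0.2.20"],
    # deliberately no PTR for 192.0.2.20: the "reverse DNS produces no
    # results" case the post describes
}


def lookup(rtype: str, name: str) -> list:
    """Stand-in resolver; replace with real DNS queries in production."""
    return DNS.get((rtype, name), [])


def validate_sender(domain: str, connecting_ip: str, resolve=lookup) -> tuple:
    """Grade the sender: ('accept' | 'defer' | 'reject', reason).

    Only a domain that cannot receive mail at all (no MX and no A record,
    per the RFC 5321 fallback rule) is rejected outright. A missing or
    unconfirmed PTR is returned as 'defer', which maps to an SMTP 4xx: the
    sending server retries, and the admin has a log entry to act on."""
    if not resolve("MX", domain) and not resolve("A", domain):
        return "reject", f"{domain} has no MX or A record"
    ptr = resolve("PTR", connecting_ip)
    if not ptr:
        return "defer", f"no reverse DNS for {connecting_ip}"
    # forward-confirmed reverse DNS: the PTR name must resolve back to the IP
    if connecting_ip not in resolve("A", ptr[0]):
        return "defer", f"PTR {ptr[0]} does not resolve back to {connecting_ip}"
    return "accept", f"{connecting_ip} is {ptr[0]}, forward-confirmed"


if __name__ == "__main__":
    for domain, ip in [("example.org", "192.0.2.10"),
                       ("misconfigured.example", "192.0.2.20"),
                       ("nonexistent.example", "192.0.2.30")]:
        print(domain, ip, validate_sender(domain, ip))
```

The reject/defer split is my choice, not something the post prescribes: it keeps the anti-spam value of the check for domains that do not exist while turning the "other companies don't have a problem with us" argument into a retry and a log line instead of lost mail.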

In short, anti-virus and anti-malware alone are not enough to prevent inbound threats and do nothing to mitigate liability issues.


Anecdotal story-

Recently, I installed, configured and tested a high-end clustered email policy solution for a governmental agency. Shortly after the installation, the helpdesk received a report of email being denied by the new appliance, and the report was relayed to me.


I placed a call to the sender, since the appliance logs had absolutely no mention of the rejected message. The sender's email administrator told me that the non-delivery receipt (NDR) reported that the email had a spam signature. "That explains the lack of log file info, as the system was configured to summarily reject spam," I explained to the admin. He advised me that the originator was a high-profile public official, not a spammer, sending email to another high-profile public official, and that the email was in no way spam. They received the email through their anti-spam device and the sender didn't consider it spam. He wanted the recipient to have the information. The admin asked me to whitelist the sender.


I temporarily adjusted my policy to quarantine known spam instead of rejecting it and requested that the message be resent. About an hour later the message was quarantined in my system, where I could take a look at it to see how I needed to adjust my policy. Upon inspection I found a blatant spam email from a bookstore advertising a "143 page manual" with web links, a chapter summary, author's bio and a printable order form complete with instructions for purchasing by credit card.

This spam email had been propagated by the sender with a simple "FYI" added at the top. Seems that the appliance and my policy did what they were supposed to do! I put my "reject" policy back in place.

If the sender had sent a short comment with a web link, or just cut and pasted a summary from the original spam, it would have gone through or at worst been quarantined so an admin could review it and release it as appropriate.

There are several points to take from this story.

1. All anti-spam engines are not equal.
2. Spam is spam no matter who sends it.
3. One person's treasure is another's spam.
4. Policies need to be flexible.

Email security white papers
