As they stand today, the architectures of SMTP and other e-mail protocols are sorely lacking, mainly because of a dearth of baked-in security. Unlike Web sites, where vendors use SSL certificates and domains to authenticate themselves, there exists no universally deployed standard for doing the same thing with e-mail. It's still the Wild West out there.
One way those loose protocols work to our advantage, however, is the ease with which e-mail security services can be deployed. Simply change a DNS MX record, and all your mail will flow through a cloud-based service before being relayed to your server. Damage from outages is mitigated by the underlying protocols, which will automatically queue messages and retry missed connections, and the MX records themselves support multiple layers of redundancy to keep the mail flowing.
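To make the failover and queueing behaviour described above concrete, here is an added example that is not part of the original article. It models, in Python, how a sending MTA walks a domain's MX records (lowest preference first, equal preferences in random order, per RFC 5321 section 5.1) and keeps a message queued with retries when every host is temporarily unreachable. The zone fragment, host names, domain and retry schedule are all constructed for the illustration.

```python
"""Added example (not from the article): MX selection and retry queueing,
the SMTP behaviour that makes a DNS-based cutover to a hosted filter safe."""
import random

# Constructed zone fragment; domain and host names are hypothetical.
# Every entry points at the filtering service (two at equal preference for
# load sharing, one lower-priority fallback), so all mail passes the filter.
ZONE_MX = """\
example.test.  3600 IN MX 10 mx1.filter.example.net.
example.test.  3600 IN MX 10 mx2.filter.example.net.
example.test.  3600 IN MX 20 mx3.filter.example.net.
"""

# Constructed retry intervals in seconds after a temporary failure. Real MTAs
# use their own schedules, typically growing toward hours over several days.
RETRY_SCHEDULE = [900, 1800, 3600, 7200]


def parse_mx(zone_text):
    """Return [(preference, host), ...] for the MX lines of a zone fragment."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[3].upper() == "MX":
            records.append((int(fields[4]), fields[5].rstrip(".")))
    return records


def delivery_order(records, rng=None):
    """Order hosts as RFC 5321 5.1 prescribes: ascending preference value,
    with hosts of equal preference tried in random order to spread load."""
    rng = rng or random.Random()
    groups = {}
    for pref, host in records:
        groups.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def try_hosts(records, reachable, rng=None):
    """One delivery pass over the MX set: (accepting_host_or_None, hosts_tried)."""
    tried = []
    for host in delivery_order(records, rng):
        tried.append(host)
        if reachable(host):
            return host, tried
    return None, tried


def deliver_with_queue(records, reachable_at, rng=None):
    """Keep the message queued and retry on RETRY_SCHEDULE until an MX accepts.
    reachable_at(host, elapsed_seconds) models which hosts are up at a time.
    Returns (host, elapsed_seconds, passes); host is None if the schedule is
    exhausted, which is the point at which a real MTA would bounce the mail."""
    elapsed = 0
    passes = 0
    for delay in [0] + RETRY_SCHEDULE:
        elapsed += delay
        passes += 1
        host, _ = try_hosts(records, lambda h: reachable_at(h, elapsed), rng)
        if host is not None:
            return host, elapsed, passes
    return None, elapsed, passes


def service_outage(down_until):
    """Model a full outage of the filtering service lasting down_until seconds."""
    return lambda host, elapsed: elapsed >= down_until


if __name__ == "__main__":
    records = parse_mx(ZONE_MX)
    print("delivery order:", delivery_order(records, random.Random(1)))
    # 40-minute outage: passes at 0 s and 900 s fail, the pass at 2700 s succeeds.
    host, elapsed, passes = deliver_with_queue(records, service_outage(40 * 60))
    print(f"delivered to {host} after {elapsed}s on pass {passes}")
```

The constructed zone deliberately lists only the service's hosts. Listing the on-premises server as a low-priority fallback MX would give mail a path that skips the filter, so in practice every MX entry should point at the service and the server should accept port 25 only from the service's relay addresses.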
Current investments in security software and mail servers need not be tossed out the window, either. Rather, their life spans are extended significantly. A recent Trend Micro customer survey showed that 15% to 20% of its customers had experienced network outages or other problems caused by malicious payloads or the sheer volume of inbound e-mail. Using a hosted service means the vast majority of damaging and wasteful content is filtered before it even hits your network, letting you keep your existing hardware longer--sure to go over well in this economy. Finally, some vendors offer feature parity between their locally deployed security software and their cloud-based services, so there's no reason to lower your expectations on the level of control you have over your e-mail security.
On the inbound side, not only has the volume of bad stuff increased dramatically over the past decade, but so has the variety. The Messaging Anti-Abuse Working Group estimated that 72% of e-mail was spam in the fourth quarter of 2005. By 2008, spam was consistently above 90%. We've heard estimates from vendors placing the volume today at above 95%.
As for what's being thrown at us, it's not just run-of-the-mill commercial spam--yes, "buy our pills" still remains a lucrative business for those willing to incur the wrath of the Internet and, increasingly, law enforcement. We're also dealing with malicious attachments; random noise as spammers attempt to devalue and disrupt learning-based protection systems; direct mail connections from botnet-controlled endpoints; and URL-based attacks leveraging browser exploits or promiscuous users to execute malicious code without ever e-mailing a file. There's seemingly no end to the badness.