Seven Tips For Avoiding Insider E-Mail Threats
How to stop your users from propagating spam and malware, whether knowingly or unknowingly.
April 11, 2005
Enterprises face a new set of challenges in the war on spam, because many of their own employees and end users propagate, knowingly or unknowingly, large volumes of spam and other e-mail-borne threats. Mass-mailing worms such as MyDoom and Mytob are launched from inside the company and travel across its own network.
Even when an organization deploys anti-spam and other security technology at the gateway, or uses an outsourced service to filter incoming e-mail, nothing prevents end users from generating large volumes of outbound spam and malware. That traffic wastes bandwidth and storage and ties up processor time on the core mail servers. Because inbound filtering has these limits, organizations need an effective means of stopping spam that originates within their own networks.
These seven tips cover best practices and technology approaches that should help you prevent spam from originating within your own community of users. The focus here is on newer technologies, and it assumes that your organization has already implemented base-level SMTP protections such as mail servers that do not act as open relays.
SMTP Authentication
Organizations that run e-mail must require their end users to use SMTP Authentication (SMTP Auth) before they are allowed to send outbound mail. This is probably the hardest recommendation to implement, but it is one of the most important for preventing outbound spam. SMTP Auth prevents outbound e-mail from being sent until the sender has identified themselves with a username and password. It also lets the organization identify who sent a particular message, because the Message-ID can be logged alongside the authenticated username. If an end user is caught spamming, the logs make it easy to identify and disable that user's account.
SMTP Auth alone is not sufficient to prevent outbound spam. Messages become traceable back to the account that sent them, but the sender can still put any address they like in the envelope sender and the From header, so the message reaches the recipient disguised as someone else. Additional controls are needed to prevent sender forgery and outbound spam.
(SMTP Auth is an IETF standard, defined in RFC 2554 at the time of writing and since superseded by RFC 4954, that has been widely adopted by the Internet community and is supported by almost all e-mail clients today.)
Sender Is Valid Recipient
A technique known as "Sender Is Valid Recipient" (SIVR) gives the enterprise more control over outbound e-mail and over who the sender can claim to be. SIVR requires that the sender of the e-mail, both the envelope sender given in MAIL FROM and the address in the From header, be a valid recipient in the organization's domain. Implemented together with SMTP Auth, SIVR lets the enterprise force senders to use their own true identity for outbound e-mail and reject any message that carries a false return address, in particular one that does not belong to the authenticated user.
Securing The SMTP Connection
Even with SMTP Auth and SIVR in place, you still have to worry about the security of the SMTP connection itself. With the commonly used PLAIN and LOGIN mechanisms, the username and password pass over the wire merely base64-encoded, not encrypted. Anyone able to sniff the network can recover them and use them to send mail as that user.
That makes it crucial to implement STARTTLS (RFC 3207) to encrypt the SMTP session for your end users. By enabling TLS, the successor to Secure Sockets Layer (SSL), at the SMTP layer, the organization can require an encrypted connection before it accepts SMTP Auth from any client, protecting the confidentiality of usernames and passwords during the session; the server should advertise and accept AUTH only after STARTTLS has completed. TLS support for SMTP connections is fairly common in e-mail clients and should not pose a problem for the organization's end users. Require TLS at the same time you roll out SMTP Auth, so that you deal with the client migration issues once rather than twice.
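The following Python is an added example, written for this edition rather than taken from the article or from Mirapoint's product. It models both sides of the exchange described in the last two sections: how a client builds an AUTH PLAIN (and AUTH LOGIN) response, what a passive observer recovers from a constructed cleartext session transcript, and a server-side policy that refuses AUTH until STARTTLS has been negotiated. The host names, the account store, and the password are constructed for the example.

```python
import base64
import hmac

# Constructed account store for the example; a real server would verify
# credentials against a directory, never a plaintext dictionary like this.
ACCOUNTS = {"alice": "correct horse"}


def build_auth_plain(username: str, password: str, authzid: str = "") -> str:
    """Client side: AUTH PLAIN sends base64(authzid NUL authcid NUL password)."""
    raw = authzid.encode() + b"\x00" + username.encode() + b"\x00" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(initial_response: str):
    """Recover (username, password) from an AUTH PLAIN response. base64 is an
    encoding, not encryption, so anyone holding the bytes can do this."""
    parts = base64.b64decode(initial_response, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    _authzid, authcid, password = parts
    return authcid.decode("utf-8"), password.decode("utf-8")


def build_auth_login(username: str, password: str):
    """AUTH LOGIN sends the username and password as two separate base64 lines."""
    return (base64.b64encode(username.encode()).decode("ascii"),
            base64.b64encode(password.encode()).decode("ascii"))


def decode_auth_login(user_line: str, pass_line: str):
    return (base64.b64decode(user_line).decode("utf-8"),
            base64.b64decode(pass_line).decode("utf-8"))


# Constructed transcript of a submission session that never issued STARTTLS.
USERNAME, PASSWORD = "alice", "correct horse"
CLEARTEXT_SESSION = (
    "220 mail.example.com ESMTP\n"
    "EHLO laptop.example.com\n"
    "250-mail.example.com\n"
    "250-AUTH PLAIN LOGIN\n"
    "250 OK\n"
    f"AUTH PLAIN {build_auth_plain(USERNAME, PASSWORD)}\n"
    "235 2.7.0 Authentication successful\n"
    "MAIL FROM:<alice@example.com>\n"
    "250 OK\n"
)


def harvest_credentials(transcript: str):
    """What a passive observer on the network recovers from a cleartext session."""
    found = []
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        fields = line.split()
        if len(fields) == 3 and fields[0].upper() == "AUTH" and fields[1].upper() == "PLAIN":
            found.append(decode_auth_plain(fields[2]))
        elif (len(fields) == 2 and fields[0].upper() == "AUTH"
              and fields[1].upper() == "LOGIN" and i + 4 < len(lines)):
            # The server's two "334" prompts sit between the client's two base64 lines.
            found.append(decode_auth_login(lines[i + 2], lines[i + 4]))
    return found


def ehlo_response(hostname: str, tls_active: bool):
    """Server side of 'TLS before AUTH': offer STARTTLS on the cleartext
    connection and advertise AUTH only once TLS is up."""
    return [f"250-{hostname}",
            "250-AUTH PLAIN LOGIN" if tls_active else "250-STARTTLS",
            "250 OK"]


def handle_auth(command: str, tls_active: bool) -> str:
    """Server reply to an AUTH PLAIN command, refusing it on a cleartext session
    (530 is the reply RFC 3207 specifies for commands that require TLS)."""
    if not tls_active:
        return "530 5.7.0 Must issue a STARTTLS command first"
    fields = command.split()
    if len(fields) != 3 or fields[0].upper() != "AUTH" or fields[1].upper() != "PLAIN":
        return "504 5.5.4 Unrecognized authentication type"
    try:
        user, password = decode_auth_plain(fields[2])
    except ValueError:  # base64 and UTF-8 failures both derive from ValueError
        return "501 5.5.2 Cannot decode response"
    expected = ACCOUNTS.get(user, "")
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return "235 2.7.0 Authentication successful"
    return "535 5.7.8 Authentication credentials invalid"
```

Running `harvest_credentials(CLEARTEXT_SESSION)` returns the account's username and password in the clear, which is the whole argument for requiring STARTTLS; `ehlo_response` and `handle_auth` show the two server-side rules that make the requirement stick (do not advertise AUTH on a cleartext session, and answer 530 if a client tries anyway).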
Masquerading The Sender
An alternative to rejecting messages that fail the SIVR test is Sender Masquerading based on the authenticated end user. Sender Masquerading rewrites the "From" address of outbound e-mail to the authenticated end user's actual e-mail address, which prevents an end user from sending under an alternate or forged address through the organization's mail system. Typically the user's real address is looked up in an internal or external source, such as a Lightweight Directory Access Protocol (LDAP) directory server. Because the "From" address is rewritten, the source of any generated spam is easy to pinpoint: the "From" address clearly identifies the problem account, which can then be disabled, or given a new password if the account has been compromised.
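The SIVR check and the masquerading alternative side by side, as an added example written for this edition and not taken from the article or from Mirapoint's product. It assumes a directory export mapping each authenticated account to its primary address and any aliases (a constructed dictionary stands in for the LDAP lookup), and it checks both the envelope sender and the header From, since either one can carry a forged address.

```python
from email.utils import formataddr, parseaddr

# Constructed stand-in for the LDAP directory: each authenticated account's
# primary address plus any aliases it is entitled to send as.
DIRECTORY = {
    "alice": {"primary": "alice@example.com", "aliases": {"a.smith@example.com"}},
    "bob":   {"primary": "bob@example.com",   "aliases": set()},
}


def addresses_for(account: str):
    entry = DIRECTORY.get(account)
    if entry is None:
        return set()
    return {entry["primary"]} | entry["aliases"]


# Every address a local account may use is, by construction, a valid recipient.
VALID_RECIPIENTS = set().union(*(addresses_for(a) for a in DIRECTORY))


def sender_is_valid_recipient(address: str) -> bool:
    """The bare SIVR test: does this address exist as a recipient in our domain?"""
    return address.lower() in VALID_RECIPIENTS


def enforce_sender(account: str, envelope_from: str, header_from: str, mode: str = "reject"):
    """Apply SIVR to an authenticated submission.

    mode="reject"  -> refuse mail whose sender is not a valid recipient or
                      does not belong to the authenticated account.
    mode="rewrite" -> Sender Masquerading: rewrite the envelope sender and the
                      From header to the account's primary address instead.
    """
    allowed = addresses_for(account)
    if not allowed:
        return {"action": "reject", "reason": "unknown account"}

    env_addr = envelope_from.strip("<>").lower()
    display_name, hdr_addr = parseaddr(header_from)
    claimed = {env_addr, hdr_addr.lower()}

    if claimed <= allowed:
        return {"action": "accept", "envelope_from": env_addr, "header_from": header_from}

    offending = sorted(claimed - allowed)
    if mode == "reject":
        if all(sender_is_valid_recipient(a) for a in offending):
            reason = "sender does not match authenticated account"
        else:
            reason = "sender is not a valid recipient"
        return {"action": "reject", "reason": reason, "offending": offending}

    # Masquerade: keep the display name, replace the address with the real one.
    primary = DIRECTORY[account]["primary"]
    return {
        "action": "rewrite",
        "envelope_from": primary,
        "header_from": formataddr((display_name, primary)),
        "offending": offending,
    }
```

Both reasons for rejection are reported separately because they call for different follow-up: an address that is not a valid recipient at all is usually a misconfigured client or a forgery, while a valid local address that does not belong to the authenticated account is one user sending as another.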
Connection Rate Limiting
Another technique organizations can use to help control outbound spam and virus-bearing messages is to limit connection rates on their SMTP servers. A typical end user sends only a few e-mails every few minutes, whereas spammers, and infected desktop computers being exploited to propagate virus messages, can churn out hundreds or thousands of e-mails a minute. A rate limiter that allows only a few SMTP connections per minute from each client stops that burst from getting out and makes the offending machine easy to detect. Bear in mind that the server can only limit what it sees: workstations must not be able to bypass it by connecting straight to outside mail servers on port 25.
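A sliding-window connection rate limiter replayed over constructed connection timestamps, as an added example written for this edition rather than taken from the article or from Mirapoint's product. The client addresses and timings are made up; the infected host's burst is the pattern the paragraph describes. Production MTAs provide this natively (Postfix, for instance, has `smtpd_client_connection_rate_limit`), so the point of the code is the policy, not a replacement for the MTA's own limiter.

```python
from collections import Counter, defaultdict, deque


class ConnectionRateLimiter:
    """Allow at most `max_connections` per client address in any window of
    `window_seconds`; anything beyond that is deferred (a 4xx reply on the
    wire, so a legitimate client simply retries later)."""

    def __init__(self, max_connections: int, window_seconds: float):
        self.max_connections = max_connections
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)  # client -> timestamps of accepted connections

    def allow(self, client: str, now: float) -> bool:
        history = self._history[client]
        while history and now - history[0] >= self.window_seconds:
            history.popleft()  # drop connections that have aged out of the window
        if len(history) >= self.max_connections:
            return False
        history.append(now)
        return True


def replay(events, max_connections=5, window_seconds=60.0):
    """Run (timestamp, client) connection events through the limiter and
    return per-client accepted and deferred counts."""
    limiter = ConnectionRateLimiter(max_connections, window_seconds)
    accepted, deferred = Counter(), Counter()
    for timestamp, client in sorted(events):
        if limiter.allow(client, timestamp):
            accepted[client] += 1
        else:
            deferred[client] += 1
    return accepted, deferred


def suspected_infected(deferred, threshold: int = 20):
    """Clients deferred far more often than any human user would be."""
    return sorted(client for client, count in deferred.items() if count >= threshold)


# Constructed traffic: a normal workstation sends three messages over seven
# minutes; a worm-infected one opens 200 connections in 30 seconds.
NORMAL_HOST, INFECTED_HOST = "10.0.0.5", "10.0.0.9"
EVENTS = [(0.0, NORMAL_HOST), (180.0, NORMAL_HOST), (420.0, NORMAL_HOST)]
EVENTS += [(0.15 * i, INFECTED_HOST) for i in range(200)]
```

With the default limit of five connections per minute, the normal workstation is never touched, while the infected host gets five connections through and is deferred 195 times, a count that stands out in the logs long before anyone reads the message content.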
Outbound Spam And Virus Scanning
Outbound virus and spam scanning is an important way to help prevent outbreaks from emanating from your network. The best way to keep these threats out of an organization's outbound e-mail traffic is to scan for spam and viruses at both the inbound and the outbound SMTP gateway. Outbound spam scanning in particular lets the e-mail administrator identify trends, monitor end users' outbound e-mail patterns, and quickly target problem users. The spam-scanning engine should run in a pass-through mode where it scans and identifies spam messages but does not reject, discard, or tag them, so that the system retains logs and message information for everything it processes without disrupting legitimate mail.
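The pass-through scan log turned into the per-user view the paragraph describes, as an added example written for this edition and not taken from the article or from Mirapoint's product. The log format and the three accounts are constructed; a real gateway's log lines will look different, so only the regular expression would need changing.

```python
import re
from collections import defaultdict

# Matches the constructed log format produced by constructed_log() below.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ outscan: id=(?P<id>\S+) "
    r"sasl_user=(?P<user>\S+) verdict=(?P<verdict>ham|spam)$"
)


def constructed_log():
    """Constructed outbound scan log. The engine runs in pass-through mode, so
    every message is logged with its verdict and delivered regardless."""
    rows = ([("alice", "ham")] * 4 + [("bob", "ham")] * 3 + [("bob", "spam")]
            + [("carol", "ham")] * 2 + [("carol", "spam")] * 18)
    return [
        f"Apr 11 09:{12 + i // 60:02d}:{i % 60:02d} gw outscan: id=m{i:03d} "
        f"sasl_user={user} verdict={verdict}"
        for i, (user, verdict) in enumerate(rows)
    ]


def summarize(log_lines):
    """Per-user message and spam counts from the pass-through log."""
    stats = defaultdict(lambda: {"messages": 0, "spam": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        entry = stats[m["user"]]
        entry["messages"] += 1
        if m["verdict"] == "spam":
            entry["spam"] += 1
    for entry in stats.values():
        entry["spam_ratio"] = entry["spam"] / entry["messages"]
    return dict(stats)


def problem_users(stats, min_messages=5, min_spam_ratio=0.5):
    """Accounts that sent enough mail to judge and whose outbound mail is mostly spam."""
    return sorted(
        user for user, s in stats.items()
        if s["messages"] >= min_messages and s["spam_ratio"] >= min_spam_ratio
    )
```

The minimum-message threshold matters: a single false positive against a light sender should not get an account disabled, whereas an account whose last twenty messages were nearly all classified as spam is either compromised or misbehaving, and the authenticated username in the log says exactly which one to disable.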
Stripping Off Known Bad Attachments
As an added protection layer at the outbound SMTP gateway, you may also want to strip attachments from e-mails when they are known or suspected to contain malicious content. This helps prevent the spread of new viruses before the virus scanner has signatures for them. File types an enterprise should consider stripping include vbs, pif, and scr, which are well known as file types that have been used to transmit e-mail-borne viruses in the past. Match on the final extension of the file name, so that names such as report.pdf.scr are still caught.
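Stripping blocked attachments from a constructed message with Python's standard email library, as an added example written for this edition and not taken from the article or from Mirapoint's product. The blocked-extension set is the three types the article names (extend it to suit local policy), the message and attachment contents are placeholders, and each removed attachment is replaced by a short text part so the recipient knows something was taken out.

```python
from email.message import EmailMessage

# The three types the article names; extend to suit local policy.
BLOCKED_EXTENSIONS = {"vbs", "pif", "scr"}


def blocked_extension(filename):
    """Return the blocked extension, or None. Only the final extension counts,
    so 'figures.pdf.scr' is caught by its real '.scr' suffix."""
    if not filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def strip_blocked_attachments(msg: EmailMessage):
    """Replace every attachment with a blocked extension by a text part that
    says what was removed. Returns the list of removed file names."""
    removed = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        name = part.get_filename()
        ext = blocked_extension(name)
        if ext is None:
            continue
        part.clear_content()  # drops the payload and every Content-* header
        part.set_content(
            f"[Attachment '{name}' removed by the outbound gateway: "
            f".{ext} files are not permitted.]"
        )
        removed.append(name)
    return removed


def remaining_attachments(msg: EmailMessage):
    """File names of the parts still marked as attachments, in message order."""
    return [part.get_filename() for part in msg.walk() if part.is_attachment()]


def build_sample_message() -> EmailMessage:
    """Constructed outbound message: one legitimate PDF, one screensaver
    executable hiding behind a double extension, one VBScript file. The
    attachment bodies are placeholders, not real file content."""
    msg = EmailMessage()
    msg["From"] = "bob@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="figures.pdf.scr")
    msg.add_attachment("MsgBox \"placeholder\"", subtype="plain",
                       filename="invoice.vbs")
    return msg
```

The decision is made on the file name alone, which is all a gateway has before it can inspect content; that is why the example reports the removed names, so the administrator can see which user sent a `.scr` file and follow up with the outbound scanning logs.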
Today's enterprise faces new challenges in the war on spam, but you have an opportunity to significantly reduce the volume of spam reaching the Internet from inside your company. The seven techniques outlined here are ones enterprises can use to reduce the outbound spam and virus-bearing e-mail that their end user population generates, whether purposefully or inadvertently.
By implementing these technology approaches, organizations can reduce virus transmission in the network, prevent the organization from being listed as a spam originator, and maintain complete accountability over their messaging infrastructure. Some e-mail security appliances deliver both inbound and outbound protection along with support for the key technologies outlined here that matter for outbound e-mail threat management.
Jeff Brainard is Director of Marketing at Mirapoint, an e-mail technology company that makes the RazorGate e-mail security appliance, a product which implements the technologies covered here. For more information, visit www.mirapoint.com.