Email has become the world’s most important form of business communication. The low cost, high efficiency, and ubiquity of email make us wonder what life was like before its widespread adoption. Today the question is no longer “do you have an email address?” but rather “what’s your email address?”.
But email is a victim of its own success. The very attributes that make it so compelling for business communication have also made it attractive to those who use it for illicit and illegal forms of marketing.
Today’s business email systems must contend with an ever-growing volume of spam, viruses, fraudulent or “phishing” email, and (the latest scourge) email-borne spyware. In addition to these inbound threats, companies are growing increasingly aware of the need to stop outbound threats—intellectual property leaving the company by email, or outbound email subject to regulatory requirements.
Sagging under the weight of these unending threats, the infrastructure used to send and receive mail is entering a period of rapid change. New authentication protocols are being developed to attack the spam and virus problems at their core. Also, new techniques and standards are being developed for the handling of bounce messages, a huge headache for the entire Internet community.
This booklet will attempt to cover the basics needed for a modern email security solution:
1. Stopping Spam
2. Stopping Viruses
3. Protecting Your Identity
4. Outbound Scanning
5. Fixing Email
1. Stopping Spam
The first generation of email security solutions used a simple approach to stopping spam—keyword analysis. These early filters would look for words typically found in spam (words like “free”, “Viagra”, or other more spicy language). The filters would typically use a scoring algorithm—if the word “free” occurs next to “Viagra” then it’s probably spam. The problem with this approach was twofold. First, it would frequently trap legitimate messages: Viagra is actually a product used in business, and the word “free” is almost unavoidable in the business lexicon. Second, keyword filtering is relatively easy for spammers to defeat, by using a zero instead of the letter o (I L0ve Y0u) or by padding the message with blocks of ordinary text that fool the filters.
Nearly all modern spam systems have moved to a two-layer defense. The outer layer is known as a reputation filter. A reputation filter asks the simple question, “who is sending this email?” before accepting it. By examining the reputation or sending history of a given sender (in practice, the IP address connecting to the gateway), the vast majority of spam can be eliminated before it even enters the network. The inner layer is content analysis: mail from senders with no clear reputation either way is accepted and then scored on its content, so the more expensive scan is spent only on the traffic the reputation check could not decide.
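As an added worked example (not code from this booklet or from IronPort), here is the two-layer design in Python: an outer reputation check on the connecting IP address, and an inner keyword scorer that undoes the digit-for-letter tricks described above before scoring, and only trips on the co-occurrence of weak signals rather than on a single business word. The reputation table, keyword weights, threshold, and message texts are all constructed for illustration.

```python
import re

# Constructed sender-reputation table keyed by connecting IP (not real data).
# Scores run from -10 (known spam source) to +10 (trusted sender).
REPUTATION = {
    "203.0.113.7": -9,    # known zombie / open relay
    "198.51.100.4": 8,    # established business sender
}

# Inner-layer keyword weights: "free" alone is weak evidence,
# "free" together with "viagra" is strong evidence.
KEYWORDS = {"free": 1.0, "viagra": 2.0, "click here": 1.5}
PAIR_BONUS = {("free", "viagra"): 2.5}
SPAM_THRESHOLD = 4.0

# Substitutions spammers use to dodge naive keyword matching (I L0ve Y0u, V1agra, fr33).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(text: str) -> str:
    """Lower-case and undo simple character substitutions before matching."""
    return text.lower().translate(LEET)


def content_score(body: str) -> float:
    """Inner layer: weighted keyword scoring with a bonus for co-occurring keywords."""
    text = normalize(body)
    hits = {kw for kw in KEYWORDS if re.search(r"\b" + re.escape(kw) + r"\b", text)}
    score = sum(KEYWORDS[kw] for kw in hits)
    for (a, b), bonus in PAIR_BONUS.items():
        if a in hits and b in hits:
            score += bonus
    return score


def reputation_verdict(ip: str, reject_below: int = -5, accept_above: int = 5) -> str:
    """Outer layer: decide on the sender's history before reading a single byte of body."""
    score = REPUTATION.get(ip, 0)   # unknown senders are neutral, not trusted
    if score <= reject_below:
        return "reject"             # refuse at the connection; the body is never scanned
    if score >= accept_above:
        return "accept"             # trusted sender: skip the content layer
    return "scan"                   # undecided: fall through to content analysis


def classify(ip: str, body: str) -> str:
    """Full pipeline: reputation first, content analysis only when reputation is undecided."""
    verdict = reputation_verdict(ip)
    if verdict != "scan":
        return verdict
    return "reject" if content_score(body) >= SPAM_THRESHOLD else "accept"


if __name__ == "__main__":
    # Constructed messages from a neutral (unknown) IP.
    for body in ("Get FR33 V1AGRA today", "The samples are free of charge"):
        print(classify("192.0.2.10", body), content_score(body), body)
```

Note that the rejection for a known bad sender happens before the body exists, which is the point of putting reputation on the outside: it is both cheaper and immune to content obfuscation.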
2. Stopping Viruses
It may not be common knowledge, but spam and viruses originate from the same people. Ninety percent of the viruses seen in the past year were designed to leave behind a small SMTP engine that hijacks an unsuspecting consumer PC and uses it to send out spam. So it’s ironic that the biggest source of spam on the Internet might be the PC your mom or dad has connected to a cable modem, spewing out spam unbeknownst to them.
These “zombie” PCs have proven to be very effective tools to help spammers fool less sophisticated spam filters. So in order to keep their army of zombie PCs alive and growing, spammers need to create new viruses to infect unsuspecting PCs.
The traditional defense against viruses relies on a “signature”, a series of bits that identifies a malicious attachment. While signatures remain a critical component of any virus defense, they have an inherent weakness. No matter how good the anti-virus signature vendor, it takes a finite amount of time—usually about 13 hours—to detect, isolate, characterize, and create a signature for a new virus outbreak. So the bad guys simply release new virus variants every few weeks and get them to spread rapidly during the window in which signatures are still being developed. This is why, despite the widespread use of signatures, email-borne viruses continue to be a major problem for IT teams.
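An added example, not from this booklet or from any vendor, showing the signature gap in Python. A byte signature is lifted from a constructed fake attachment, a one-byte variant of the same attachment slips past it, and a set of outbreak-style rules (executable header, executable extension, executable inside a zip) catches the variant anyway because they key on what the attachment is rather than which variant it is. The sample bytes, the signature name, and the rules are this example’s own assumptions; the booklet does not describe how any particular outbreak-control product works.

```python
import io
import zipfile
from typing import Optional

# Constructed stand-in for a malicious attachment: a fake "MZ" executable header
# followed by a distinctive marker. It is not a real virus.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"this is the payload marker v1" + b"\x00" * 16

# A signature is a byte pattern lifted from the first sample the AV vendor sees.
SIGNATURES = {"Worm.Constructed.A": SAMPLE[16:40]}

# Attachment types an outbreak rule can block without knowing the variant.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def signature_match(data: bytes) -> Optional[str]:
    """Classic AV: return the signature name if its byte pattern occurs in the data."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def make_variant(data: bytes) -> bytes:
    """What the author does every few weeks: change one byte inside the signed region."""
    buf = bytearray(data)
    buf[20] ^= 0x01
    return bytes(buf)


def looks_executable(data: bytes) -> bool:
    """DOS/PE executable header, whatever the file is called."""
    return data[:2] == b"MZ"


def heuristic_verdict(filename: str, data: bytes) -> str:
    """Outbreak-style rules (this example's own): quarantine by attachment type."""
    if filename.lower().endswith(EXEC_EXTENSIONS) or looks_executable(data):
        return "quarantine: executable attachment"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(EXEC_EXTENSIONS) or looks_executable(zf.read(member)):
                    return "quarantine: executable inside archive"
    return "deliver"


def scan(filename: str, data: bytes) -> str:
    """Signature first (precise, names the threat), heuristics second (cover the signature gap)."""
    name = signature_match(data)
    if name:
        return "block: " + name
    return heuristic_verdict(filename, data)


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build a constructed zip attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    variant = make_variant(SAMPLE)
    print(scan("invoice.exe", SAMPLE))                       # caught by signature
    print(signature_match(variant))                          # None: one byte changed
    print(scan("invoice.pdf.exe", variant))                  # caught by heuristic
    print(scan("photos.zip", make_zip("readme.txt", variant)))
    print(scan("report.txt", b"quarterly numbers attached"))
```

The heuristic rules trade precision for coverage: they cannot name the threat and will quarantine some legitimate executables, which is why a product pairs them with a quarantine that releases mail once a signature exists rather than deleting it outright.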
3. Protecting Your Identity
There are two major email pitfalls that every IT manager needs to be aware of—bounce handling and outbound commercial mail. Bounce handling is covered here; outbound commercial mail is addressed under “Segment outbound mail” in the conclusion.
Bounce handling refers to how a mail gateway responds to incoming mail addressed to an invalid recipient. There are two modes of response: conversational bounces and delayed bounces. A conversational bounce occurs during the SMTP conversation itself. Before the receiving mail server acknowledges the message, it checks a directory (such as Microsoft Active Directory) to confirm the recipient address is valid, and answers the RCPT TO command accordingly: “OK, I have it” (a 250 reply) if the address is valid, or “Sorry, I can’t accept it” (a 550 reply) if it is not. The advantage of this approach is that the rejection is delivered directly to the sending mail server over the same connection or “conversation” the message arrived on, so it cannot be redirected or spoofed.
The disadvantage is that it effectively exposes the corporate directory to anyone. Spammers routinely launch “dictionary attacks” in which they guess at likely email addresses and see which ones are accepted (e.g. bob@acme.com, charly@acme.com, etc.). Since the valid/invalid verdict is delivered in the conversation, in a matter of minutes a spammer can have a full list of valid email addresses at a corporation, which in turn can be sold on the Internet for $50 or so, resulting in huge volumes of spam.
To protect their directories, most companies have chosen to issue delayed bounces. With a delayed bounce, the receiving mail server accepts all incoming mail and only then checks for valid addresses. If an address is invalid, it generates a separate email message back to the sender explaining why the message couldn’t be delivered. This separate email is much harder for a spammer to use to automatically harvest a corporate directory, so delayed bounces protect the directory. The cost is that the bounce goes to whatever sender address the message claimed, and spam almost always forges that address, so a gateway issuing delayed bounces ends up sending unsolicited bounce mail to uninvolved third parties, which can get its own outbound IP address blacklisted.
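An added example, not from this booklet, modelling the two bounce modes as a scripted SMTP exchange in Python: in conversational mode the verdict comes back on the RCPT TO reply, and a harvester that probes a few unknown names gets cut off; in delayed mode every recipient is accepted and the bad ones turn into DSNs addressed to the (forged) MAIL FROM. The directory, the addresses, and the per-session limit on unknown recipients (a common defence against directory harvesting, and this example’s own mitigation, not the “secure bounce” the conclusion mentions) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for the corporate directory (an Active Directory lookup in practice).
DIRECTORY = {"alice@acme.example", "bob@acme.example"}

# Dictionary-attack brake for conversational mode: after this many unknown recipients
# in one session the server stops answering and drops the client (example's own choice).
HARVEST_LIMIT = 3


@dataclass
class Session:
    mode: str                              # "conversational" or "delayed"
    mail_from: str = ""
    rcpts: List[str] = field(default_factory=list)
    replies: List[str] = field(default_factory=list)
    unknown: int = 0
    closed: bool = False

    def handle(self, line: str) -> str:
        """Handle one client command and return the server's reply line."""
        if self.closed:
            return "421 4.7.0 connection closed"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("MAIL", "RCPT"):
            if ":" not in arg:
                return "501 5.5.4 syntax error"
            addr = arg.split(":", 1)[1].strip("<> ").lower()
            if verb == "MAIL":
                self.mail_from = addr
                return "250 2.1.0 sender ok"
            if self.mode == "delayed" or addr in DIRECTORY:
                self.rcpts.append(addr)
                return "250 2.1.5 recipient ok"
            # Conversational bounce: the 550 goes back on this very connection, so the
            # sending MTA learns the verdict at once. So does a directory harvester.
            self.unknown += 1
            if self.unknown >= HARVEST_LIMIT:
                self.closed = True
                return "421 4.7.0 too many invalid recipients, closing connection"
            return "550 5.1.1 user unknown"
        if verb == "DATA":
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 bye"
        return "500 5.5.1 command unrecognized"

    def delayed_bounces(self) -> List[Tuple[str, str]]:
        """Delayed mode: after accepting everything, discover the bad recipients and
        queue a DSN to MAIL FROM for each. Spam forges MAIL FROM, so these land on
        innocent third parties (backscatter) and count against our sending reputation."""
        if self.mode != "delayed":
            return []
        return [(self.mail_from, r) for r in self.rcpts if r not in DIRECTORY]


def play(mode: str, commands: List[str]) -> Session:
    """Drive one session through a scripted client and keep the replies."""
    session = Session(mode)
    for command in commands:
        session.replies.append(session.handle(command))
    return session


# Constructed harvesting attempt: one real mailbox, then guesses.
HARVEST = [
    "MAIL FROM:<spammer@forged.example>",
    "RCPT TO:<bob@acme.example>",
    "RCPT TO:<charly@acme.example>",
    "RCPT TO:<dave@acme.example>",
    "RCPT TO:<eve@acme.example>",
    "RCPT TO:<alice@acme.example>",
]

if __name__ == "__main__":
    for mode in ("conversational", "delayed"):
        s = play(mode, HARVEST)
        print(mode, s.replies, s.delayed_bounces())
```

Note what each mode leaks: conversational mode tells the client which names exist but sends nothing to anyone else; delayed mode tells the client nothing, and instead sends three bounces to forged.example, which never sent the message.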
4. Outbound Scanning
There are two factors at work that are driving interest in outbound scanning—regulatory compliance and protection of intellectual property. Regulatory compliance can be put into three basic buckets—the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB) and the Sarbanes-Oxley Act (SOX).
HIPAA requires that any entity handling protected health information (PHI) put very specific safeguards in place to ensure this information is protected. The language around “safeguards” is open to interpretation, but in plain English it means that any company transmitting patient health information such as doctor’s appointments, medical charts, etc. must put in place encryption and access controls to make sure this information isn’t accidentally or intentionally exposed to unauthorized eyes. The original intent of the act was to ensure that an employee with a serious illness who leaves a job won’t be denied health coverage by a new employer; the privacy and security safeguards are part of the same act.
For any company in the healthcare or insurance industry, this is a very significant regulation that requires a deep understanding of the act itself and a thorough review of enterprise-wide workflow to ensure safeguards are in place, back to front. But for small or medium sized businesses that are not specifically in the healthcare industry, there are still potential risks—especially since the HR team at a smaller enterprise may not have experience with the specifics of HIPAA. It’s not inconceivable that an HR generalist may email a patient’s history to an insurance provider—a clear HIPAA violation.
5. Fixing Email
Spam, viruses and fraudulent email have put a massive stress on email infrastructure. The root cause behind this scourge lies in the email protocol itself, SMTP. SMTP was defined in the early 1980s, when the Internet was primarily a tool used by technical people, such as university professors, to collaborate and share information over unreliable data links. To cope with those links, SMTP has provisions that allow an email message to be forwarded from one machine to another, hopping its way to a final destination. At the time this was a trusted network; there was never reason to believe that a message wasn’t actually sent by the person it purports to be from. As a result, the protocol has no capability to validate a sender. So when a message arrives at a company’s mail server claiming to be from george.bush@whitehouse.gov, there is no way for that receiving mail server to know whether it really came from whitehouse.gov. This core weakness is what allows spam to come from a seemingly legitimate sender, viruses to appear to come from someone an end user knows, and fraudulent email to appear to come from a trusted bank or trading site.
Plugging this hole in SMTP will go a long way towards attacking spam and viruses at their core. But it turns out that adding authentication to the email protocol is a relatively complex undertaking, mostly because there are more than 20 million email servers active on the Internet. The approach the Internet community has been taking is to create an overlay protocol that sits on top of SMTP. The two leading proposals are called “Sender ID” and “DomainKeys”. They take very different routes. Sender ID is path-based: a domain publishes in DNS the IP addresses permitted to send mail on its behalf, and the receiver checks the connecting IP against that list. DomainKeys is signature-based: the sending server signs the message with a private key, and the receiver verifies the signature with a public key published in the domain’s DNS. The two are largely complementary, and both are fundamentally changing the way email works.
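An added example (not from this booklet or any vendor) of the path-based side: a simplified evaluator in Python for an SPF-style DNS record, the record syntax that Sender ID builds on. A forged message from an IP the domain never authorized fails, a message from the domain’s own mail exchanger passes, and an “include:” of a third-party mailer is followed. The DNS data, the domains, and the IP addresses are constructed; the real protocols have more mechanisms (exists, ptr, macros, CIDR suffixes on a/mx) than this handles.

```python
import ipaddress
from typing import Dict, Optional

# Constructed DNS zone data; a real receiver would query the resolver instead.
DNS = {
    "txt": {
        "acme.example": "v=spf1 ip4:198.51.100.0/28 mx include:mailer.example -all",
        "mailer.example": "v=spf1 ip4:203.0.113.32/27 ~all",
    },
    "mx": {"acme.example": ["mx1.acme.example"]},
    "a": {"mx1.acme.example": ["198.51.100.20"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_record(domain: str) -> Optional[str]:
    """Return the domain's sender-policy TXT record, if it publishes one."""
    rec = DNS["txt"].get(domain)
    if rec is None or not (rec.startswith("v=spf1") or rec.startswith("spf2.0")):
        return None
    return rec


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the record's mechanisms left to right; the first match decides."""
    if depth > 10:
        return "permerror"               # include: loops are an error, not a pass
    record = get_record(domain)
    if record is None:
        return "none"                    # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = ip in DNS["a"].get(value or domain, [])
        elif name == "mx":
            matched = any(ip in DNS["a"].get(mx, []) for mx in DNS["mx"].get(value or domain, []))
        elif name == "include":
            matched = check_host(ip, value, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end of the record


def check_mail(ip: str, mail_from: str, header_from: str = "") -> Dict[str, str]:
    """Classic SPF evaluates the envelope MAIL FROM domain; Sender ID evaluates the
    Purported Responsible Address taken from the message headers (From:/Sender:)."""
    results = {"mfrom": check_host(ip, mail_from.rsplit("@", 1)[-1].lower())}
    if header_from:
        results["pra"] = check_host(ip, header_from.rsplit("@", 1)[-1].lower())
    return results


if __name__ == "__main__":
    # Constructed cases: authorized IP, the MX itself, the included mailer, and a forgery.
    for ip in ("198.51.100.5", "198.51.100.20", "203.0.113.40", "192.0.2.99"):
        print(ip, check_mail(ip, "bounces@acme.example", "ceo@acme.example"))
```

A receiver that sees “fail” for a domain that publishes “-all” can refuse the message at RCPT TO or DATA time, before any content scanning; a domain that publishes nothing yields “none”, which is the state the conclusion warns will look increasingly suspicious.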
Conclusion
Email security is an ongoing endeavor. Because spam, viruses and fraud are a profitable business, the resources and tactics employed by those who generate this scourge are ever changing. As a result, your email security vendor needs to be committed to innovation. IronPort Systems leads the industry in technical innovation—with the largest research and development team in the industry and the world’s most demanding networks as customers. There are five essential steps to safer email:
1. Use a leading edge spam filtering system that combines reputation and content analysis. A leading edge spam filter should be accurate enough to avoid the need for an end user quarantine or end user whitelist and blacklist controls. These end user facing features just create work for end users and tickets for the IT team.
2. Traditional signature-based anti-virus systems are not sufficient. These systems are widely deployed and yet the world is still plagued by email viruses. The IT team should look for a solution that includes an outbreak control mechanism—it can pay for itself in one outbreak.
3. Scan outbound email. Healthcare and financial services companies have very specific email filtering requirements. All other industries have light requirements, but some safeguards need to be employed to stop good people from doing bad or dumb things.
4. Protect your identity and reputation. Conversational bounces expose the directory. Delayed bounces lead to blacklisting or DDoS attacks. IronPort has a unique “secure bounce” solution that mitigates this problem. Segment outbound mail: put commercial mail on one outbound IP, employee mail on another, and delayed bounces on a third. This practice will protect your reputation on the Internet.
5. Look to the future and stay ahead of the game. Set up a Sender ID record for outbound mail, and look for a solution that supports outbound DomainKeys (DK) signing. Lack of authentication will look increasingly suspicious in the coming 12 months and will lead to disruptions in outbound mail delivery. Look for a vendor that has the R&D resources to stay ahead of email threats. Spam, viruses and fraudulent email are “good” business and are fueling innovation. Look for a vendor that can out-innovate the “bad guys” and keep your email system running trouble free.
