Email Best Practices

Email Security Overview

David Maislin – Director, North American Sales EngineeringApril 12, 2023

2

Understanding Email

3

Understanding Email

CO

MP

OS

E

SEN

D

TR

AN

SP

OR

T

RO

UTE

DELIV

ER

REC

EIV

E

REA

D

ClientsOutlookNotes

GroupWiseWeb Email

OtherProtocolsSMTP: 25Proprietary

ServersExchangeDomino

GroupWiseAppleMailGateways

Other

ProtocolsDNS: 53

LDAP: 389SLDAP: 636

AD: 3268(S)AD: 3269SMTP: 25TLS: 25

RoutesMX Records

orStatic IPs

ServersExchangeDomino

GroupWiseAppleMailGateways

Other

ClientsOutlookNotes

GroupWiseWeb Email

OtherProtocolsPOP: 110IMAP: 143Proprietary

4

As organizations grow expertise is segregatedAs organizations grow expertise is segregated

S

1-2

Shared Knowledge

• Email Servers• LDAP / AD

Shared Knowledge

• Network• DNS• Firewall

Shared Knowledge

• Database

Internal

• Antispam• Consultant(s)• Web Servers

Outsource

M

3-6

Limited Sharing


Limited Sharing

• Network• DNS• Firewall

Knowledge Expert

• Database(s)

Internal

• Antispam• Programmer(s)• Consultant(s)• Web Servers• IT Management

Outsource

L

7-20

Knowledge Expert


Knowledge Expert

• Network• DNS• Firewall• Compliance

Knowledge Expert

• Database(s)

Internal

• Antispam• Programmer(s)• Consultant(s)• Web Servers• IT Management• Help Desk

Outsource

VS

IT Staff:

Outsourced

• Email Servers• LDAP / AD• Antispam• Network• DNS• Firewall• Database• Web Servers

Shared Knowledge

• Generalist

1

XL

20-100+

Knowledge Expert


Knowledge Expert

Knowledge Expert

• Database(s)

Internal

• Antispam• Programmer(s)• Consultant(s)• Web Servers• IT Management• Help Desk• Change Control

Outsource

• Network• DNS• Firewall• Compliance

Size Matters

5

Understanding Compliance

6

Understanding Major Security & Privacy Regulations

HIPAA: Health Insurance Portability & Accountability Act• Mandates specific technology standards and policies that healthcare

organizations must implement for compliance.

GLBA: Gramm-Leach-Bliley Act• Forces financial institutions to design, implement and maintain

necessary safeguards to protect consumers’ nonpublic personal information.

SOX: Sarbanes-Oxley Act• Requires public companies to automate their processes of building audit

trails and control procedures into their IT systems.

CA SB 1386: California Senate Bill 1386• A state regulation that requires companies to implement systems to

detect and prevent security breaches, as well as provide counter-measures and publicly report breaches

7

Other Regulations

SEC 17a-4 and NASD 3010• Requires public companies to keep records for auditing security

transactions, including review of brokers’ communications with the public

FDA 21 CFR Part 11• Controls the authenticity, integrity, non-repudiation and confidentiality

of electronic records

Payment Card Industry (PCI) Data Security Standard• Mandates the protection of credit cardholder and account information

across public networks

USA Patriot Act – Homeland Security• Requires companies to build and maintain an infrastructure that can

report details of information handled and stored online

8

EmailEmail

Email Filtering Compliance StrategyContent-Based Filtering

Sender

Receiver

Subject

Message

Attachment

Sender

Receiver

Subject

Message

Attachment

Message

Subject

ManualTrigger?

SendIn The Clear

Yes

No

Attachment

RegulatedContent?

Encrypt

Yes

No

Sender Receiver

Content-BasedFiltering Strategy

9

Email Filtering Compliance StrategyIdentity-Based Filtering

EmailEmail

Sender

Receiver

Subject

Message

Attachment

Sender

Receiver

Subject

Message

Attachment

Who is thesender?

Who is thereceiver?

Designated?

Authorized?

Encrypt

Content Filter

Yes

No

Encrypt

Content Filter

Yes

No

Sender Receiver

Identity-BasedFiltering Strategy

10

Understanding Email Encryption

11

Understanding Email Encryption

TLS encrypts the network: server to server encryption

S/MIME and PGP can encrypt or sign email: server to server, server to client, client to server, and client to client. Also for authentication purposes

Secure WebMail: Stores encrypted email on the server, retrieved by client

12

Email Encryption Methods - TLS

TLS: Transport Layer Security• Creates a secure connection between email gateways over

which any amount of data can be sent securely using SSL. Note: SSL encryption is only in effect when the email is in transit.

• Gateway to Gateway (company to company) encryption

Benefits:• Seamless partner to partner encryption• Completely transparent to the sender and receiver

Email Servers

Email Gateway

Email Servers

Email Gateway

Internet

13

Email Encryption Methods – S/MIME and PGP

S/MIME and PGP• Encrypts and decrypts the email body and attachments

S/MIME certificates• Gateway to Gateway (company to company)• Gateway to Client (from your company to an external

recipient)• Client to Gateway (from external sender to your

company)

Benefits:• Seamless partner to partner encryption• Completely transparent to the sender and receiver• Automatic harvesting of inbound signing/public

certificates• Generates proxy certificates for any internal employees

via email• Proxy encryption and signing• Proxy decryption

Email Servers

Email Gateway

Email Servers

Email Gateway

Internet

14

Email Encryption Methods – Secure WebMail

• Encrypts email and provides access through a secure web portal

• Gateway to client (from your company to any external recipient)• Universal (zero client side software requirements)• Online and offline secure email• Self registration, zero registration, and automated user

management• Very large email attachment support• Tracking by recipient, by message, and by attachment• Delivery profiles for message, inbox, and portal branding• Roles for message expiration, password requirements, domain

limits, message size, and message quotas.

Benefits:• No learning curve• No client side software Email

Servers

Internet Em

ail n

oti

fica

tio

n

SS

L

15

Employee to Employee Encryption• Protects sensitive internal messages to the desktop• Provides senders with a “Send Secure” button• Solves problems of enrollment, key distribution,

authentication• Uses S/MIME encryption standards• New users receive messages via Web system with links

for enrollment

Benefits:• Adds layer of protection for key internal users• External users receive Secure WebMail• No change to user paradigm• Removes the hassles of managing PKI-based

Email Encryption Methods – Desktop Messenger

Email Servers

Email Gateway

EnrollmentKey Mgt

Authentication

SensitiveInternal

Communication

Internet Em

ail n

oti

fica

tio

n

SS

L

16

File Messenger• Large files route around email servers

Benefits:• End users send files with email applications• Large files don’t waste space on email servers• Track by recipient and attachment• Completely secure• Uses existing standards based technologies• Supports digital signing and encryption using existing

email standards

Messaging Delivery Methods – File Messenger

Email Servers

Internet Em

ail n

oti

fica

tio

n

SS

L

Automaticallyroutes large

files

17

Hosted Solutions

• Hosted solutions present several issues

• Sensitivity of data

• Archive and recovery of sensitive email

• Who is liable if data is lost?

• Viability and volatility of hosting company

• Sender and recipient email addresses can be considered identifiers

• Recipient must sign up with external service to read their confidential data

• Service may use email address lists for other purposes

18

Steganography

• The art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message

• In contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured. Quite often, steganography is hidden in pictures.

• Aren’t we trying to block image based spam already?

A GIF carrier file containing the airport mapOriginal message or attachment

19

Email Encryption – Best Delivery Approaches

Business-to-BusinessBusiness-to-Business

Business-to-ConsumerBusiness-to-Consumer

Employee-to-EmployeeEmployee-to-Employee

Desktopto

Desktop

Desktopto

Desktop

Gatewayto

Desktop

Gatewayto

Desktop

SecureWeb

Delivery

SecureWeb

Delivery

Gatewayto

Gateway

Gatewayto

Gateway

BestPractice

BestPractice

BestPractice

BestPractice

BestPractice

BestPractice

BestPractice

BestPractice

Who?

How?

Tips:• Seek encryption transparency• Select vendor solutions that support industry standards and interoperability• Look for vendor solutions that can provide transparency for both outbound and

inbound secure email• Look to automate the acceptance of customer/member/patient email messages

through a Web portal

20

Domain Key Identified Mail (DKIM)

• Authentication framework for email using public-key cryptography and key server technology to permit verification of the source and contents of messages by either Mail Transfer Agents (MTAs) or Mail User Agents (MUAs).

• The ultimate goal of this framework is to permit a signing domain to assert responsibility for a message, thus protecting message signer identity and the integrity of the messages they convey while retaining the functionality of Internet email as it is known today. Protection of email identity may assist in the global control of "spam" and "phishing".

21

Why Do Spammers Send Spam?

22

Malicious Threats - Worldwide

23

Understanding Malicious Threats – Denials of Service Attacks

They start attacking from network, from all over the Internet…

Denial of Service Attack (DoS)

Too many connections from the one IP

addresses

Distributed Denialof Service Attack (DDoS)

Too many connections from the many IP

addresses (zombies)

Bounce Flood Attack(Smurf)

Attacks of networks using spoofed

domains, causing email bounces to the

intended victim domains

24

Bounce Address Tag Validation (BATV)

• Bounce Address Tag Validation (BATV) defines a framework for mechanisms that validate the value in the “mail from” command.

• Header policies can tag the “mail from” header for outbound email

• MAIL FROM: [email protected]

Is transformed to…

• MAIL FROM: [email protected]

Where =KEY123 is the Bounce Tag

• Only accept inbound email bounces with unique tag in “mail from” header

• Reports can be generated on all BATV violations

mailto:tag%3Ddavid.maislin%[email protected]

25

Understanding Malicious Threats – Directory Harvest Attacks

[email protected]@COMPANY.COM

[email protected]

Directory Harvest Attack(DHA)

550 Email Bounce

During a directory harvest attack, spammers use brute force against an email server to compile comprehensive lists of valid email addresses to use or sell.

Meantime, the plethora of probes overwhelms the email server, creating a denial of service from the vast amount of non-delivery reports the attack generates.

26

Understanding Spamming Techniques

27

Basic Email Network

• Enterprise threats are typically inbound

Out of Control Disk GrowthPerformance Degradation

Spam/Viruses inside networkNo Recipient Validation

EmailServer(s)

28

Basic ISP Email Network

• ISPs are completely different• Threats are inbound• Threats are outbound• Threats are domain to domain

Domain 2

Domain X

Domain 1

InternetInternet

29

Recipient Validation Issues

• Not all invalid recipient email is rejected by all Mail Servers• Mail servers can be part of the problem• Spam can still get through

From: "Kim Browne" [[email protected]]Sent: 11/26/2006 07:49 PMTo: [email protected]: Mississippi catfish Out-milton

are different things, though the words are often used synonymously. a person may be proud without"perhaps," said darcy, "i should have judged better, had i sought an introduction; but i am

Fuzzy logic sent this email to:

[email protected]

30

Some Spam is Hard to Detect

• Not all email is easily recognized as spam• Spammer techniques evolve to bypass filters

From: "Kim Browne" [[email protected]]Sent: 11/26/2006 07:49 PMTo: [email protected]: Mississippi catfish Out-milton

are different things, though the words are often used synonymously. a person may be proud without"perhaps," said darcy, "i should have judged better, had i sought an introduction; but i am

Random phrases containing

Nonsense and gibberish

31

FAKEREAL

Phishing Attacks

32

The Image Spam Problem

• Image spam presents a new challenge to spam filters

• Messages are sent as images instead of text• Gibberish text is inserted to fool content filters• Image files are randomized to avoid signature detection

• Spammers alter every possible file attribute to trick filters

• Changing image size, margins, color shades• Adding random noise, “dust” and “speckles”• Splitting or breaking images• Assembling multiple images into animated GIFs

• The impact has been significant• Spam rates have increased sharply as image spam

bypasses many legacy spam filters• Most vendors have lacked the ability to view or filter image

content 0%

5%

10%

15%

20%

25%

30%

35%

40%

2003 2004 2005 Q1 06 Q2 06 Q3 06

Growth in Image Spam QuantityTumbleweed Message Protection Lab, Nov. 2006

33

Image Spam Techniques

Gibberish text to fool Bayesian filters

Gibberish text to fool Bayesian filters

Obscure fonts to bypassOCR scanning

Obscure fonts to bypassOCR scanning

Randomized pixel “noise” stripes

Randomized pixel “noise” stripes

Random dots and“dust specks”

Random dots and“dust specks”

Changing background colors and patterns

Changing background colors and patterns

Shifting text heightand position to fool

OCR scanning

Shifting text heightand position to fool

OCR scanning

Altering text & backgroundcolors and textures

Altering text & backgroundcolors and textures

34

Adaptive Image Filtering

Use this image…

to identify this image ...

or this image.

35

Clever spamming techniques

Can you spot the difference between these two penguins?

36

Original Image

Original Image HTML TableEach table cell represents a colored pixel

JPG Image2.97K

HTML Table273K

37

≈

Varying Image Spam

Sample

WaveletTransforms

WaveletTransforms

ђэьѓзщҒёҝѕ

Signature

Que

ry

Image Database

ђэьѓзщҒёҝѕЌχϋУέЫЄИдҖλЗςұпжўЫҝЎЉθξӘ

Image Signatures

New Spam

Adaptive Image Filtering Techniques

http://www.nps.gov/revwar/images/about_the_rev/george_washington.gif

38

New Breed of Viruses / Malware

Early days: Typical Viral propagation

0%

20%

40%

60%

80%

100%

0 hr Pea

k

: 6-10

hr

s20

hrs

Inte

ns

ity

Short Span attack

0%

20%

40%

60%

80%

100%

0 hr 3-

7

hrs

Inte

ns

ity

Now: Serial Variants Attack

0%

20%

40%

60%

80%

100%

V.1 V.2 V.3 V.4

Variants Release Timeline

Inte

ns

ity

Rapid spread by zombies and botnets

Signature-based approach not keeping up

10 hours to develop signatures vs. 3-7 hours for attacks to peak

39

Zero-Hour vs. Traditional Anti-Virus

Virus Outbreak Production complements Signature-based Antivirus products

Virus Outbreak Protection McAfee, Kaspersky signature-based AV

Response time Within 1-2 minutes Within 5-10 hours

Services protected Email only Email, Web, IM

Defend Yes Yes

Clean and Repair No Yes

Spyware Defense Block infection Scan after updates

Update mechanism Real-time pull Periodic update of signature pack

CPU Impact Lightweight Heavy load

Multi-wave attacks Catch them all Let some through

2 3 4

Content Filtering

• Lexical Analysis• Weighted Word lists• Regular Expressions• Signature/Hash

Content Filtering


Content Filtering


Behavioral Analysis

• Heuristics• Bayesian• Statistical Analysis• Message intent - AI

Behavioral Analysis


1998-2002 2002-2004 2005

Pattern Detection

• Edge Defense• Outbreak detection• Reputation • Recurrent Pattern

Content Filtering

Behavioral Analysis


Pattern Detection

• Edge Defense• Outbreak detection• IP Reputation • Recurrent Pattern


2007

5

Image Filtering

• Image Pattern Analysis • Adaptive Image Filtering• Dynamic Engine Update

The Continuing Fight Against Spammers

• Effective anti-spam requires expertise, constant adaptation, layering of new techniques

• Effective anti-spam requires expertise, constant adaptation, layering of new techniques

41

Common Architectural Deployment Mistakes

42

The Single Box Solution?

Spam Appliance 1

MX Record: mycompany.com215.23.3.130

EmailServer

192.168.1.125

Firewall

If it can fail, it will!

One box, no matter how amazing the architecture is still a single point of failure.

Networks can fail too.

Remember that email is the most important and ubiquitous application in your company.

192.168.1.130

43

The Single Box Solution?

Spam Appliance 1


EmailServer

192.168.1.125

Firewall

Plan for redundancy and failure around hardware and networks!

Start with the best hardware and work down, not the cheapest.

192.168.2.130

Spam Appliance 2

192.168.1.130

44

LDAP Mistakes

Spam Appliance 1

EmailServer

192.168.1.125

Firewall

Everything looks greatRedundancy is everywhere

What could go wrong?

192.168.2.130

Spam Appliance 2

192.168.1.110

LDAP 1

LDAP 2

ServiceAccount Bind

ServiceAccount Bind

192.168.1.130

192.168.1.111

45

LDAP Mistakes

Spam Appliance 1

EmailServer

192.168.1.125

Firewall

LDAP account gets locked outMoved LDAP user when bind DN was unique

Resetting password is pointless as it will automatically lock againCustomer perceives this is as a product issue

192.168.2.130

Spam Appliance 2

192.168.1.110

LDAP 1

LDAP 2

ServiceAccount Bind

ServiceAccount Bind

192.168.1.130

192.168.1.111

46

Network Mistakes

Spam Appliance 1

EmailServer

192.168.1.125

Firewall

Recipient validation stopped workingCustomer blames product

States nothing has changed

192.168.2.130

Spam Appliance 2

192.168.1.110

LDAP 1

LDAP 2

LDAP Bind

LDAP Bind

192.168.1.130

192.168.1.111

47

Network Mistakes

Spam Appliance 1

EmailServer

192.168.1.125

Firewall

The Firewall rules changedThe ISP changed

The DNS ChangedThey are using DNS names instead of IP Address

192.168.2.130

Spam Appliance 2

192.168.1.110

LDAP 1

LDAP 2

LDAP Bind

LDAP Bind

192.168.1.130

192.168.1.111

48

Incompetence - Spam Still Gets Through!

Spam Appliance 1

EmailServer


192.168.1.125192.168.1.130

Spam Appliance 2

192.168.1.131

Spam Appliance 3

192.168.1.132

Firewall

49

Solutions Work…. The Email Architecture Does Not

Spam Appliance 1

EmailServer

MX Record 1: mycompany.com215.23.3.130

192.168.1.125192.168.1.130

Spam Appliance 2

192.168.1.131

Spam Appliance 3

192.168.1.132

MX Record 2: mycompany.com215.23.3.125

MX Record 3: isp.mycompany.com220.1.23.5

WebMail: webmail.mycompany.com215.23.3.131

ISP Mail Server

Examine All MX Records!

Examine All WebMail Ports!

Firewall

50

The Case of the Nasty NAT

Firewall

EmailServer

&WebMail


Firewall NATs215.23.3.120 to192.168.1.125

192.168.1.125

DNS Record: webmail.mycompany.com215.23.3.120

51

The Case of the Nasty NAT: What Happens to WebMail?

Firewall

Spam ApplianceEmailServer

&WebMail


Firewall now NATs215.23.3.120 to192.168.1.130

192.168.1.125


192.168.1.130

52

The Case of the Nasty NAT: Add Public IP & NAT to WebMail

Firewall

Spam ApplianceEmailServer

&WebMail


Firewall now NATs215.23.3.120 to192.168.1.130

192.168.1.125


192.168.1.130

It is not always a drop-in appliance solution.

It is a consultative approach to solving real world problems

53

Mail Servers Mail Servers Mail Servers Mail Servers Mail Servers Mail ServersMail Servers Mail Servers Mail Servers Mail Servers Mail Servers Mail Servers


Spam Gateway Spam Gateway Spam Gateway Spam Gateway Spam Gateway Spam Gateway Spam Gateway Spam Gateway

Internet

Internet

Mail Servers Mail Servers Mail Servers Mail Servers Mail Servers Mail Servers

SMTP1 SMTP2 SMTP3 SMTP4 SMTP5 SMTP6 SMTP7 SMTP8

Email Architecture Issues

• Tiered MX records can cause performance issues• Uneven distribution of inbound and outbound email• Email queues can backup during email peak periods

MX 1030%

MX 2020%

MX 3010%

MX 405%

MX 505%

MX 605%

MX 7010%

MX 8015%

Datacenter 1 Datacenter 2

54





SMTP1 SMTP2 SMTP3 SMTP4

Load Balancers Deployed, but No Recipient Validation

• No recipient validation passes mail to email server• Some email servers use closest match and some spam makes it through• Emails bounce and are processed many times causing extra network traffic, slow

performance, quarantining of invalid email, and backup of invalid email

MX1050%

MX1050%

Load Balancer Load Balancer

Internet

InternetDatacenter 1 Datacenter 2

55





SMTP1 SMTP2 SMTP3 SMTP4 SMTP5 SMTP6 SMTP7 SMTP8

Load Balancers and Recipient Validation Deployed

• Recipient validation allows email in for valid recipients only• 100% of invalid recipient email dropped at gateway• No more email bounces• Improved mail server performance, no more quarantining invalid email

MX1050%

MX1050%

Load Balancer Load Balancer

LDAP2 LDAP4LDAP3LDAP1

Internet

InternetDatacenter 1 Datacenter 2

56

Trends by Content and IP

57

Trends by DNS Black List and IP

58

Trends by Denial of Server and IP

59

Trending Produces Results

60

IP Layer Blocking

• Trends occur by IP address• Permanently block ranges of IP addresses at the network layer• No need to ever scan content when a connection can’t be made• Spammers can’t circumvent IP blocks

61

Spam, phishing, viruses, DoS, and DHA attacks sent from all over the Internet.

Inbound Email Best Practices – Before

No recipient verification causes email bounces. These emails clog up queues on some relays while leaving others completely idle.

With no redundancy and no load balancing, hardware failures will result in considerable downtime

Spam bounces cause queues to build up with useless NDR bounced emails

End user and email administrator time is wasted with unwanted emails and countless help desk calls.

62

Spammers are identified at the source and blocked by real-time messaging technologies and reputation filters.

Server-based clustering and load balancing guarantees that both inbound and outbound email routes are protected

Offensive emails disappear, encryption options are numerous, and compliance is transparent.

Recipient verification, reverse DNS lookups, anti-spam technologies and trend analysis put an end to spam.

Gateway based clustering and load balancing ensures uptime

Inbound Email Best Practices – After

63

Questions?

Email Best Practices

Documents

Transcript of Email Best Practices