By Lawrence C. Miller, Peter H. Gregory

Email has emerged as one of the most important communication mediums in our global economy, with over 50 billion email messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that email volume. Spam is more than a minor nuisance — it’s a serious security threat to all organizations worldwide.

The Simple Mail Transfer Protocol (SMTP) is used to send and receive email across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail, regardless of whether the sender’s or recipient’s address is valid.

Failing to secure your organization’s mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you’ll eventually (it usually doesn’t take more than a few days) get blacklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most (if not all) email communications from your organization reaching their intended recipients. It usually takes several months to get removed from those RBLs after you’ve been blacklisted, and it does significant damage to your organization’s communications infrastructure and credibility.

Using RBLs is only one method to combat spam, and it’s generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists aren’t perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you’ll curse their existence — it’s a case in which the cure is sometimes worse than the disease.
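The two mechanisms just described, the relay decision a mail server makes for each message and the RBL lookup, can be seen side by side in a small model. The following is an added example written for this page, not code from the authors or from any mail server product: `open_relay_policy` behaves like the default-forward-everything configuration the text warns about, `hardened_policy` relays only for local recipients, trusted networks or authenticated clients and refuses clients found on a blocklist, and `dnsbl_query_name` builds the reversed-octet name a real RBL query would resolve. The domains, network ranges, blocklist zone and the in-memory "DNS answers" are all constructed placeholders (RFC 5737 test addresses); a real deployment would resolve the query name with DNS instead of looking it up in a dictionary.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical settings for the server being modelled.
LOCAL_DOMAINS = {"example.com"}                              # domains this server hosts
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]    # internal LAN (TEST-NET-1)
RBL_ZONE = "rbl.example.invalid"                             # placeholder blocklist zone, not a real RBL

# Constructed stand-in for DNS: the names our placeholder RBL "answers" for.
# 203.0.113.10 is listed; everything else is not.
CONSTRUCTED_DNSBL_ANSWERS = {
    "10.113.0.203.rbl.example.invalid": "127.0.0.2",
}


@dataclass
class Envelope:
    """The parts of an SMTP transaction a relay decision depends on."""
    client_ip: str          # address of the connecting client
    mail_from: str          # envelope sender (MAIL FROM)
    rcpt_to: str            # envelope recipient (RCPT TO)
    authenticated: bool = False   # did the client log in (SMTP AUTH)?


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def dnsbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str = RBL_ZONE) -> bool:
    """Consult the constructed blocklist (a real server would do a DNS lookup here)."""
    return dnsbl_query_name(ip, zone) in CONSTRUCTED_DNSBL_ANSWERS


def open_relay_policy(env: Envelope) -> str:
    """The default-style behaviour the text warns about: relay for anyone, to anywhere."""
    return "accept"


def hardened_policy(env: Envelope) -> str:
    """Relay only for our own domains, our own networks or authenticated users."""
    if is_listed(env.client_ip):
        return "reject: client listed on RBL"
    if domain_of(env.rcpt_to) in LOCAL_DOMAINS:
        return "accept"          # inbound mail for a domain we host
    client = ipaddress.ip_address(env.client_ip)
    if env.authenticated or any(client in net for net in TRUSTED_NETWORKS):
        return "accept"          # outbound mail from our own users
    return "reject: relaying denied"


if __name__ == "__main__":
    # Constructed sample transactions: an outside client trying to use us as a relay,
    # inbound mail for a local user, and outbound mail from the internal LAN.
    samples = [
        Envelope("203.0.113.10", "spammer@evil.example", "victim@other.example"),
        Envelope("198.51.100.7", "spammer@evil.example", "victim@other.example"),
        Envelope("198.51.100.7", "someone@other.example", "user@example.com"),
        Envelope("192.0.2.5", "user@example.com", "friend@other.example"),
    ]
    for env in samples:
        print(f"{env.client_ip:>14} -> {env.rcpt_to:<22} "
              f"open relay: {open_relay_policy(env):<6} hardened: {hardened_policy(env)}")
```

The first two sample transactions are the open-relay case: the default policy accepts both, while the hardened policy rejects one because its client is on the blocklist and the other because neither endpoint belongs to the organization. The last two are the only relaying a server should normally perform: inbound mail for its own domains and outbound mail from its own networks or authenticated users.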

Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic emails sent by a spammer to his or her corporate email address.

Other risks associated with spam email include

  • Missing or deleting important emails: Your boss might inadvertently delete that email authorizing your promotion and pay raise because her inbox is flooded with spam and she gets trigger-happy with the Delete button — at least it’s a convenient excuse!
  • Viruses and other mail-icious code: Although you seem to hear less about viruses in recent years, they’re still prevalent, and email remains the favored medium for propagating them.
  • Phishing and pharming scams: Phishing and pharming attacks, in which victims are lured to an apparently legitimate website (typically online banking or auctions) ostensibly to validate their personal account information, are usually perpetrated through mass mailings. It’s a complex scam increasingly perpetrated by organized criminals. Ultimately, phishing and pharming scams cost the victim his or her moolah — and possibly his or her identity.

Countering these threats requires an arsenal of technical solutions and user-awareness efforts and is — at least, for now — a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ, and unnecessary or unused services should be disabled — and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user-awareness tips:

  • Never unsubscribe or reply to spam email. Unsubscribe links in spam emails are often used to confirm the legitimacy of your email address, which can then be added to mass-mailing lists that are sold to other spammers. And, as tempting as it is to tell a spammer what you really think of his or her irresistible offer to enhance your social life or improve your financial portfolio, most spammers don’t actually read your replies and (unfortunately) aren’t likely to follow your suggestion that they jump off a cliff.

Although legitimate offers from well-known retailers or newsletters from professional organizations may be thought of as spam by many people, it’s likely that, at some point, a recipient of such a mass mailing actually signed up for that stuff — so it’s technically not spam. Everyone seems to want your email address whenever you fill out an application for something, and providing your email address often translates to an open invitation for them to tell you about every sale from here to eternity. In such cases, senders are required by U.S. law to provide an Unsubscribe hyperlink in their mass mailings, and clicking it does remove the recipient from future mailings.

  • Don’t send auto-reply messages to Internet email addresses (if possible). Mail servers can be configured not to send auto-reply messages (such as out-of-office messages) to Internet email addresses. However, this setting may not be (and probably isn’t) practical in your organization. Be aware of the implications — auto-reply rules don’t discriminate against spammers, so the spammers know when you’re on vacation, too!
  • Get a firewall for your home computer before you connect it to the Internet. This admonishment is particularly true if you’re using a high-speed cable or DSL modem. Typically, a home computer that has high-speed access will be scanned within minutes of being connected to the Internet. And if it isn’t protected by a firewall, this computer will almost certainly be compromised and become an unsuspecting zombie in some spammer’s bot-net army (over 250,000 new zombies are added to the Internet every day!). Then, you’ll become part of the problem because your home computer and Internet bandwidth are used to send spam and phishing emails to thousands of other victims around the world, and you’ll be left wondering why your brand-new state-of-the-art home computer is suddenly so slow and your blazing new high-speed Internet connection isn’t so high-speed just two weeks after you got it.

Your end users don’t have to be CISSP-certified to secure their home computers. A simple firewall software package that has a basic configuration is usually enough to deter the majority of today’s hackers — most are using automated tools to scan the Internet and don’t bother to slow down for a computer that presents even the slightest challenge. Size matters in these bot-net armies, and far too many unprotected computers are out there to waste time (even a few minutes) defeating your firewall.

Spam is only the tip of the iceberg. Get ready for emerging threats such as SPIM (spam over instant messaging) and SPIT (spam over Internet telephony) that will up the ante in the battle for messaging security.

Other email security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively.

Several applications employing various cryptographic techniques have been developed to provide confidentiality, integrity, authentication, non-repudiation, and access control for email communications.

  • Secure Multipurpose Internet Mail Extensions (S/MIME): S/MIME is a secure method of sending email incorporated into several popular browsers and email applications. S/MIME provides confidentiality and authentication by using the RSA asymmetric key system, digital signatures, and X.509 digital certificates. S/MIME complies with the Public Key Cryptography Standard (PKCS) #7 format and is an Internet Engineering Task Force (IETF) specification.
  • MIME Object Security Services (MOSS): MOSS provides confidentiality, integrity, identification and authentication, and non-repudiation by using MD2 or MD5, RSA asymmetric keys, and DES. MOSS has never been widely implemented or used, primarily because of the popularity of PGP.
  • Privacy Enhanced Mail (PEM): PEM was proposed as a PKCS-compliant standard by the IETF, but has never been widely implemented or used. It provides confidentiality and authentication by using 3DES for encryption, MD2 or MD5 message digests, X.509 digital certificates, and the RSA asymmetric system for digital signatures and secure key distribution.
  • Pretty Good Privacy (PGP): PGP is a popular email encryption application. It provides confidentiality and authentication by using the IDEA Cipher for encryption and the RSA asymmetric system for digital signatures and secure key distribution. Instead of a central Certificate Authority (CA), PGP uses a decentralized trust model (in which the communicating parties implicitly trust each other) which is ideally suited for smaller groups to validate user identity (instead of using PKI infrastructure, which can be costly and difficult to maintain).

Today, two basic versions of PGP software are available: a commercial version from Symantec Corporation, and an open-source version, GPG.