Email Security in the 21st Century (upload title: "bao mat email the ky 21")

Upload: trung-ngo

Post on 07-Apr-2018

8/3/2019 Bao Mat Email the Ky 21 (1/38)

ITPro Series

Spam Fighting & Email Security for the 21st Century

By Dustin Puryear

Contents

Better Understanding Corporate Risk ........ 1
Increased Corporate Liability ........ 2
Targeted Attacks on Corporate Information ........ 2
Defining Email Security ........ 2
Email Security and CIA ........ 4
Confidentiality ........ 4
Integrity ........ 5
Availability ........ 6
Attacks Against End Users ........ 6
Spam Attack! ........ 6
How Spammers Obtain Addresses ........ 8
Phishing ........ 9
Viruses ........ 11
Trojan Horses ........ 12
Spyware ........ 12
Sidebar: Attacks Against Mobile Users ........ 13
Attacks Against Mail Systems and Servers ........ 14
Buffer-Overflow Exploits ........ 15
DHAs ........ 15
DoS Attacks ........ 15
Attacks Against Email ........ 16
Finding and Deploying Solutions and Countermeasures ........ 16
Stopping Spam and Phishing Attacks ........ 16
Signature-based Filters ........ 17
Distributed Signature Databases ........ 18
Rule-based Filters ........ 19
Filtering Based on Lists ........ 20
Blacklists ........ 20
RBLs ........ 21
Whitelists ........ 21
Challenge-Response Systems ........ 21
Graylists ........ 23
Learning Systems ........ 23
MTA-level Controls ........ 25
Combining Antispam and Anti-Phishing Solutions ........ 25
Stopping Virus, Trojan Horse, and Spyware Attacks ........ 26
Reactive Systems ........ 26
Predictive Systems ........ 27
Heuristic Filters ........ 28
Behavioral Analysis ........ 28
Traffic Analysis ........ 28
The Layered Defense ........ 28
Stopping Attacks Against Mail Systems and Servers ........ 30
Buffer-Overflow Exploits ........ 30
Avoiding Server Compromise ........ 31
Network Appliances ........ 31
Managed Services ........ 32
Integrated Software ........ 33
DoS Attacks and DHAs ........ 33
Strength in Diversity: Combining Solutions ........ 34
Achieving Email Security in the 21st Century ........ 34

http://www.ironport.com/
http://www.windowsitlibrary.com/Ebooks

Brought to you by IronPort and Windows IT Pro eBooks

Spam Fighting and Email Security for the 21st Century

Email has changed the way that business is conducted: how we communicate our thoughts, share new ideas, plan budgets, schedule meetings, and even archive the history of a company. Simply put, email has revolutionized communication, which is no small feat. In the past two centuries, only the advent of the telegraph and the telephone have revolutionized communication to the same degree.

In this light, it's easy to see that email is a crucial component of the modern world. But email is at risk because it's under constant attack. Spam overloads mail servers and fills end-user mailboxes. Viruses attack servers and threaten to overwhelm antivirus software on end-user workstations. Phishing attacks present new risks to an undereducated population. Because of these threats, email security is taking a central role in information security policies and, just as importantly, in information security budgets. To ensure the wise use of your information security budget, you must understand email security, including its subcomponents and its relationship to the larger concept of information security. You'll then be able to assess potential attacks, design solutions, budget for those solutions, and ultimately implement protective measures.

In this eBook, Spam Fighting and Email Security for the 21st Century, I discuss the concept of email security and how it relates to your organization. Email is so important today that leaving it unmanaged and unprotected is simply out of the question; this eBook provides some insight into how you can best protect this crucial asset. I begin by discussing several broad areas, including corporate risk, email security, how email security and the information security concepts of confidentiality, integrity, and availability (collectively known as CIA) work together, and the different kinds of attacks to which email is vulnerable. With these concepts and vulnerabilities in mind, I present solutions that have been field-tested on Internet-facing systems that large and small organizations use worldwide.

Better Understanding Corporate Risk

Before I turn to the technical details of handling email attacks, it's important to explore the need to mitigate risk at the corporate level. Modern corporate culture around the world revolves around electronic mail. Indeed, email has come to serve as both the primary medium for communication and the storage mechanism used to detail how a company has evolved over the years. Email's usefulness presents corporations with an interesting dilemma. It enables employees to more easily communicate within the organization and with outside parties, but it also poses new and dangerous avenues of attack.


Note

Currently, you hear a lot about content filtering and email compliance. These terms are important because they describe real-world safeguards against both intentional and unintentional misuse of email. Content filtering lets a company control what it permits in an email message (e.g., whether an email can contain patient medical details). Email compliance is a broad term that indicates how email must adhere to the overall company regulations. Those internal regulations are often dictated in large part by a parent country's regulations. Adherence to policies and regulations can protect a company against lawsuits and criminal action, especially if internal systems are used for illegal purposes.

Increased Corporate Liability

One of the most high-profile corporate risks involving email is the increase in corporate liability because of unfiltered email. For example, if an employee is sexually harassed through email messages (e.g., forwarded sexually explicit jokes), that occurrence can be as damaging as if the employee were sexually harassed in another manner. Also, companies must ensure that they comply with government regulations concerning how and when information can be disclosed. Being able to manage such corporate risk is crucial.

Regarding corporate liability, perhaps the most important consideration is whether an organization can properly provide content filtering and follow through to address violations. Content filtering should let management determine whether email messages meet the criteria of a given rule (e.g., contain sexually explicit comments), and when that rule is triggered, follow an action such as forwarding the offending email message to a manager or to Human Resources (HR). Unlike spam or virus filtering, which usually drops an offending email message, content filtering typically requires a higher level of sophistication from both the supporting server software and from the people administering that software. Ultimately, due diligence is crucial in this area.

Targeted Attacks on Corporate Information

Although many attacks are still unorganized attempts to gather information from consumers, targeted attacks are becoming increasingly frequent. Because of a lack of end-user education in many businesses, end users are quite capable of inadvertently divulging key corporate information and even internal network logon information to both external and internal attackers. As the level of Internet sophistication in the criminal world grows, organized attacks against large corporations and government agencies are of increasing concern.

Defining Email Security

Email security includes protecting mail systems, email message content, and end users. I group these components together under the label of email security because they're interdependent. Figure 1 shows the layers of email security.

Figure 1 The layers of email security

The outermost layer is comprised of end users. This layer contains the people (or software agents) that write and read email messages, attach Microsoft Word documents, and forward daily jokes to one another. This layer interacts with the mail infrastructure that accepts email, processes it, and delivers it to another user.

The second layer contains mail systems (i.e., the mail infrastructure). As Figure 2 shows, mail systems provide the infrastructure that supports email, including components such as Message Transfer Agents (MTAs), for example, Sendmail, Postfix, Qmail, and groupware servers that contain MTAs, such as Microsoft Exchange and Lotus Notes.

Figure 2 Mail infrastructure

[Figure 1 diagram labels: End Users; Mail Infrastructure; Email. Figure 2 diagram labels: Human User; Software Agent; Mail Server/MTA; Web Mail Server; Directory Server; Internet.]

Finally, email messages form the innermost layer (the core). Generally, the mail infrastructure provides an important layer between the end user and email, especially in terms of email security as it relates to CIA.

Each layer requires its own type of protection. For example, end users require heightened security against viruses and phishing attacks, while mail systems must be specially hardened against attacks such as buffer-overflow exploits and worms. Ultimately, however, all three realms are part of the domain of email security. Email can't be truly secure unless all three areas are equally well protected. It's not effective to harden mail servers against a worm if a targeted phishing attack can easily compromise end users.

Email Security and CIA

Much of modern information security revolves around CIA. Failure to maintain one or more of these elements (confidentiality, integrity, and availability) can have far-reaching effects on your organization (e.g., the exposure of privileged information). The next three sections of text explore how CIA information security concepts apply to email security. Exploring each area separately lets you better define problem areas and begin to find solutions. Additionally, applying CIA as a framework lets you see how you can leverage best practices that have been well-tested in other realms of information security to secure the email infrastructure. Keep in mind that the CIA model has its limitations; I use it here to provide a framework for discussion.

Confidentiality

Confidentiality requires that access to information be limited to authorized users only (or, conversely, that unauthorized users not be able to access protected information). Confidentiality relies on two core components: authentication and authorization.

Authentication (aka identification and authentication) determines who users are and verifies that they are who they claim to be. You perform identification and authentication by using one or more of the following elements:

Something the user knows: This approach relies on the user's knowledge (e.g., a passphrase, a username and password combination).

Something the user has: This approach relies on something the user possesses (e.g., a key to a lock).

Something the user is: This approach relies on something specific to the user (e.g., voiceprint, fingerprint).

Generally, it's assumed that using more than one approach or mechanism for identification and authentication is stronger than using a single approach. Using all three mechanisms provides the strongest identification and authentication process, assuming each mechanism is well designed and implemented. In the realm of email security, you can apply identification and authentication at multiple levels. Specifically, you can apply identification and authentication to each step of email delivery. For example, when mail is initially delivered to a mail server, the server can require that the sender identify itself, as the code in Figure 3 shows.

Figure 3 Identification and authentication during email delivery

    220 mail.domain.com ESMTP Postfix

    HELO example.com

    250 mail.domain.com

    MAIL FROM:

    250 Ok

    RCPT TO:

    250 Ok

    DATA

    354 End data with .

In SMTP, identification is performed by using the HELO command. However, HELO provides identification only, not authentication. That is, SMTP doesn't provide a method for validating that users are who they claim to be. The lack of authentication is one reason spoofing works so well. Currently, no widely deployed mechanism can validate a sender's identity.

Authorization, or access control, is the second requirement for enforcing confidentiality. It requires that identification and authentication be performed to ensure the identity of the user. (Identity determines which set of access control rules should be applied.) Authorization is the application of access control rules between a user and a set of resources, such as a user's access to her or his mailbox or the ability of a mail server to relay mail for a client.

Note

Early in the history of the Internet, mail servers were configured out-of-the-box to relay mail for any client. In the past decade, the growth of spam has resulted in a reversal of this default configuration. Now, most mail servers, by default, won't relay mail. The new default helps to prevent spammers from usurping an organization's mail server for their own purposes, but it also makes it more difficult for remote users to relay mail through their organization's server. (Current solutions for remote user access include POP-Before-SMTP and SMTP Authentication (SMTP AUTH).)
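The exchange in Figure 3 and the relay policy described in the Note, as an added example that is not part of the original eBook: a simulated server-side SMTP session (Python, standard library only) that records the HELO name without being able to verify it, accepts mail for its own domain from anyone, and refuses to relay to outside domains unless the client has completed SMTP AUTH PLAIN. The host name mail.domain.com comes from Figure 3; the local domain example.com, the user alice and her credential are constructed for the demo.

```python
"""Simulated SMTP server session: identification (HELO) versus authentication
(AUTH) and relay authorization. Added example, not the eBook's code. Assumes a
hypothetical MTA mail.domain.com serving example.com with one constructed
AUTH PLAIN credential; nothing here touches the network."""
import base64
import re

LOCAL_DOMAINS = {"example.com"}                    # domains this MTA delivers for
# Constructed credential for the demo only (a real MTA checks a password store).
AUTH_USERS = {"alice": "correct horse battery staple"}


class SmtpSession:
    """Processes one client line at a time and returns the server reply."""

    def __init__(self):
        self.helo_name = None        # what the client *claims* to be; never verified
        self.auth_user = None        # set only after a successful AUTH
        self.mail_from = None
        self.rcpts = []
        self.in_data = False

    def handle(self, line: str) -> str:
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 Ok: queued"
            return ""                # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            # Identification only: the name is recorded, but nothing checks it.
            self.helo_name = arg.strip()
            return "250 mail.domain.com"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return "250 Ok"
        if verb == "RCPT":
            return self._rcpt(_addr(arg))
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _auth(self, arg: str) -> str:
        # AUTH PLAIN <base64("\0user\0password")>, the RFC 4616 form.
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _authz, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:           # bad base64, bad UTF-8 or wrong field count
            return "501 5.5.2 Cannot decode response"
        if AUTH_USERS.get(user) == password:
            self.auth_user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication failed"

    def _rcpt(self, rcpt: str) -> str:
        # Authorization: local delivery is open to anyone; relaying to other
        # domains requires an authenticated user (the modern closed-relay default).
        domain = rcpt.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS or self.auth_user is not None:
            self.rcpts.append(rcpt)
            return "250 Ok"
        return "554 5.7.1 <%s>: Relay access denied" % rcpt


def _addr(arg: str) -> str:
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.partition(":")[2].strip()


def run_session(commands):
    """Feed client lines to a fresh session; return the non-empty server replies."""
    session = SmtpSession()
    return [r for r in (session.handle(c) for c in commands) if r]


def auth_plain(user: str, password: str) -> str:
    """Build the base64 blob a client sends with AUTH PLAIN."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()


if __name__ == "__main__":
    # A client may claim any HELO name; without AUTH it cannot relay outward...
    print(run_session(["HELO example.com", "MAIL FROM:<spammer@spam.test>",
                       "RCPT TO:<victim@other.test>"]))
    # ...but an authenticated user can.
    print(run_session(["EHLO laptop", "AUTH PLAIN " + auth_plain("alice", "correct horse battery staple"),
                       "MAIL FROM:<alice@example.com>", "RCPT TO:<friend@other.test>",
                       "DATA", "Hello", "."]))
```

The HELO branch is the whole point of the figure: the session stores whatever name the client sends and nothing in the protocol lets the server confirm it, so identity for relaying decisions has to come from AUTH (or another mechanism) rather than from HELO.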

Integrity

Integrity ensures that information is trustworthy (i.e., legitimate). Integrity is vital to information security; it offers assurance that any information or resource you use is accurate (where accurate means that the information is as originally created; it hasn't been modified).

Until recently, no widely deployed mechanisms on the Internet could ensure email integrity. For example, attackers who compromised an ISP's mail server could replace an original email message en route with their own version. The final recipient had no way to know what had occurred. Fortunately, modern solutions such as pretty good privacy (PGP) and Secure MIME (S/MIME) provide a way to ensure the integrity of an email message with the use of a message digest.
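How a message digest provides integrity against the compromised-relay scenario above, as an added example that is not the eBook's code nor the PGP or S/MIME implementations: a bare SHA-256 digest sent with the message can be recomputed by whoever rewrites the message, so it catches only accidental corruption; PGP and S/MIME therefore sign the digest with the sender's private key. To stay within Python's standard library, the example stands in for that public-key signature with an HMAC under a constructed shared key, which is an assumption of the demo and not what the protocols actually use.

```python
"""Message-digest integrity for email. Added example, not the eBook's or the
PGP/S-MIME projects' code. An unkeyed SHA-256 digest only detects accidental
damage; a digest bound to the sender's key detects deliberate replacement.
PGP/S-MIME bind it with a public-key signature; this stand-alone demo uses an
HMAC under a constructed shared key purely as a stand-in for that signature."""
import hashlib
import hmac

SENDER_KEY = b"constructed-demo-key-do-not-use"   # stand-in for the sender's signing key


def digest(message: bytes) -> str:
    """Bare SHA-256 digest: anyone who can rewrite the message can rewrite this too."""
    return hashlib.sha256(message).hexdigest()


def sign(message: bytes, key: bytes = SENDER_KEY) -> str:
    """Key-bound digest (HMAC-SHA256) standing in for a PGP/S-MIME signature."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, claimed: str) -> bool:
    return hmac.compare_digest(digest(message), claimed)


def verify_signature(message: bytes, claimed: str, key: bytes = SENDER_KEY) -> bool:
    return hmac.compare_digest(sign(message, key), claimed)


def relay_tamper_scenario(original: bytes, tampered: bytes) -> dict:
    """Sender transmits (message, digest, signature). A compromised relay swaps
    the message for `tampered`; it can recompute the bare digest but has no
    key for the signature. Returns what each check says at the recipient."""
    sent_signature = sign(original)
    # The relay rewrites the message and the unkeyed digest but must leave the
    # signature as it was, since it cannot produce a new one.
    received_message = tampered
    received_digest = digest(tampered)
    received_signature = sent_signature
    return {
        "digest_check_passes": verify_digest(received_message, received_digest),
        "signature_check_passes": verify_signature(received_message, received_signature),
        "signature_passes_when_untouched": verify_signature(original, sent_signature),
    }


if __name__ == "__main__":
    print(relay_tamper_scenario(b"Wire the deposit to account A.",
                                b"Wire the deposit to account B."))
```

The recipient's digest check passes on the tampered message while the signature check fails, which is why the integrity guarantee comes from the key binding rather than from the digest itself.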


Availability

Availability involves the ability of information users (e.g., humans, software agents, mail servers) to actually access that information. Achieving high availability in the email realm has a long history that typically centered around server clusters providing multiple routes of access to the information. These clusters were generally engineered to provide for redundancy of services. However, since the advent of Denial of Service (DoS) and Distributed DoS (DDoS) attacks, the concept of availability must include an organization's ability to handle such an attack while preserving access to core mail services.

Attacks Against End Users

Referring back to Figure 1, note that intruders can attack any layer. That is, an attack can target an end user, a mail system, or an email message. In this section, I discuss some possible attacks against end users. Later, I examine potential attacks against mail systems and against email messages.

Spam Attack!

The most obvious and best known type of email attack is a spam attack. Spam attacks are generated when a spammer sends spam to one or more users on a mail server. In some instances, a spammer might try to flood a mail server intentionally so that filtering is disabled or bypassed after mail delays have become unacceptable.

Figure 4 provides an example of an email spam message sent to a user's mailbox. Notice the wording, which attempts to defeat keyword-based antispam filtering, as well as the nonsense phrases meant to defeat modern Bayesian engines. (Most Bayesian engines will simply learn from this style and adjust accordingly.)

Figure 4 Example spam email message

Return-Path:
X-Original-To: [email protected]
Delivered-To: [email protected]
Envelope-to: [email protected]
Delivery-date: Fri, 14 Oct 2005 10:18:24 -0600
Received: from example.com [1.2.3.4]
    by localhost with POP3 (fetchmail-6.2.5)
    for [email protected] (single-drop); Fri, 14 Oct 2005 10:20:04 -0600 (CST)
Received: from [58.33.162.16] (helo=matrixfanatic.com)
    by nitrogen.server.com with smtp (Exim 4.52)
    id 1Ebh2F-0007Vt-Eq
    for joeuser@example.com; Fri, 14 Oct 2005 10:18:24 -0600
Message-ID:
Date: Fri, 14 Oct 2005 06:53:15 -0200
Reply-To: donnell streeter
From: donnell streeter
User-Agent: AspMail 4.0 4.03 (SMT470603F)
X-Accept-Language: en-us
MIME-Version: 1.0
To: Noe Streb <joeuser@example.com>
Subject: Stay healthy with great new performance enhancers at 2/5 of retail price.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

No embarrassing doctor visits. Reliable and peaceful buying environment.
You'll sleep without interruption knowing you bequeathed the best prices
for your options.
Your trust is the whole lot to us. Encounter any difficulties? Get hold of
us 24 hours a day.
Express delivery service makes certain that you get your supplements
delivered to you in the least amount of time as it takes.
For countless number of people across the globe, our establishment is the
topmost choice for their medicines.
Our web page provides a bountiful inventory of meritable products,
including generics.
http://uk.geocities.com/johnathon_olivares/?wln=jmkpky
that because egg of it we would be safer in the head future at leap year
go shopping lay the table For
incredible embodied for her all that was accommodation finest and brake
strongest and best in her savage world. She gloried
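A rule-based scoring of the Figure 4 message, as an added example that is not the eBook's code: the sample is rebuilt from the figure's headers and body, with the addresses the figure elides (Return-Path, From) filled by constructed placeholders, and a constructed legitimate message for comparison. The rules, weights and threshold are the editor's illustration of the header and keyword checks the text alludes to; the Bayesian learning the text mentions is not implemented here.

```python
"""Rule-based scoring of the Figure 4 spam message. Added example, not the
eBook's code. The spam sample is rebuilt from the figure; addresses the figure
elides are constructed placeholders, and HAM_SAMPLE is entirely constructed."""
import email
import email.utils
import re

SPAM_SAMPLE = """\
Return-Path: <donnell.streeter@sender.invalid>
X-Original-To: joeuser@example.com
Delivered-To: joeuser@example.com
Received: from example.com [1.2.3.4]
\tby localhost with POP3 (fetchmail-6.2.5)
\tfor joeuser@example.com (single-drop); Fri, 14 Oct 2005 10:20:04 -0600 (CST)
Received: from [58.33.162.16] (helo=matrixfanatic.com)
\tby nitrogen.server.com with smtp (Exim 4.52)
\tid 1Ebh2F-0007Vt-Eq
\tfor joeuser@example.com; Fri, 14 Oct 2005 10:18:24 -0600
Date: Fri, 14 Oct 2005 06:53:15 -0200
From: donnell streeter <donnell.streeter@sender.invalid>
To: Noe Streb <joeuser@example.com>
Subject: Stay healthy with great new performance enhancers at 2/5 of retail price.
Content-Type: text/plain; charset=us-ascii

No embarrassing doctor visits. Reliable and peaceful buying environment.
Express delivery service makes certain that you get your supplements
delivered to you in the least amount of time as it takes.
Our web page provides a bountiful inventory of meritable products,
including generics.
http://uk.geocities.com/johnathon_olivares/?wln=jmkpky
that because egg of it we would be safer in the head future at leap year
"""

HAM_SAMPLE = """\
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
\tby mx.example.com with esmtp id 4F2C1
\tfor <joeuser@example.com>; Fri, 14 Oct 2005 10:18:24 -0600
Date: Fri, 14 Oct 2005 10:15:00 -0600
From: Pat Example <pat@partner.example>
To: Joe User <joeuser@example.com>
Subject: Meeting notes

Attached are the notes from today.
"""

KEYWORDS = ("performance enhancers", "retail price", "doctor visits",
            "supplements", "generics", "medicines")
FREE_HOSTS = ("geocities.com",)        # free Web hosts common in 2005-era spam links
SPAM_THRESHOLD = 5.0


def received_hops(msg):
    """Connecting host, claimed HELO name and timestamp from each Received header."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)(?:\s+\(helo=([^)]+)\))?", hdr)
        when = None
        if ";" in hdr:
            try:
                when = email.utils.parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append({"host": m.group(1) if m else "", "helo": m.group(2) if m else "", "time": when})
    return hops


def score_message(raw):
    """Return (score, [(rule, weight), ...]) for one RFC 822 message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hops = received_hops(msg)
    hits = []
    # 1. A delivering host with no reverse DNS (the MTA logged only a bare IP).
    if any(h["host"].startswith("[") for h in hops):
        hits.append(("no_reverse_dns", 1.5))
    # 2. Date header far older than the first Received stamp (backdated bulk mail).
    try:
        sent = email.utils.parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
        stamps = [h["time"] for h in hops if h["time"]]
        if sent and stamps and (min(stamps) - sent).total_seconds() > 6 * 3600:
            hits.append(("date_in_past", 2.0))
    except (TypeError, ValueError):
        pass
    # 3. Keyword filter, capped so one topic cannot dominate the score.
    kw = [k for k in KEYWORDS if k in text]
    if kw:
        hits.append(("keywords:" + ",".join(kw[:3]), 1.0 * min(len(kw), 3)))
    # 4. Link to a free Web host.
    if any(h.lower().endswith(FREE_HOSTS) for h in re.findall(r"https?://([^/\s]+)", body)):
        hits.append(("free_host_url", 1.5))
    # 5. Recipient display name unrelated to the mailbox (harvested-list artifact).
    name, addr = email.utils.parseaddr(msg.get("To", ""))
    local = addr.partition("@")[0].lower()
    if name and not any(tok in local for tok in re.findall(r"[a-z]+", name.lower())):
        hits.append(("to_name_mismatch", 0.5))
    return sum(w for _, w in hits), hits


def is_spam(raw):
    return score_message(raw)[0] >= SPAM_THRESHOLD


if __name__ == "__main__":
    print(score_message(SPAM_SAMPLE))
    print(score_message(HAM_SAMPLE))
```

The message in the figure trips every rule: the sending host has no reverse name (Exim logged only the IP), the Date header is more than seven hours older than the first Received stamp, the subject and body carry the keywords the wording tries to obscure, the link points at a free hosting site, and the recipient's display name has nothing to do with the mailbox it was sent to. The constructed legitimate message scores zero, which is the check that matters for a rule set: low false positives on ordinary mail.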


Figure 4 shows just one of many types of spam. Antispam filtering must constantly struggle with the different patterns of spam entering mail systems. Table 1 shows some common spam content areas.

Table 1 Common spam content areas

Type              Description
Adult             Usually offers products related to sex or provides links to pornographic Web sites.
Education         Typically offers cheap education and inexpensive degrees over the Internet.
Health            Offers a wide range of advertisements, including skin care and prescription drugs.
Personal finance  Focuses heavily on debt reduction and mortgages.

Recent studies suggest that more than two-thirds of all email messages are spam, which means that about 70 percent of your mail server resources might be absorbed by spam. In effect, you could be spending well more than half of the budget for your mail servers on handling spam.

Spam email messages can arrive several ways. Spam can reach end users outside of just their mailboxes, for example, through Instant Messaging (IM). IM is extremely popular, but it doesn't have the maturity of most email-related software. This immaturity means that IM is ripe for a new wave of spam attacks in the coming years as spam attacks continue to increase in all realms of electronic mail. Table 2 shows spam attack vectors, IM among them.

Table 2 Spam attack vectors

Avenue             Description
Email message      Spam is part of an email message sent to a user.
Instant message    Spam is sent to a user of an IM system.
Phone message      Spam is sent to a user as a cell text message.
Windows Messenger  Spam is sent to an unfirewalled computer as a Windows Messenger message.

In addition to its effect on how an organization's IT budget is spent (e.g., additional mail servers, spam-filtering solutions), spam also has an impact on end-user productivity. Users must make conscious decisions about whether and how to read their email messages so that they don't waste time reading spam. Additionally, spammers often use spoofed email addresses. If the spoofed addresses are in fact legitimate, bounced email messages can flood email address owners' mailboxes. Spamming affects both the recipients of spam and the victims of spoofed addresses.

How Spammers Obtain Addresses

Spammers obtain addresses in several ways. One method is to purchase a list from a list merchant. List merchants might obtain their lists by direct purchase from a Web site (e.g., many online retail stores sell client email addresses to increase profits); by harvesting email addresses from Web sites with programs that search Web site pages, mailing lists, and newsgroups; by using WHOIS (see Note below); and by launching directory harvest attacks (DHAs). Of these methods, DHAs can pose the most danger to the victim system because they're resource-intensive. Essentially, during a DHA, spammers use software that runs through most of the possible email addresses for a given system. This approach means that victim mail systems will experience a high level of incoming mail, much higher than if spammers use a validated address list.
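Detecting a DHA from the mail server's own logs, as an added example that is not the eBook's code: the signature of a harvest is many rejections for different unknown recipients from one client in a short window, whereas an ordinary sender produces a few typo bounces spread over time. The log lines are constructed in a Postfix-like format, the year is an assumption (syslog timestamps carry none), and the window and threshold are illustrative.

```python
"""Directory harvest attack (DHA) detection over MTA logs. Added example, not
the eBook's code; log lines are constructed in a Postfix-like format and the
year is assumed, since syslog timestamps do not include one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2005   # assumption: syslog lines carry no year

# Constructed sample: 203.0.113.9 is an ordinary partner MTA with two mistyped
# recipients minutes apart; 198.51.100.7 sweeps local parts alphabetically
# every four seconds, which is what a harvest looks like from the victim side.
_PARTNER = ("Oct 14 {t} mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from "
            "mail.partner.example[203.0.113.9]: 550 5.1.1 <{r}@example.com>: Recipient "
            "address rejected: User unknown in local recipient table; "
            "from=<pat@partner.example> to=<{r}@example.com> proto=ESMTP helo=<mail.partner.example>")
_HARVEST = ("Oct 14 10:18:{s:02d} mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from "
            "unknown[198.51.100.7]: 550 5.1.1 <{r}@example.com>: Recipient address "
            "rejected: User unknown in local recipient table; "
            "from=<news@bulk.invalid> to=<{r}@example.com> proto=SMTP helo=<bulk.invalid>")
SAMPLE_LOG = [
    _PARTNER.format(t="10:05:10", r="jon.smith"),
    "Oct 14 10:07:00 mx postfix/smtpd[2199]: 4F2C1A3: client=mail.partner.example[203.0.113.9]",
    _PARTNER.format(t="10:11:40", r="jon.smyth"),
] + [_HARVEST.format(s=1 + 4 * i, r=r) for i, r in enumerate(
    ["aaron", "abby", "adam", "admin", "alan", "albert", "alex", "alice"])]

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*?\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown")


def parse_ts(ts):
    return datetime.strptime("%d %s" % (LOG_YEAR, ts), "%Y %b %d %H:%M:%S")


def unknown_recipient_rejects(lines):
    """Group (time, recipient) of every 'User unknown' reject by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            by_ip[m.group("ip")].append((parse_ts(m.group("ts")), m.group("rcpt").lower()))
    return by_ip


def detect_dha(lines, window_seconds=60, threshold=5):
    """Flag client IPs that probe >= threshold distinct unknown recipients inside
    one sliding window of window_seconds. Returns {ip: peak distinct count}."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in unknown_recipient_rejects(lines).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(detect_dha(SAMPLE_LOG))        # only the harvesting client is flagged
```

Counting distinct recipients rather than raw rejects keeps a sender that retries one bad address from being flagged. Once a client is flagged, the usual response is to throttle it at the MTA (Postfix, for example, has smtpd_client_recipient_rate_limit) or to tarpit its connections, which removes the resource drain the text describes without affecting legitimate senders.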


Note

Not everyone is familiar with WHOIS, although it's an important tool for systems administrators who run Internet-based systems. WHOIS is a protocol that administrators can use to determine who owns a domain name or IP address on the Internet. Generally, administrators use WHOIS to determine an administrative contact for a domain name or to determine which DNS servers are authoritative for a given domain. The whois command is available on most UNIX and Linux systems; Windows administrators can use the Web-based version available from sites such as http://www.internic.com.

A recent trend in spamming is targeted spam. With targeted spam, spammers not only have valid email addresses, but also have more detailed personal information about victims. For example, spammers might know that a victim uses a specific Web site. Spammers can gather this information with surprising ease. To generate a list of valid email addresses registered with a Web site, spammers can perform a registration attack. In a registration attack, spammers attempt to register a set of email addresses with a Web site; if the email addresses are already registered, the Web site returns a failure notice. The spammers then know that the email address is both valid and registered with the site. At that point, spammers can send a spam email message customized for users of the Web site to the validated list in hopes of having a higher rate of response.

Among current routes that spammers use to deliver their spam, two popular methods are open relays and botnets. Open relays are mail servers typically set up for legitimate use but misconfigured so that any Internet-based email client can relay mail through them. This configuration problem is usually not discovered until either a systems administrator notices abnormally high bandwidth or system use or the victim's ISP disables service because of complaints.

Spammers also deliver spam through botnets (aka zombie networks). A botnet is a set of compromised computers (or bots) networked across the Internet. The compromised computers run software that lets spammers send spam through each victim machine. Although each compromised machine might be able to send only a small number of spam email messages, the botnet often contains thousands of machines, so the spammer can deliver large amounts of spam easily.

Phishing

Phishing (derived from fishing for information) refers to a social engineering attack in which attackers send a specially crafted email message that appears to be from a legitimate organization, such as a bank or online retail store. Unsuspecting users then follow the instructions in the email message and inadvertently divulge sensitive information to the attacker. This type of attack is a violation of confidentiality (both in terms of an individual's general confidentiality and as the term is applied in CIA). Figure 5 shows an example of a phishing attack.

Figure 5 An example of a phishing attempt

Note

Phishing originated on AOL in the 1990s when attackers crafted special instant messages to other users to gather account information. Phishing spread to the wider Internet and has since established itself as a major threat. To learn more about the history of phishing, visit http://en.wikipedia.org/wiki/phishing.

Unfortunately, phishing is increasing in popularity as an attack vector to gather confidential information. Table 3 shows two phishing attack vectors.


Table 3 Phishing attack vectors

Avenue           Description
Email message    A phish is part of an email message sent to a user. The email message appears to contain valid instructions for the user to follow.
Instant message  A phish can also be part of an instant message sent to a user. This tactic began with AOL IM and spread to other Internet-based IM and email systems.

Phishing attacks are a danger to consumers, businesses, and government agencies. Consumers often divulge account information (e.g., bank accounts, PayPal logins) during a phishing attack. Victims of phishing attacks in businesses and government agencies risk exposure of even more crucial information, such as highly privileged accounts in key organization software (e.g., ERP systems, mission-critical databases). Phishers can increase the accuracy of their attacks by using a targeting technique known as spear phishing. Spear phishing relies on information-gathering techniques similar to those for targeted spam (e.g., using a registration attack to determine which email addresses a given Web site has registered, then attacking those email addresses).

Note

As you can see with phishing and will see with other types of attacks I discuss later, many of the techniques spammers develop are then used elsewhere. Because spam tends to be a proving ground for new techniques, it has become an arena in which spammers, antispam vendors, and systems administrators develop both new attacks and new defenses.

Viruses

Viruses, which are self-replicating computer programs intended to spread to other computers, have a long and interesting history. First documented in the early 1980s, computer viruses began spreading by floppy disk from computer to computer. Since then, viruses have matured into network-aware entities that can attack other hosts by a variety of means, including email and network scanning. Table 4 shows methods by which viruses spread.

Table 4 Example virus attack vectors

Avenue            Description
Floppy drive      A virus monitors the use of a floppy disk and copies itself to any executable found there. It then runs when the floppy disk is used on another computer.
Email message     A virus is attached to an email message. When the recipient reads the email message, the virus scans the recipient's address book and forwards itself to other victims.
Windows networks  A virus scans the local Windows network for disk shares and infects other executable files.

When viruses were initially confined to spreading through removable media (e.g., floppy disks), the speed with which they could spread was limited. But because recent strains have so many available avenues, a virus can infect millions of computers in a matter of hours, making viruses one of the most expensive and dangerous problems that IT currently faces.


Antivirus vendors are in a constant struggle with virus writers. New and innovative viruses are constantly being released, although the number of virus writers capable of real innovation is limited. Most virus writers use virus kits, which are essentially programming packages other virus writers have released to help less-sophisticated programmers write new strains of viruses. Unfortunately, virus kits make it all too easy to create new strains, so the number of viruses has increased dramatically in recent years.

Protection from viruses begins with a secure OS. Unfortunately, the most popular desktop OS, Microsoft Windows, has a long history of vulnerabilities that have made it susceptible to virus attacks. (Recently, Microsoft has embarked on a program to reduce both realized and potential vulnerabilities in its OS and products.) Because of this security emphasis, the industry surrounding the protection of Windows systems has grown exponentially. Most other popular OSs are also susceptible to viruses.

    Trojan Horses

A Trojan horse is a computer program that disguises itself as a legitimate program but performs some malevolent operation. Unlike a virus, a Trojan horse doesn't self-replicate. Instead, Trojan horses typically spread to other systems indirectly because they require users to distribute them. Table 5 shows Trojan horse attack vectors.

Table 5 Trojan horse attack vectors

Avenue            Description
Computer program  A Trojan horse is built inside a legitimate program and activated whenever the program is run.
Web site          A Trojan horse is loaded whenever a user visits a rogue Web site. In this case, the Trojan horse typically installs itself and then displays pop-ups on user desktops.
Email message     A Trojan horse is part of an email message sent to a user.

Because Trojan horses appear to be programs that perform useful operations (e.g., system utilities), users make them available to other users. In the past, Trojan horses often performed a harmful operation against the host computer after a set amount of time. For example, after several weeks of use, the Trojan horse might have begun deleting key system files. However, recent Trojan horses tend to perform long-term surveillance of the host system as spyware (e.g., key logging, monitoring Web site usage). Alternatively, a Trojan horse might turn the host system into part of a botnet.

Spyware

A relatively recent type of malicious software (malware), spyware monitors the use of the host computer and reports the information back to a central reporting server. The key concern with spyware is that the host computer's owner usually doesn't know spyware is present. Unfortunately, spyware is distributed by more than criminals; it's also distributed by well-known software vendors in an effort to determine how users are using their computers and software. Users often implicitly give consent to the use of spyware by accepting the license of software they install. Many freeware applications (not to be confused with open-source software) contain some form of spyware.

Spyware has a large impact on network security because of its ability to steal passwords and other information through screen captures and keystroke logging. Additionally, if spyware monitors Web site usage, it might log URLs that contain sensitive information (e.g., a URL that contains a username such as http://www.example.com/?userid=dustin).


One of the most dangerous attacks against end users is an attack against mobile users. For more information about such attacks and about the particular vulnerabilities that mobile users present, see the sidebar "Attacks Against Mobile Users."

Attacks Against Mobile Users

Organizations have come to realize that mobile users present an enormous opportunity to increase productivity because mobile users can have one-on-one contact with vendors and clients alike. Mobile users are the field army of today's corporations. To support those users, organizations offer their users a wide range of mobile devices, ranging from sophisticated cell phones to PDAs, which support a large number of applications. And of all the mission-critical applications that mobile devices support, email is the most powerful.

However, mobile users present a specialized problem when you're securing email networks. Specifically, most organizations let mobile users bypass perimeter email firewalls (especially if the email firewall is a managed service) and send and receive mail directly from internal mail servers. Given this practice, mobile users can have a large security impact on internal systems because their mail often comes in with a higher level of assumed safety than mail sent to the organization from external parties. Figure A shows a typical connection between a mobile user and the internal email server.

Figure A: Mobile user using internal email

[Figure A (diagram): a mobile user on the Internet connects through a VPN and a packet-filtering firewall. Avenue 1: many VPNs are configured for direct access to internal resources, so the user reaches the internal mail server directly. Avenue 2: mobile users might bypass email firewalls, reaching the DMZ mail server behind the DMZ firewall without passing through the email firewall.]

With Avenue 1, the user bypasses the perimeter defense entirely and is connected to the internal network and mail server. Any email messages the user sends aren't properly scanned, thus endangering other users. With Avenue 2, the user is properly contained in the DMZ, but still bypasses the email firewall. These two avenues are by far the most common and dangerous approaches used.

Security is also crucial for email messages going to mobile users. Because they often have more relaxed security controls on their devices, mobile users can be susceptible to attacks that an organization's email security firewall would usually stop.

Another concern organizations face is the elevated risk to data confidentiality that mobile users present. Many mobile devices (e.g., PDAs) that download email messages will keep them on the device, and, unfortunately, a large number of mobile devices are lost or stolen every year. This pattern points to the risk of outsiders gaining access to privileged information from these devices. You can minimize much of this risk by avoiding the use of protocols that download and store email (e.g., POP3) and instead relying on systems that offer only a view of mailboxes stored on a central, protected server (e.g., IMAP server, Exchange server).

Note

Your information security policy should include details about how you'll support and manage your mobile users and their corporate access. What information will they be able to access? How will their mail be routed? How will you ensure that their antivirus software is updated? Without strong security policies and procedures, mobile users offer intruders a simple avenue for attacking your internal network.

Regrettably, organizations rarely evaluate the risk that can come from their mobile users. Access to intra-organizational email can reveal a huge amount of information about an organization. Indeed, because email is so pivotal a communication tool and because it provides a running history of organizational decisions, it is often a blueprint of internal structures, products and services, and future plans.

Ultimately, supporting mobile users offers both a potential boon and a risk to organizations. Mobile users give organizations more flexibility, but the organizations must be dedicated to protecting themselves from the added risk.

Note

One of the first recorded mobile phone viruses was Timofonica (circa 2000), a worm that spread to phones by using the Global System for Mobile Communication (GSM) standard. The worm didn't perform any harmful actions (e.g., deleting contents from an address book), but it introduced a new generation of viruses and worms.

Attacks Against Mail Systems and Servers

Attacks against end users are the best known form of attack, but attacks against mail systems have a much longer history. The first documented attack was the Morris worm, a computer worm that attacked the Sendmail MTA that runs on UNIX and Linux systems. The Morris worm, which essentially took down a significant portion of the Internet infrastructure, signaled the end of the original free-for-all culture of the Internet. At that point, organizations really began to take note of the security of their own email infrastructure and that of their partners.


Note

The Morris worm was the original Internet worm. Its creator didn't design it to damage computer systems, but a programming bug caused it to infect computers multiple times. Because of the multiple infections, servers would eventually crash, causing a DoS. You can find more information about the Morris worm at http://en.wikipedia.org/wiki/morris_worm.

Buffer-Overflow Exploits

One of the oldest and still one of the most effective means of attack against a mail server is a buffer-overflow exploit. A buffer overflow occurs when a program is written to accept input of a given size but doesn't protect itself if the size of the input is greater than expected. In the case of email software, buffer overflows can result when some portion of an SMTP, POP3, or IMAP session causes the server software to request input from the client software, and the client transmits an overly long response. The response can include machine code instructions that cause the server software to perform an unexpected operation that in turn lets an attacker perform an unauthorized operation or even completely take over the server machine.

Although buffer-overflow exploits have a long history, they still occur. Therefore, you should take steps to mitigate the risk they pose. Some mail server software attempts to minimize this risk by compartmentalizing each function of the server software into a separate program that can't interfere with other components of the server. This approach reduces the effects of a successful attack.

DHAs

Spammers often acquire a list of valid email addresses through DHAs (directory harvest attacks), which can take two forms. With a brute-force DHA, spammers use software that runs through a directory of potential email address names for a given domain against a mail server. For example, the software might try to send email messages to recipients such as [email protected], [email protected], [email protected], and so forth. The second method sends email messages only to addresses that are reasonable to the software, such as a list of common names (e.g., [email protected], [email protected], [email protected]) and combinations of names (e.g., [email protected]).
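A DHA leaves a distinctive trace in the receiving MTA's log: one client address hitting many different non-existent recipients in a short time. The following detector, added here as an example and not taken from the eBook, reads rejection log lines and flags client IPs that try more than a threshold of distinct unknown recipients inside a sliding window. The log lines are constructed for the example and loosely follow the Postfix "User unknown" rejection format (an assumption; adjust LOG_RE for your MTA).

```python
"""Spot a brute-force directory harvest attack (DHA) in MTA rejection logs.

Added example, not from the eBook. It counts, per client IP, how many
distinct non-existent recipients were tried inside a sliding time window:
a legitimate sender mistypes one or two addresses, a harvester walks
through hundreds. The log lines below are constructed and loosely follow
the Postfix "Recipient address rejected: User unknown" format (an
assumption; adjust LOG_RE for your MTA).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): 198.51.100.7 walks an address
# list; 203.0.113.5 is an ordinary sender who mistyped one address twice.
SAMPLE_LOG = """\
Mar 10 10:00:01 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <aaron@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <abe@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <abel@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:03 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 <bobb@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:03 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <abigail@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:04 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <abraham@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:05 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.5]: 550 <bobb@example.com>: Recipient address rejected: User unknown
Mar 10 10:00:05 mx postfix/smtpd[4712]: 3F2A1C0B1: from=<alice@partner.example>, size=2048, nrcpt=1 (queue active)
Mar 10 10:00:06 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <ada@example.com>: Recipient address rejected: User unknown
Mar 10 10:06:00 mx postfix/smtpd[4713]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <zed@example.com>: Recipient address rejected: User unknown
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) .*?RCPT from \S+\[(?P<ip>[\d.]+)\]: "
    r"550 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_line(line):
    """Return (timestamp, client_ip, recipient) for an unknown-user rejection, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("rcpt").lower()


def detect_dha(lines, window_seconds=60, threshold=5):
    """Return {client_ip: peak distinct unknown recipients} for every IP that
    reaches `threshold` distinct unknown recipients within `window_seconds`."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, recipient), oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # accepted mail, other rejections, unrelated lines
        ts, ip, rcpt = parsed
        window = recent[ip]
        window.append((ts, rcpt))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # drop entries that fell out of the window
        distinct = len({r for _, r in window})
        if distinct >= threshold:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_dha(SAMPLE_LOG.splitlines()).items():
        print(f"possible DHA from {ip}: {count} distinct unknown recipients in one window")
```

Counting distinct recipients rather than raw rejections is what separates a harvester from a partner who retries one mistyped address; the 10:06 entry shows the window sliding, so an old burst does not keep an address flagged forever. A flagged IP is a candidate for rate limiting or a temporary block at the MTA, and the same count is a cheap early warning of the DHA-induced DoS the text describes.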

DoS Attacks

DoS attacks are common throughout the Internet. Attacks against Web sites have the highest profiles, but DoS attacks also occur routinely against mail servers. A DoS attack often involves zombie machines sending email messages as fast as possible to a single mail server. The mail server usually becomes overwhelmed and eventually shuts down; at a minimum, delivery of legitimate mail is delayed. Other forms of attacks are executed against mail servers, including the tried-and-true method of tying up all available TCP connections on a server. Some DoS attacks are consequences of other intrusion attempts. For example, if spammers attempt a DHA, a mail server can become so overloaded that a DoS occurs.


Attacks Against Email

Typically, attacks against email messages involve a message being altered (a compromise in integrity). The email message might be altered to reflect a change in an order (e.g., to place an order for 10 units instead of 3 units, or vice versa), to begin a given procedure, or even to start a rumor. In many situations, such an attack is surprisingly easy to mount. For example, once attackers compromise a mail server, it's usually trivial to replace the message contents of any email message in a temporary store awaiting final delivery or even in a permanent store that's part of a local mail archive (e.g., in an IMAP folder).

Once they're compromised, most mail systems provide little resistance to such an attack. Therefore, external solutions are usually required to provide a safeguard. For example, if all email uses PGP, the recipients can detect any compromised email messages. PGP is only now coming into widespread use.

Finding and Deploying Solutions and Countermeasures

I've discussed many of the threats that face both your users and the email infrastructure that supports your organizations. In the following sections, I shift the focus to the solutions you can use to mitigate the risk that those threats pose. As I discuss attacks against end users, I'll separate defending against spam and phishing from defending against viruses, Trojan horses, and spyware because the defenses can involve different considerations and require different approaches. I'll then look at defending against mail system and server attacks. I'll conclude this section with some strategies for your best overall defense against attacks.

Stopping Spam and Phishing Attacks

The raw volume of spam entering Inboxes affects end-user productivity if only because of the time it takes users to sort through email to find legitimate messages. To worsen matters, phishing attacks are on the rise. Phishers also use plain email messages with wording that appears legitimate to the end user.

Currently, several commercial and open-source products attempt to address spam and, either directly or indirectly, phishing. Generally, these systems rely on one of several methods for detecting spam, including signature-based filters, rule-based filters, and learning systems.

Note

Although the term spam is familiar, one term for email messages that aren't spam isn't as well known. Nonspam email messages are often referred to as ham. Regarding filtering, two definitions that involve ham and spam are important: false negative and false positive. A false negative is an email message that's spam but isn't labeled as spam by the filter. A false positive is an email message that's ham but is improperly labeled as spam by the filter.


Signature-based Filters

Signature-based filters were one of the earliest methods used to prevent or at least reduce spam. A signature-based filter has a database of signatures for known spam email messages. As Figure 6 shows, if an incoming email message has a signature in the database, the signature-based filter flags the email message as spam.

Figure 6: Signature-based filtering

The real benefit of signature-based filters is their extremely high accuracy. An email message is flagged only if another email message with the exact same content has previously been flagged as spam. Signature-based filters also tend to be fast. Signatures are generally computed by creating a hash of the original spam. Although creating hashes of large emails isn't necessarily a fast process, it's typically much faster than the processes other types of filters use (e.g., the statistical analysis that a learning engine uses).

Signatures for signature-based filters can be produced either by end users or systems administrators (locally) or by antispam and anti-phishing solution vendors. Generally speaking, vendors provide the most signatures and update them more regularly. Vendors usually deploy a large network of honeypots that comprise a honeynet, as Figure 7 shows. The honeynet collects spam for review and signature creation. Because vendors can deploy this type of network so readily, they usually have access to a larger corpus of spam than an individual business or end user.


[Figure 6 (flowchart): New Mail -> Hash Created -> Known signature/hash? (checked against the Signature Database). Yes: Discarded. No: Delivered.]


Figure 7: Honeynets deploy honeypots across the Internet

Unfortunately, signature-based filters have a significant flaw: Spammers can defeat such filters with only slight changes to the content of their email messages. The element that makes signature-based filters so accurate (their reliance on matching signatures) is ultimately their greatest flaw.
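The accuracy and the flaw described above are two sides of the same hash. The following block, added here as an example rather than taken from the eBook, implements a signature filter as a set of SHA-256 hashes of reported spam and then runs two spammer mutations of a constructed message through it: one that only changes case and whitespace, and one that swaps a single word. A second signer that canonicalizes the body before hashing (an assumption about one common hardening step, not a feature the text describes) shows how far normalization gets you, and where it stops.

```python
"""Signature-based spam filtering and why a tiny edit defeats it.

Added example, not from the eBook. A signature is the SHA-256 hash of the
message body; a message is spam only if its hash is already in the database.
The `canonical_signature` variant folds case and whitespace before hashing,
which survives cosmetic mutations but not a changed word. The sample
messages are constructed for the example.
"""
import hashlib
import re


def exact_signature(body: str) -> str:
    """Hash the body byte-for-byte: the classic signature."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def canonical_signature(body: str) -> str:
    """Hash a normalized form: lower-case, whitespace runs collapsed."""
    canon = re.sub(r"\s+", " ", body.lower()).strip()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class SignatureFilter:
    def __init__(self, signer=exact_signature):
        self.signer = signer
        self.database = set()   # signatures of messages reported as spam

    def report_spam(self, body: str) -> str:
        """Record a message as spam (what a honeypot or user report feeds in)."""
        sig = self.signer(body)
        self.database.add(sig)
        return sig

    def is_spam(self, body: str) -> bool:
        return self.signer(body) in self.database


# Constructed sample: one reported spam and two spammer mutations of it.
KNOWN_SPAM = "Congratulations! You have been selected. Click now to claim your prize."
COSMETIC_VARIANT = "congratulations!  You have been  selected.\nClick NOW to claim your prize."
WORD_VARIANT = "Congratulations! You have been selected. Click today to claim your prize."


def demo() -> dict:
    """Return, per signer, which variants are caught after KNOWN_SPAM is reported."""
    results = {}
    for name, signer in (("exact", exact_signature), ("canonical", canonical_signature)):
        f = SignatureFilter(signer)
        f.report_spam(KNOWN_SPAM)
        results[name] = {
            "identical": f.is_spam(KNOWN_SPAM),
            "cosmetic": f.is_spam(COSMETIC_VARIANT),
            "changed_word": f.is_spam(WORD_VARIANT),
        }
    return results


if __name__ == "__main__":
    for signer_name, caught in demo().items():
        print(signer_name, caught)
```

The exact signer never produces a false positive, which is the accuracy the text praises, but one extra space is enough to evade it. Canonicalizing buys robustness against cosmetic changes only; a one-word substitution still yields a fresh hash, which is why the next section's distributed, continuously refreshed databases matter more than any local normalization trick.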

Distributed Signature Databases

Signature-based filters rely on a database of known patterns for matching. However, because spammers constantly change the email messages that they send out, signatures constantly become outdated. Distributed signature databases address this flaw.

A distributed signature database, which might be either commercial (e.g., Vipul's Razor) or open source (e.g., Pyzor), relies on both honeypots and end-user contributions to create the databases. Rather than being stored locally, distributed signature databases are stored on the Internet. They can then be updated as needed and clients can access them easily. Distributed signature databases are proving to be effective because the databases are dynamic enough to remain relatively current. Table 6 lists three distributed signature database services.


[Figure 7 (diagram): a Spammer sends Spam across the Internet to several Honeypots; the honeypots feed the Vendor Spam Database, which in turn supplies signatures to the customer's Email Firewall.]


Table 6 Common distributed signature systems

System  URL
Pyzor   http://pyzor.sourceforge.net/
Razor   http://razor.sourceforge.net/
DCC     http://www.rhyolite.com/anti-spam/dcc/

Rule-based Filters

Rule-based filters rely on specific keywords in email message headers and bodies to determine whether an email message is spam. However, unlike signature-based filters, rule-based filters don't need to match an entire email message against a signature. Instead, only the elements specific to a given rule must match in the message, as Figure 8 shows.

Figure 8: Rule-based filtering

Unlike signatures in signature-based filters, systems administrators and end users often create the rules for rule-based filtering. Unfortunately, these filters tend to have much higher false-negative and false-positive rates than signature-based systems.

The high false-negative rate occurs because rule-based filters match specific keywords. For example, a systems administrator might include words such as Viagra, Rolex, or mortgage in a spam rule. However, spammers often use alternative spellings, by which those words become v1agra, r0lex, and mortg@ge. In this way, the spammer avoids common rules that would otherwise flag the email message as spam.


[Figure 8 (flowchart): New Mail -> Mail Broken into Header Values and Body -> Match rule? (checked against the Rules Database). Yes: Discarded. No: Delivered.]


In the case of false positives, overly general rules can flag email messages that are legitimate but contain keywords often associated with spam. For example, the word pre-approved is used in spam that advertises lending Web sites, but it can appear in legitimate email messages as well.
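Both failure modes just described, the obfuscated spelling that slips past a keyword rule and the legitimate loan letter that trips one, are easy to reproduce. The block below is an added example, not code from the eBook: a handful of keyword rules as regular expressions over the Subject header and body, applied once with a plain lower-casing normalizer and once with a character-folding normalizer (an assumption about one common countermeasure) that maps the text's v1agra, r0lex and mortg@ge back to their dictionary forms. The messages are constructed.

```python
"""Rule-based filtering: keyword rules, obfuscated spellings, and false positives.

Added example, not from the eBook. Rules are regular expressions applied to
the Subject header and body. With the plain normalizer the obfuscated
spellings from the text (v1agra, r0lex, mortg@ge) slip past; with a
character-folding normalizer they match again, at the cost of mangling
legitimate digits. The messages are constructed for the example.
"""
import re

# Character substitutions spammers use to dodge keyword rules, folded back
# (an assumption; extend with the tricks you actually observe).
FOLD = str.maketrans({"1": "i", "0": "o", "@": "a", "3": "e", "$": "s", "5": "s", "|": "l"})

RULES = [
    ("keyword-viagra", re.compile(r"\bviagra\b")),
    ("keyword-rolex", re.compile(r"\brolex\b")),
    ("keyword-mortgage", re.compile(r"\bmortgage\b")),
    ("keyword-pre-approved", re.compile(r"\bpre-?approved\b")),
]


def plain_normalize(text: str) -> str:
    """Case-insensitive matching only."""
    return text.lower()


def folding_normalize(text: str) -> str:
    """Case-insensitive matching after undoing common character substitutions."""
    return text.lower().translate(FOLD)


def matching_rules(headers: dict, body: str, normalize=plain_normalize) -> list:
    """Return the names of every rule that matches the Subject header or the body."""
    text = normalize(headers.get("Subject", "") + "\n" + body)
    return [name for name, pattern in RULES if pattern.search(text)]


def is_spam(headers: dict, body: str, normalize=plain_normalize) -> bool:
    """A message is spam as soon as any rule matches."""
    return bool(matching_rules(headers, body, normalize))


# Constructed messages.
OBFUSCATED_SPAM = ({"Subject": "cheap r0lex"}, "Buy v1agra online, refinance your mortg@ge today")
LEGIT_LOAN_MAIL = ({"Subject": "Your application"}, "Your loan is pre-approved; please call to confirm.")


if __name__ == "__main__":
    print("obfuscated spam, plain  :", matching_rules(*OBFUSCATED_SPAM))
    print("obfuscated spam, folding:", matching_rules(*OBFUSCATED_SPAM, normalize=folding_normalize))
    print("legitimate loan mail    :", matching_rules(*LEGIT_LOAN_MAIL))
```

The folding normalizer closes the false-negative gap for these three spellings, but note its cost: it rewrites every digit in the message, so an innocent "10 units" becomes "io units" and any rule that relies on numbers breaks. The legitimate loan letter still matches the pre-approved rule under both normalizers, which is the false positive the text warns about and the reason rule hits are better used as weighted evidence than as a single verdict.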

Filtering Based on Lists

In addition to signature-based filters and rules, some filtering engines and many Mail User Agents (MUAs) employ a type of filtering specific to the email message sender. Related to rule-based filtering, this type of filtering can be broken down into blacklists, Realtime Blackhole Lists (RBLs), whitelists, and graylists, which I discuss below. Challenge-response systems, which are associated with whitelists, were developed to make whitelist deployment easier. Graylists, which are implemented inside a server (never inside an MUA), provide a powerful way to defeat most spammer software.

Blacklists

A blacklist contains a list of IP addresses, domains, and/or From addresses that have been reported to send spam. Most blacklists contain both individual blacklist entries (e.g., the IP address of a single mail server) and entire IP address ranges (e.g., the IP address ranges that spammer-friendly Web-hosting providers own). The concept behind a blacklist is to avoid IP addresses that spammers have used. After an ISP is added to a blacklist, other users of that ISP soon find that they have problems sending email messages. They then require the ISP to crack down on spammers. Though somewhat effective, this approach generally penalizes ISPs.

Blacklists have several advantages, including their speed and their modest use of local processing resources. However, they have several disadvantages. Most importantly, blacklists often penalize innocent users of an ISP for the abuse of one user (i.e., the spammer). This problem is especially prevalent for those blacklists that don't perform any verification of submitted IP addresses. ISPs can end up being blacklisted even if they don't actually harbor spammers. It also means that blacklisting can become a viable method for creating a DoS attack against an ISP's mail service. In addition, because spammers move often from ISP to ISP, blacklist entries can become quickly outdated.

Note

Many ISPs are moving to better protect themselves and their customers from spammers that use their services. They often do so by monitoring for network traffic that might indicate spamming, and, when found, terminating the accounts of guilty users.

Blacklists that contain From addresses are generally useless. Most spammers use spoofed addresses or generate random From addresses, which effectively defeats any type of blacklisting based on From addresses.


RBLs

RBLs provide a central location for databases of IP addresses that known spammers use. RBLs are powerful and provide an extremely fast way for MTAs to filter mail before having to process actual email message content. However, RBLs have a mixed history because many innocent users can be affected if an ISP hosts a block of IPs that a spammer uses, and the ISP is added to the list.

Most RBL client software uses a DNS look-up to query the RBL. The DNS look-up is a fast query mechanism because it relies on small UDP packets, uses well-proven DNS resolver code on client systems, and effectively uses DNS caching.
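The DNS look-up the text mentions works by encoding the connecting MTA's address into a host name. The block below, an added example that is not part of the eBook, shows how an RBL client builds that name from the reversed IPv4 octets and the list's zone, and how it interprets the answer: an A record inside 127.0.0.0/8 means "listed", NXDOMAIN means "not listed", and anything else is treated as a broken or hijacked zone rather than a block verdict. The zone name `rbl.example` and the answers are constructed so the example runs offline; `resolve` defaults to `socket.gethostbyname` for real use.

```python
"""Querying an RBL over DNS: reversed-octet name and 127.0.0.x answer codes.

Added example, not from the eBook. RBL clients reverse the IPv4 octets of
the connecting MTA, append the list's zone, and resolve an A record. An
answer in 127.0.0.0/8 means "listed"; NXDOMAIN means "not listed". The zone
`rbl.example` and the answers in FAKE_ZONE are constructed (no real list is
queried); pass socket.gethostbyname as `resolve` against a real zone.
"""
import ipaddress
import socket


def rbl_query_name(ip: str, zone: str) -> str:
    """'198.51.100.7' + 'rbl.example' -> '7.100.51.198.rbl.example'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def rbl_lookup(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if `ip` is listed in `zone`, else None."""
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # Only loopback answers are valid list codes. A wildcard, expired or
    # hijacked zone returns something else; never block on that.
    try:
        if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
            return None
    except ValueError:
        return None
    return answer


# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {
    "7.100.51.198.rbl.example": "127.0.0.2",  # listed: reported spam source
    "9.113.0.203.rbl.example": "10.0.0.1",    # bogus answer; must not count as listed
}


def fake_resolve(name: str) -> str:
    """Behaves like socket.gethostbyname against FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror("Name or service not known")


def should_reject(ip: str, zone: str = "rbl.example", resolve=fake_resolve) -> bool:
    """Connection-time decision an MTA would make before reading any message data."""
    return rbl_lookup(ip, zone, resolve) is not None


if __name__ == "__main__":
    for client in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(client, "->", "reject" if should_reject(client) else "accept")
```

Because the whole decision is one small UDP query that the local resolver caches, the check runs before the MTA reads a single byte of message content, which is the speed advantage the text describes. Sanity-checking the answer range is the defensive detail worth keeping: some retired lists have answered every query positively, which would turn the RBL into a self-inflicted DoS on inbound mail.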

Whitelists

Unsurprisingly, whitelists are the opposite of blacklists. Instead of listing IP addresses, domains, or From addresses that should be flagged as spam, a whitelist lists those whose email messages should never be flagged.

Whitelisting can be implemented two ways. In the first method, any email message that doesn't match a whitelist rule is automatically flagged as spam. Whitelists ensure a low false-negative rate (i.e., most spam is caught), but they also can lead to a high false-positive rate. Users will have little spam in their Inboxes, but legitimate email messages will more often be flagged as spam. This type of solution should be deployed when users basically receive email messages only from a well-known list of senders.

Alternatively, whitelisting can serve as a complement to standard spam filters (e.g., signature- or rule-based filters). With this approach, a whitelist determines only whether an email message can bypass the actual spam filter. If the email message doesn't match any whitelist entries, the email message will then be scanned by the standard filters. When you combine these approaches, the false-negative rate isn't improved, but the false-positive rate is decreased, often substantially.
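The two whitelist deployments above, together with the IP-range blacklist from the preceding section, fit in one small classifier. The block below is an added example and not code from the eBook: `exclusive` mode treats every non-whitelisted message as spam, `complement` mode only lets whitelisted senders skip the content filter. The list entries and addresses are constructed, and `content_filter` is a one-phrase stand-in for a real signature or rule filter.

```python
"""Blacklist plus whitelist in the two deployment modes the text describes.

Added example, not from the eBook. `exclusive` mode treats every message
not on the whitelist as spam (low false negatives, high false positives);
`complement` mode lets whitelisted senders skip the content filter and
sends everything else through it. IP ranges and addresses below are
constructed; `content_filter` stands in for a real signature or rule filter.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Message:
    client_ip: str   # address of the connecting MTA
    mail_from: str   # envelope sender
    body: str


# Constructed list entries.
BLACKLIST_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # a spammer-friendly hoster's whole range
    ipaddress.ip_network("198.51.100.7/32"),  # a single reported mail server
]
BLACKLIST_DOMAINS = {"bulk-offers.example"}
WHITELIST_SENDERS = {"alice@partner.example"}
WHITELIST_DOMAINS = {"corp.example"}


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_blacklisted(msg: Message) -> bool:
    ip = ipaddress.ip_address(msg.client_ip)
    return any(ip in net for net in BLACKLIST_NETWORKS) or sender_domain(msg.mail_from) in BLACKLIST_DOMAINS


def is_whitelisted(msg: Message) -> bool:
    return msg.mail_from.lower() in WHITELIST_SENDERS or sender_domain(msg.mail_from) in WHITELIST_DOMAINS


def content_filter(body: str) -> bool:
    """Stand-in for the signature/rule filter: flags one constructed phrase."""
    return "free money" in body.lower()


def classify(msg: Message, mode: str = "complement") -> str:
    """Return 'spam' or 'ham' for the message under the given whitelist mode."""
    # The IP blacklist is consulted first: From-based whitelist entries are
    # trivially spoofable, so they must not override a listed source address.
    if is_blacklisted(msg):
        return "spam"
    if is_whitelisted(msg):
        return "ham"
    if mode == "exclusive":
        return "spam"   # anything not whitelisted is spam
    if mode == "complement":
        return "spam" if content_filter(msg.body) else "ham"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    newcomer = Message("192.0.2.11", "newcontact@vendor.example", "Hello, our quote is attached")
    for mode in ("exclusive", "complement"):
        print(mode, "->", classify(newcomer, mode))
```

The newcomer message is the interesting case: the same legitimate mail is a false positive under `exclusive` mode and ham under `complement` mode, which is exactly the trade-off the text describes. The ordering of the checks encodes the earlier observation that From-address lists are spoofable: a message claiming to come from a whitelisted domain but arriving from a blacklisted network is still rejected.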

Note

The use of whitelists and blacklists can have an impact on learning systems, which I discuss in an upcoming section. Often, a blacklisted or whitelisted entry is never passed to a learning system, so the system isn't exposed to these email messages. The learning system then can't learn the standard pattern of email messages a given user or organization receives, which keeps the system from being as accurate as it should be.

Challenge-Response Systems

Even though using whitelists exclusively can produce an extremely low false-negative rate, whitelists are hard to maintain in most settings because of the dynamic nature of email user populations. It's difficult for end users to maintain effective whitelists as their associates change. Challenge-response systems were created to make using whitelists easier. As Figure 9 shows, a challenge-response system is a modification of the standard whitelist system. Email messages from new senders are subjected to verification.


Figure 9: Challenge-response systems

The method of verification can be as simple as having the sender respond to an automated email query or having the sender answer some type of question. Once verified, the original email is delivered to the recipient and the sender is whitelisted.

Challenge-response systems effectively leverage the power of whitelisting while ensuring that end users needn't constantly maintain the actual whitelist. However, challenge-response systems provide their own set of problems.

First, challenge-response systems simply move the burden of whitelist management from a single end user to all senders interested in communicating with the end user. Although this approach doesn't seem invasive, any widespread use of challenge-response places an increasing burden on senders. In fact, many senders tend to ignore a challenge from a challenge-response system, and the system fails because legitimate mail is never delivered to the recipient.


[Figure 9 (flowchart): New Mail -> Sender already in database? (checked against the sender database). Yes: Delivered. No: Challenge Issued -> Valid Sender Response? Yes: Delivered. No: Discarded.]


Second, spammers can easily mimic challenge-response systems as a way to verify victim email addresses. Basically, spammers can create legitimate-looking challenges to send to their lists of addresses. A significant percentage of those recipients will then respond to the challenge, thus verifying their email addresses. For spammers, this method can prove to be an effective form of address verification.

Another type of challenge-response system is a computation challenge-response. In this version, the idea isn't to challenge the original sender, but the sending mail system instead. For example, after senders submit an email message to their mail server, that server connects to the destination mail system. The destination mail system, however, won't accept the email message for delivery until the sending system performs some reasonably complex computation (e.g., determining pi to a certain degree of accuracy, computing a large prime number). The idea is to add cost to sending an email message so that the profit incentive for spammers will be reduced or eliminated altogether.

It's a good idea, but it suffers from a few problems. First, it doesn't really affect most spammers because so much spam is sent by bots, the compromised end-user systems that spammers use to submit mail. If spammers have hundreds or even thousands of bots at their disposal, a computation challenge might not significantly increase the expense of delivery.
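The computation challenge-response above needs a puzzle that is expensive to solve and cheap to check, otherwise the receiving MTA pays as much as the sender. The block below is an added example, not code from the eBook, and it swaps in a hash-based puzzle (find a counter so that SHA-256 of challenge plus counter starts with a given number of zero bits) for the text's pi or prime computations; that substitution is an assumption, chosen because verifying a solution costs one hash while finding it costs about 2**difficulty hashes. The SMTP dialogue and the `XPUZZLE` verb in it are hypothetical and simulated in-process.

```python
"""A computation challenge-response between a sending and a receiving MTA.

Added example, not from the eBook. The receiving side issues a random
challenge and refuses the message until the sender returns a counter such
that SHA-256(challenge || counter) starts with `difficulty` zero bits. The
text's examples are computing pi or finding a large prime; this hash puzzle
is a swapped-in assumption because its verification is a single hash while
solving costs about 2**difficulty hashes. The exchange is simulated
in-process and the XPUZZLE verb is hypothetical.
"""
import hashlib
import os


def _hash(challenge: bytes, counter: int) -> bytes:
    return hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of the digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_challenge(challenge: bytes, difficulty: int) -> int:
    """Sender side: brute-force the smallest counter that meets the difficulty."""
    counter = 0
    while leading_zero_bits(_hash(challenge, counter)) < difficulty:
        counter += 1
    return counter


def verify_solution(challenge: bytes, difficulty: int, counter: int) -> bool:
    """Receiver side: one hash checks the sender's work."""
    return leading_zero_bits(_hash(challenge, counter)) >= difficulty


def smtp_exchange(difficulty: int = 12, challenge: bytes = None) -> list:
    """Simulate the dialogue; returns the transcript as a list of (side, text)."""
    challenge = challenge or os.urandom(16)   # fresh per message, so work cannot be reused
    transcript = [("S", f"450 4.7.0 Solve challenge {challenge.hex()} at difficulty {difficulty}")]
    counter = solve_challenge(challenge, difficulty)       # the sender's cost
    transcript.append(("C", f"XPUZZLE {counter}"))          # hypothetical extension verb
    accepted = verify_solution(challenge, difficulty, counter)  # the receiver's cost: one hash
    transcript.append(("S", "250 2.0.0 Accepted" if accepted else "550 5.7.0 Bad solution"))
    return transcript


if __name__ == "__main__":
    for side, text in smtp_exchange(difficulty=16):
        print(side, text)
```

Raising `difficulty` by one doubles the sender's expected work without changing the receiver's. The weakness the text identifies survives unchanged in this form: a botnet spreads that work across thousands of compromised machines, so the cost per message to the spammer stays negligible while a legitimate mailing-list server pays it in full.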

Graylists

Graylisting is a relatively new method of fighting spam. It doesn't rely on either blacklists or whitelists. With graylisting, whenever a new MTA makes a connection to a server that supports graylisting, the email message the MTA is sending is rejected with a 45x SMTP status code (i.e., an SMTP temporary error code). If the MTA obeys the relevant Requests for Comments (RFCs), it will requeue the mail for later delivery. The local MTA will then update its whitelist of sending MTAs after a predetermined amount of time (ranging from several minutes to an hour or more) so that the sender can then reconnect later and submit the email message.

This approach is effective because many spammers don't use standard MTAs. They use mail blaster software that connects to mail servers, attempts delivery, and if a failure occurs (as it will if graylisting is in place), moves on. The technique's only real drawback is slower delivery of valid email messages upon the first send by a new sender.
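The graylisting procedure above is a small state machine keyed on the (client IP, sender, recipient) triplet. The block below is an added example, not code from the eBook: the first attempt for a triplet is answered with a 450 temporary error, a retry inside the delay is answered the same way without resetting the timer, and a retry after the delay is accepted and remembered. The clock is injectable so the demo replays an RFC-compliant MTA and a mail blaster in an instant; the addresses are constructed.

```python
"""Graylisting as an SMTP-time state machine keyed on (client IP, sender, recipient).

Added example, not from the eBook. A triplet seen for the first time is
deferred with a 450 temporary error; a retry after the configured delay is
accepted and the triplet is remembered, so later mail from that sender
flows without delay. The clock is injectable so the example runs instantly
offline; addresses are constructed.
"""
from datetime import datetime, timedelta


class Graylist:
    def __init__(self, delay=timedelta(minutes=5), clock=datetime.now):
        self.delay = delay
        self.clock = clock
        self.pending = {}     # triplet -> time first seen
        self.allowed = set()  # triplets that completed a valid retry

    def check(self, client_ip: str, sender: str, recipient: str):
        """Return the SMTP reply (code, text) for a RCPT TO command."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.allowed:
            return 250, "2.1.5 OK"
        now = self.clock()
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now
            return 450, "4.7.1 Greylisted, try again later"
        if now - first_seen < self.delay:
            # Too early. The original first-seen time is kept on purpose so an
            # honest MTA's retry schedule is honoured rather than restarted.
            return 450, "4.7.1 Greylisted, try again later"
        del self.pending[triplet]
        self.allowed.add(triplet)
        return 250, "2.1.5 OK"


class FakeClock:
    """Constructed clock for the demo; real deployments use datetime.now."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **kwargs) -> None:
        self.now += timedelta(**kwargs)


def demo() -> list:
    """Replay an RFC-compliant MTA and a fire-and-forget mail blaster; return the reply codes."""
    clock = FakeClock(datetime(2024, 1, 1, 12, 0, 0))
    gl = Graylist(clock=clock)
    codes = []
    # Compliant MTA: first try deferred, quick retry deferred, retry after the delay accepted,
    # and every later message from the same triplet accepted immediately.
    codes.append(gl.check("192.0.2.10", "alice@partner.example", "bob@example.com")[0])
    clock.advance(minutes=1)
    codes.append(gl.check("192.0.2.10", "alice@partner.example", "bob@example.com")[0])
    clock.advance(minutes=6)
    codes.append(gl.check("192.0.2.10", "alice@partner.example", "bob@example.com")[0])
    codes.append(gl.check("192.0.2.10", "alice@partner.example", "bob@example.com")[0])
    # Mail blaster: one attempt and never a retry, so its message is never accepted.
    codes.append(gl.check("203.0.113.9", "promo@bulk.example", "bob@example.com")[0])
    return codes


if __name__ == "__main__":
    print(demo())
```

Keying on the full triplet rather than the client IP alone is what keeps the protection meaningful: a blaster that rotates sender addresses gets a fresh 450 for every new combination. In production the `pending` table also needs expiry, or a harvester that never retries will grow it without bound.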

Learning Systems

Learning systems are just that: systems that learn in order to adapt to changing conditions. In the case of spam, a learning system adjusts to the pattern of the email messages that a user receives to detect both spam and ham. Most learning systems are based on Bayesian filtering. As Figure 10 shows, with a Bayesian filter, the learning system builds a database of words and the probability that they'll occur in a spam email message.


    Figure 10Learning systems

These words can be anything from the IP address the sender uses to the actual content of an email message body. The more often a word is used in spam email messages and the less often the same word occurs in legitimate email messages, the higher the spam probability assigned to it. One of the virtues of Bayesian filtering is that you can customize it for the target email system.

Generally, spam and phishing filters that rely on Bayesian filtering require an initial training period. During this training period, the Bayesian filter monitors inbound and outbound email and begins creating a database (or altering a vendor-supplied database) customized for that email flow. Systems administrators can also tune the database (e.g., by manually submitting known spam, and known ham, to the learning system) to better train the Bayesian engine. After the training period is over, the Bayesian engine begins tagging spam. Because the training period introduces the engine to the organization's typical mail flow, the system often starts with relatively low false-negative and false-positive rates.

    Because the probability database is so important to a Bayesian filter, the training period is crucial.

In the case of some implementations, however, the vendor supplies a standard ham database and only spam is accepted for training. This approach significantly reduces the filter's efficacy because it isn't properly tuned for the local organization. When both ham and spam elements of a probability database can be updated, the filter will be more flexible and more accurate.

    Because the probability database is constantly being updated, the engine can adapt to a changein mail flow. The constant updating means that as spammers adjust their techniques, Bayesianengines can often adapt automatically. For example, spammers attempt to defeat signature-basedfilters by using random words and quotations at the bottom of their email messages. However,Bayesian systems often quickly adapt to these types of changes.


[Figure 10 flowchart (image not reproduced); its nodes: New Mail; Engine Breaks Email into Tokens; Database of Tokens and Probabilities; Engine Computes Probability of Spam; Is Spam? (Yes/No); Train Database? (Yes/No); Delivered]


Bayesian filters are generally more accurate than rule-based filters because every token in the message contributes evidence, instead of a handful of keywords having to match a given rule. A rule-based system can have a high false-positive rate; a well-trained Bayesian engine is more accurate and has a lower false-positive rate.

A major downside of Bayesian filtering is increased processor use on mail systems, especially if the antispam engine is hosted on the mail server itself. Bayesian filtering involves tokenizing and scoring every message, and it also generally requires constant and fast access to the probability database. Access to the database itself can cause delays on a loaded mail server.
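The following is an added Python example (not from the original book and not any vendor's engine) of the token database and scoring that Figure 10 describes, using the probability combination from Paul Graham's "A Plan for Spam". The training corpus is a handful of constructed messages, the sending address 203.0.113.7 is a documentation IP, and the minimum-occurrence threshold is set to 1 only so that such a tiny corpus yields evidence; a production filter would require a token to be seen several times before trusting it.

```python
"""Bayesian spam filter in the style of Figure 10 (added example)."""
import re
from collections import Counter


def tokenize(text, client_ip=None):
    """Lowercase word tokens (each counted once per message). The sending IP becomes
    a token too, so a source that keeps sending spam is learned like any other feature."""
    tokens = {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) >= 3}
    if client_ip:
        tokens.add("ip:" + client_ip)
    return tokens


class BayesFilter:
    def __init__(self, min_occurrences=1, max_tokens=15):
        self.good = Counter()     # token -> number of ham messages containing it
        self.bad = Counter()      # token -> number of spam messages containing it
        self.ngood = 0            # ham messages seen
        self.nbad = 0             # spam messages seen
        self.min_occurrences = min_occurrences   # assumed: 1 for the toy corpus, ~5 in production
        self.max_tokens = max_tokens             # most decisive tokens used per message

    def train(self, text, is_spam, client_ip=None):
        """Update the token database from one classified message ('Train Database' in Figure 10)."""
        tokens = tokenize(text, client_ip)
        if is_spam:
            self.bad.update(tokens)
            self.nbad += 1
        else:
            self.good.update(tokens)
            self.ngood += 1

    def token_probability(self, token):
        """P(spam | token), following Graham: ham counts are doubled to bias against
        false positives and the result is clamped to [0.01, 0.99]. None = no evidence."""
        g = 2 * self.good[token]
        b = self.bad[token]
        if g + b < self.min_occurrences or self.ngood == 0 or self.nbad == 0:
            return None
        good_rate = min(1.0, g / self.ngood)
        bad_rate = min(1.0, b / self.nbad)
        return min(0.99, max(0.01, bad_rate / (good_rate + bad_rate)))

    def spam_probability(self, text, client_ip=None):
        """Combine the most decisive token probabilities ('Computes Probability' in Figure 10)."""
        probs = [p for p in map(self.token_probability, tokenize(text, client_ip)) if p is not None]
        if not probs:
            return 0.5           # nothing known about any token: no opinion
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        prod_spam = prod_ham = 1.0
        for p in probs[: self.max_tokens]:
            prod_spam *= p
            prod_ham *= 1.0 - p
        return prod_spam / (prod_spam + prod_ham)

    def is_spam(self, text, client_ip=None, threshold=0.9):
        return self.spam_probability(text, client_ip) >= threshold


def build_trained_filter():
    """Train on a small constructed corpus (not real mail) so the example runs offline."""
    f = BayesFilter()
    spam = [
        ("Buy cheap meds online now, lowest prices guaranteed, click here", "203.0.113.7"),
        ("Cheap replica watches, lowest prices, click here to buy now", None),
        ("Click here for cheap mortgage rates, guaranteed approval", None),
        ("Cheap pills, buy now, click here", None),
    ]
    ham = [
        "Hi team, the deployment is scheduled for Friday, please review the change ticket",
        "Can you send me the meeting notes from yesterday? Thanks",
        "The quarterly report is attached for review, let me know if you have questions",
        "Reminder: team lunch on Friday, let me know if you can make it",
    ]
    for text, ip in spam:
        f.train(text, is_spam=True, client_ip=ip)
    for text in ham:
        f.train(text, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_trained_filter()
    print(round(f.spam_probability("Cheap meds, click here to buy now"), 4))
    print(round(f.spam_probability("Please review the notes from the meeting, thanks"), 4))
    print(round(f.spam_probability("hello there friend", client_ip="203.0.113.7"), 4))
```

Two properties of this scoring explain the adaptivity described above. First, a token the database has never seen contributes no evidence, and only the `max_tokens` most decisive tokens are combined, so padding a message with random dictionary words (the trick used against signature filters) does not dilute the verdict. Second, because the sending IP is just another token, a source that has only ever delivered spam is scored as spam even when the text itself is unfamiliar, which is what the third print line shows.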

MTA-level Controls

In addition to the solutions mentioned above, you can also reduce incoming spam by adjusting how the MTA operates. The most common method is to require that the sending MTA's IP address have a valid reverse DNS (PTR) record. (AOL, for example, does use a reverse DNS check.) Because spammers use so many dial-up and broadband connections, and because those IP addresses rarely have reverse DNS that identifies a mail host, requiring valid reverse DNS can be effective. However, because many legitimate mail servers don't have reverse DNS set up, this approach can cause at least a moderate increase in your false-positive rate.

Another worthwhile check is to determine whether the sending mail server properly identifies itself during the HELO/EHLO stage of the SMTP connection. The minimum requirement is that the HELO argument be a fully qualified hostname (not a bare word or an unbracketed IP address); a server that announces itself as "localhost" or "friend" is almost certainly not a real MTA, and many receivers reject such connections outright. Some sites go further and compare the HELO hostname against the list of mail exchanger (MX) records for the sending domain, treating a mismatch as a sign that the sending server is probably not telling the truth. Keep in mind, though, that many legitimate outbound relays are not their domain's MX hosts, and RFC 5321 (section 4.1.4) says a server must not refuse a message solely because the HELO name fails to correspond to the client's IP address. Use the comparison as a scoring signal rather than a hard reject.

Finally, by using rate controls, systems administrators can at least lessen the effect of incoming email messages when a site is under a spam attack. Rate controls are typically set to a relatively high value to ensure that legitimate email isn't affected but that bulk senders are rejected. For example, it's common for a legitimate user to include several Cc recipients in an email but not several hundred, whereas spammers often include hundreds of recipients in a single message. A common rate control is therefore to limit the number of recipients permitted per message; if too many recipients are designated, the email message is rejected. Related controls limit the number of connections, or messages, a single client IP address may submit per unit of time.
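An added Python example (written for this edition, not code from the original book) that applies the three MTA-level checks above to one incoming connection: the recipient-count limit, the HELO sanity check, and a reverse DNS check, with the HELO comparisons scored rather than used as a hard reject, in keeping with RFC 5321. DNS lookups are abstracted behind a resolver object so that the example runs offline; the StaticResolver with its example.net hosts and 198.51.100.x, 192.0.2.x, and 203.0.113.x addresses is constructed test data, and the recipient limit and score threshold are assumptions.

```python
"""MTA-level connection checks (added example)."""
import re

RECIPIENT_LIMIT = 100   # assumed: more RCPT TOs than this in one message is rejected outright
SCORE_REJECT = 3        # assumed: accumulated soft-signal score at which we reject

LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


class StaticResolver:
    """Stand-in for DNS so the example runs offline; all data is constructed."""
    def __init__(self, ptr, a, mx):
        self._ptr, self._a, self._mx = ptr, a, mx

    def ptr(self, ip):          # reverse lookup: IP -> hostname or None
        return self._ptr.get(ip)

    def a(self, name):          # forward lookup: hostname -> list of IPs
        return self._a.get(name.lower(), [])

    def mx(self, domain):       # MX lookup: domain -> list of mail exchanger hostnames
        return [h.lower() for h in self._mx.get(domain.lower(), [])]


def is_fqdn(name):
    """True for a syntactically valid multi-label hostname; rejects 'localhost' and [1.2.3.4]."""
    labels = name.split(".")
    return (len(labels) >= 2
            and not labels[-1].isdigit()
            and all(LABEL_RE.fullmatch(label) for label in labels))


def evaluate_connection(client_ip, helo, mail_from, rcpt_count, resolver):
    """Returns (action, score, reasons); action is 'accept' or 'reject'."""
    helo = helo.lower()
    score, reasons = 0, []

    # Rate control: a single message with hundreds of recipients is bulk mail.
    if rcpt_count > RECIPIENT_LIMIT:
        return "reject", score, [f"{rcpt_count} recipients exceeds limit of {RECIPIENT_LIMIT}"]

    # HELO must at least be a fully qualified hostname; this is the one HELO test
    # that is safe to reject on (bots commonly send 'localhost' or a bare word).
    if not is_fqdn(helo):
        return "reject", score, [f"HELO '{helo}' is not a fully qualified hostname"]

    # Reverse DNS: a missing PTR is the strongest soft signal; a PTR that does not
    # resolve back to the client (no forward confirmation) is a weaker one.
    ptr = resolver.ptr(client_ip)
    if ptr is None:
        score += 2
        reasons.append(f"no reverse DNS for {client_ip}")
    elif client_ip not in resolver.a(ptr):
        score += 1
        reasons.append(f"PTR {ptr} does not resolve back to {client_ip}")

    # HELO name vs. client address: RFC 5321 4.1.4 forbids rejecting on this alone.
    if client_ip not in resolver.a(helo):
        score += 1
        reasons.append(f"HELO {helo} does not resolve to {client_ip}")

    # HELO vs. the sender domain's MX hosts: weak, since outbound relays are often not MXs.
    domain = mail_from.rsplit("@", 1)[-1].lower() if "@" in mail_from else ""
    if domain and helo not in resolver.mx(domain):
        score += 1
        reasons.append(f"HELO {helo} is not an MX host for {domain}")

    action = "reject" if score >= SCORE_REJECT else "accept"
    return action, score, reasons


def build_sample_resolver():
    """Constructed DNS data using documentation addresses (RFC 5737) and example.net."""
    return StaticResolver(
        ptr={"198.51.100.10": "mail.example.net",
             "198.51.100.11": "out1.example.net",
             "192.0.2.77": "pool-77.isp.example"},      # 203.0.113.55 has no PTR at all
        a={"mail.example.net": ["198.51.100.10"],
           "out1.example.net": ["198.51.100.11"],
           "pool-77.isp.example": ["192.0.2.1"]},         # PTR name points somewhere else
        mx={"example.net": ["mail.example.net"]},
    )


if __name__ == "__main__":
    r = build_sample_resolver()
    print(evaluate_connection("198.51.100.10", "mail.example.net", "alice@example.net", 2, r))
    print(evaluate_connection("203.0.113.55", "localhost", "x@example.net", 1, r))
    print(evaluate_connection("203.0.113.55", "mail.example.net", "alice@example.net", 5, r))
```

The score for an accepted connection would normally be handed on to the content filter rather than discarded. In Postfix the same checks are expressed as `smtpd_recipient_limit`, `reject_non_fqdn_helo_hostname`, and `reject_unknown_reverse_client_hostname`, with per-client connection and message rate limits enforced by its anvil service.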

Combining Antispam and Anti-Phishing Solutions

As you can see, although all of the solutions discussed are effective to some degree, each falls short on its own. As Table 7 shows, highly accurate and fast systems, such as signature-based filters, tend to be too specific to particular email messages, whereas learning systems tend to be slower and have a higher false-negative rate.

Table 7: Comparing solutions

                      Fast   Reliable    Dynamic
Signature-based       Yes    Yes         No
Rule-based            Yes    Sometimes   No
Learning systems      No     Yes         Yes
MTA-level controls    Yes    Sometimes   No


Often, the best approach is to combine the strengths of each of the systems in a comprehensive solution that also reduces each system's weaknesses. For example, by combining MTA-level controls with graylisting, you can reject out of hand large amounts of spam sent by email blasters, before any content is examined. Once email messages reach a content filter, you can get high accuracy on what remains by combining learning systems with signature- and rule-based filters.

Stopping Virus, Trojan Horse, and Spyware Attacks

Together, viruses, Trojan horses, and spyware have had a large and, for too many organizations, a devastating impact on business. Viruses attack both servers and end-user systems constantly. Unfortunately, most IT departments continue to lag behind when it comes to solutions that properly protect users against these attacks. To make matters worse, spyware is still a relatively new concern for most organizations, with products that can detect and remove spyware having been introduced only in the past few years. Generally, server-level and network-level solutions to viruses, Trojan horses, and spyware rely on either reactive or predictive systems.

Reactive Systems

The detection of malware is still very much in the domain of reactive solutions. With a reactive solution, malware is detected through a multistage process that depends upon the vendor. Figure 11 shows the steps of the process.

Figure 11: Reactive antivirus systems


[Figure 11 flowchart (image not reproduced); its nodes: New Virus; Submission to Vendor; Already Known? (Yes: Discarded / No: Vendor Analysis); Update Signature Database; Push/Pull to Clients; Client Antivirus Software Detects Virus]


Reactive solutions generally can't detect malware until after the malware is released (although some solutions do try to detect patterns that would alert them to malware, to reduce this disadvantage as much as possible). After the malware is released, the antivirus vendor obtains a sample of the malware (e.g., from a customer or from a vendor-run honeypot). The vendor analyzes the malware and creates a signature or rule that will match the malware in email messages. The vendor adds the new signature or rule to its database for release to customers through either a push-initiated or a pull-initiated download. At this point, the antivirus product reads the downloaded database for the new signature or rule and can then detect the new malware.

This process has both advantages and disadvantages. One advantage is that signature- and rule-based scanning for malware tends to be fast compared to other methods (e.g., predictive/heuristic). Additionally, signature-based matching tends to be exceptionally accurate, which results in low false-positive and false-negative rates. Unfortunately, a key disadvantage of purely reactive systems is that the antivirus product can't stop new malware until a new signature is released, thus creating a window of opportunity during which internal mail systems and end users are vulnerable.

Also, as with signature-based spam filters, malware can easily be modified to prevent a match with the vendor's signature. Indeed, programs built for this purpose are readily available. For example, Trojan horses are often masked by the use of packers (programs that compress or encrypt the Trojan horse into a version that still runs but no longer resembles the original). Packers can be applied with different settings, meaning that a single Trojan horse might be released in several versions, each with a different signature. Because packers can be combined with readily available binders (programs that bind two executables into a single program that contains both a legitimate program and the Trojan horse), Trojan horses are a popular and easy-to-produce method of attack.

Predictive Systems

Signature-based reactive systems, although effective and fast, can't sufficiently protect networks from malware. Because they require that the vendor analyze samples of new malware, create and release a new signature, and get the new signature to the customer for application, the process is inherently slow. The malware analysis itself can be slow because it's often manual (i.e., a technician at the vendor must examine the malware, determine a pattern that will consistently match it, and create the signature). Thus, although reactive systems are fast once they have signatures, they're slow to reach the stage of detecting new malware because of the signature-creation process itself.

Predictive systems provide an alternative to reactive systems. Instead of being based strictly on signatures, predictive systems use different types of analysis to determine whether malware exists in an email message, is attempting to initiate a remote connection, or is already on the network. Predictive systems are based on several types of solutions, including heuristic filters, behavioral analysis, and traffic analysis.


Heuristic Filters

Sometimes marketed as artificial intelligence (AI) engines, heuristic filters use a combination of patterns and weighted scores, rather than an exact signature, to judge whether a given program is malware. Heuristic filters are used in both spam and malware detection. They enable malware detection without an existing signature. Unfortunately, heuristic filters aren't foolproof, and they tend to have much higher false-negative and false-positive rates than purely reactive systems.

Behavioral Analysis

Behavioral analysis is an advanced method of malware detection. With behavioral analysis, any program that an email message contains is loaded into a sandbox environment in which a built-in analysis engine monitors and analyzes the email-borne program's behavior. This process lets a malware detection engine acquire a great deal of information about how a given program operates. With this information, the analysis engine is then able to make a reasonably accurate determination about whether the software is malware (e.g., spyware). Detectable signs of malware include attempts to silently install the software on the client and connections made to an Internet server after the software runs on the client system. However, as you might expect, behavioral analysis is resource-intensive, and therefore expensive to implement, and malware that checks whether it is running in a sandbox can simply stay dormant while it is being observed. Behavioral analysis won't be feasible in every environment.

Traffic Analysis

Traffic analysis detects patterns in email traffic and notes changes to the usual patterns. For example, virus outbreaks tend to create a notable influx of incoming mail as external mail users are infected and their systems attempt to deliver malware to other systems. Conversely, if an internal corporate network is compromised, a corresponding increase in outgoing email occurs.

    Traffic analysis is difficult. Small environments might not have enough traffic for effectivedetection. Large environments can better support traffic analysis, but the analysis requires that ahighly reliable and precise traffic monitoring and alerting system be in place.
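An added Python example (not from the original book) of the traffic analysis just described: it parses a constructed per-message log in a simple made-up format, totals recipients per host per clock hour, and flags an hour whose total exceeds a multiple of that host's recent median. The floor parameter is one answer to the small-environment problem noted above: a host with little or no history cannot trip an alert on a handful of messages. The log format, host names, and thresholds are assumptions for illustration.

```python
"""Outbound mail volume anomaly detection over a per-message log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Made-up per-message log format (assumed): "<ISO timestamp> <in|out> host=<name> nrcpt=<n>"
LINE_RE = re.compile(r"^(\S+) (in|out) host=(\S+) nrcpt=(\d+)$")


def hourly_recipients(lines):
    """Total recipients per (direction, host) per clock hour."""
    series = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # unparseable line: skip rather than crash the monitor
        ts, direction, host, nrcpt = m.groups()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        series[(direction, host)][hour] += int(nrcpt)
    return series


def detect_spikes(series, factor=5.0, floor=50, window=24, min_history=12):
    """Flag an hour whose total exceeds max(floor, factor * median of the previous window hours).
    Returns a list of (key, hour, value, baseline)."""
    alerts = []
    for key, buckets in series.items():
        first, last = min(buckets), max(buckets)
        n_hours = int((last - first).total_seconds() // 3600) + 1
        hours = [first + timedelta(hours=i) for i in range(n_hours)]
        values = [buckets.get(h, 0) for h in hours]    # quiet hours count as zero
        for i, (hour, value) in enumerate(zip(hours, values)):
            history = values[max(0, i - window):i]
            if len(history) < min_history:
                continue      # not enough history: a new host cannot trip an alert yet
            baseline = median(history)
            if value > max(floor, factor * baseline):
                alerts.append((key, hour, value, baseline))
    return alerts


def make_sample_log():
    """Constructed sample log (not real data): 24 quiet hours, then ws-17 starts blasting."""
    lines = []
    start = datetime(2024, 3, 4, 0, 0)
    for h in range(24):
        t = start + timedelta(hours=h)
        for host in ("ws-17", "ws-03"):           # two ordinary workstations, 4 mails an hour
            for m in range(4):
                stamp = (t + timedelta(minutes=10 * m)).isoformat()
                lines.append(f"{stamp} out host={host} nrcpt=1")
        lines.append(f"{t.isoformat()} in host=mx1 nrcpt=1")
    lines.append(f"{start.isoformat()} out host=ws-09 nrcpt=1")   # a host that barely sends
    spike = start + timedelta(hours=24)
    for s in range(60):                           # ws-17: 60 messages x 8 recipients in one hour
        lines.append(f"{(spike + timedelta(seconds=s)).isoformat()} out host=ws-17 nrcpt=8")
    lines.append(f"{spike.isoformat()} out host=ws-09 nrcpt=30")   # small burst, stays under floor
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(hourly_recipients(make_sample_log())):
        key, hour, value, baseline = alert
        print(f"{key[1]} ({key[0]}) at {hour}: {value} recipients, baseline {baseline}")
```

The same function applied to the "in" series catches the inbound influx of an external outbreak. Using the median rather than the mean as the baseline keeps one earlier spike from raising the bar for the next; the price is that a host whose normal volume is genuinely bursty needs a larger `factor`.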

The Layered Defense

Because of the danger of viruses, Trojan horses, and spyware and because email is now the main attack vector, most organizations rely on multiple layers of defense. Those layers can include a packet-filtering firewall, an email firewall, and a demilitarized zone (DMZ) mail server, as Figure 12 shows.


Figure 12: Layered email defense

The first layer of defense, and the layer that best protects the underlying network and provides a crucial level of protection for network-oriented applications, is the packet-filtering firewall. A packet-filtering firewall understands networks at the TCP/IP layer, including such matters as TCP, UDP, and ports. This type of firewall is configured to let only certain types of incoming packets through to specifically allowed ports on the internal hosts that the firewall protects. For example, the firewall in Figure 12 allows incoming packets to at least port 25/TCP on the DMZ mail server and to port 80/TCP or port 443/TCP on the DMZ Web mail server.

The second layer of defense is an email firewall, one example of an application-level firewall. This type of firewall works at a higher level in the protocol stack. It not only understands SMTP but can scan mail envelopes and message content to detect spam, phishing attacks, and viruses. The email firewall is usually hardened against attacks through SMTP (e.g., buffer-overflow attacks), so that the DMZ mail server is less exposed to such attacks. An email firewall protects email systems (i.e., computer systems that provide mail service) as well as providing a layer of protection for internal users against dangerous email messages in their mailboxes.


[Figure 12 diagram (image not reproduced); its elements: Internet Mail Server; Packet-Filtering Firewall; Email Firewall; DMZ Mail Server; DMZ Firewall; IDS; Web Mail Server; Directory Server]


    Note

Email firewalls must provide comprehensive antivirus capabilities to properly defend against both known and unknown viruses. As I've discussed, much antivirus software has been reactive. However, because of how quickly viruses now spread and because many viruses are polymorphic, a reactive approach is no longer enough. Antivirus software must also provide predictive scanning, meaning that it should be able to perform heuristic scanning to detect key characteristics that identify a virus rather than needing to know an exact signature. Reactive scanning still has a place in virus defense, but real-time defense against zero-day threats requires predictive scanning from antivirus software.

The third layer of defense is a well-configured DMZ mail server. This server accepts only mail destined for the domains that it owns, that is, for internal users. This approach prevents spammers from using the mail server as an open relay for spam. The DMZ mail server is also hardened so that attacks that pass through the email firewall (e.g., invalid input that the email firewall accepts and passes on to the DMZ mail server) don't compromise it.

    Finally, additional layers of defense can be beneficial, such as an Intrusion Detection System(IDS) and a separate DMZ Web mail server. (Because Web mail servers usually run complex Webapplications, they often provide an avenue for an attack that can compromise internal systems.)

Stopping Attacks Against Mail Systems and Servers

Over the past several years, as attacks against end users and their desktops have increased, direct attacks against servers have decreased (although the decrease has been relative). However, servers are still vulnerable because attackers are still releasing exploits against Microsoft Exchange and even Sendmail. In this section, I discuss common ways you can reduce or stop attacks against servers.

Buffer-Overflow Exploits

As I mentioned previously, a buffer overflow occurs when a software program writes more data into a buffer than the buffer was sized to hold and no bounds check exists to catch the unexpected input. Attackers can use this bug to make the program execute code it was never intended to execute. If the program runs at a privileged level, the entire system can be compromised. Even with better-designed software that doesn't run in privileged mode, attackers can compromise the mail software itself, which in effect gives the attacker full access to the mail server's resources (its queues, mailboxes, and credentials).

Although they occur accidentally through programming errors, buffer overflows are a common target of security exploits. In a buffer-overflow exploit scenario, the extra data is crafted by the attacker: it can overwrite control data such as a return address and carry instructions for the attacked server to run, which could damage user files, change data, or disclose confidential information.

In the past, attackers often used buffer-overflow exploits to spread worms between servers on the Internet as well as to prove their prowess. More recently, however, buffer-overflow exploits have had a more targeted purpose: They let attackers compromise a mail server so that they can then use the mail server to send spam. This type of attack has two serious consequences.


First, a compromised mail server means that attackers can read the email messages being sent to and from your company. The results can be devastating. Second, attackers can use your company's server resources to send spam. This scenario can earn bad will for your company (and land your server on blacklists) and violate your ISP's contract, which in many cases means termination of service. It's important that your mail servers (and any other public servers) be hardened against buffer-overflow exploits and other types of attacks.

Avoiding Server Compromise

Organizations can reduce the chance of a server compromise in several ways. The first is to harden the mail server itself. In all situations, hardening is a worthwhile effort. On hardened servers, especially Internet-facing servers, fewer services are available for exploitation and those services are generally compartmentalized. The following measures are generally required for hardening:

• Physically securing the computer
• Updating OS and application software
• Enabling logging of administrative access and resource use
• Removing unnecessary applications, services, and tools
• Enabling local firewall services
• Restricting the use of privileged accounts

By hardening servers, you can dramatically reduce their vulnerability. Unfortunately, hardening mail servers often isn't enough. A better solution is to both harden the server and provide additional filtering for email traffic before it actually hits the server. You can filter email traffic early by using network appliances, managed services, or software integrated into an existing mail system (e.g., Microsoft Exchange). Keep in mind that you want to layer your defenses, for example by hardening internal mail servers while at the same time deploying vendor-hardened network appliances to protect the perimeter.

Network Appliances

Network appliances are deployed in front of internal mail servers. These appliances usually provide two types of firewall: a packet-filtering firewall and an application-level firewall. As a packet-filtering firewall, a network appliance ensures that only valid TCP/IP traffic to the ports that mail services use (e.g., SMTP, and often POP3 and IMAP) is allowed. As an application-level firewall, the appliance ensures that the sending server uses SMTP properly and follows the relevant RFCs and common practices (e.g., having reverse DNS set up).

Network appliances tend to present a much smaller attack surface than a general-purpose mail server, for several reasons. First, most appliances run on heavily customized OSs. These OSs have been stripped of most extra services that would let attackers gain a foothold on the system (or the OS has been designed from scratch specifically for the appliance). Second, engineers typically follow best practices when hardening the appliance. Finally, the appliance permits only a limited set of traffic to and from the server (i.e., traffic related to mail transport), and even that traffic is carefully scrutinized. An appliance is still software, though, so it needs the same patch discipline as any other perimeter device.

    Figure 13 shows the network appliance located in front of internal servers. This placement letsthe appliance protect internal servers and offload processing from the internal mail servers to theappliance itself.


Figure 13: Filtering appliances

Managed Services

With a managed service, all inbound email messages are sent first to an offsite service that filters email, as Figure 14 shows. This service then forwards valid email messages to your organization's mail server.

Figure 14: Using a managed service


[Figure 13 diagram (image not reproduced); its elements: Internet; Packet-Filtering Firewall; Network Appliance; Internal Mail Server]

[Figure 14 diagram (image not reproduced); its elements: Internet; Managed Service Provider; Mail Traffic; Direct Mail Delivery Denied; Packet-Filtering Firewall; Internal Mail Server]


For this strategy to be effective against direct attacks that use mail protocols, the internal mail server must not accept any connections other than those that the managed service initiates; in practice, the packet-filtering firewall permits port 25/TCP only from the provider's published address ranges, because an attacker who can find and connect to the server directly bypasses the filtering entirely. Note, too, that such services work for inbound email traffic only. Outbound traffic is still sent directly to other servers on the Internet, which leaves open the possibility of exploits using mail protocols (e.g., a malicious receiving mail server exploiting a buffer-overflow vulnerability in the sending mail server's software during the SMTP transaction).

Integrated Software

Finally, you can install integrated software to help protect your mail server. This locally installed software hardens servers against network attacks. Often, integrated software works at the application layer (i.e., SMTP) to protect a server from exploits. Some integrated software replaces a server's local TCP/IP stack with a customized, hardened version. More often, however, local filtering software works in conjunction with the mail software rather than creating a wall between it and external systems. Because of this approach, integrated software can help even when an attacker has direct access to the mail server (e.g., when a trusted internal user initiates the attack).

DoS Attacks and DHAs

DoS attacks reduce the ability of a target system to function. In the case of email, attackers intend to slow down or crash a mail server. Attackers perpetrate DoS attacks in several ways, including by consuming network resources and by perpetrating directory harvest attacks (DHAs).

When attackers perform DoS exploits through network resource consumption, the attacks often focus on consuming all the available incoming connections of the target machine. Because SMTP runs over TCP, a successful exploit requires only that the attackers open more TCP connections than the server has available, each held open, for example, by sending nothing after the greeting banner. That is, attackers create more connections to the mail server than the mail server can handle. The mail server is then no longer able to accept valid incoming connections from legitimate mail servers.

You'll find few mail server-based solutions that prevent DoS attacks. Most mail servers run on general-purpose OSs that aren't geared to prevent DoS attacks. Even with hardened UNIX systems, various network settings are required to increase the server's ability to withstand a large DoS attack. Therefore, organizations generally purchase systems specifically created