(E- SECURITY)

E-mail has emerged as one of the most important communication mediums in our global economy, with over 50 billion e-mail messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that e-mail volume. Spam is more than a minor nuisance - it is a serious security threat to all organizations worldwide.

The Simple Mail Transfer Protocol (SMTP) is used to send and receive e-mail across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail regardless of whether the sender’s or recipient’s address is valid.

Failing to secure your organization’s mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you will eventually (it usually doesn’t take more than a few days) get blacklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most, if not all, e-mail communications for your organization. It usually takes several months to get removed from those RBLs after you’ve been blacklisted and does significant damage to your organization communications infrastructure and credibility.

RBLs is only one method used to combat spam, and generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists are not perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you’ll curse their existence - it’s a case where the cure is sometimes worse than the disease.

Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic e-mails sent by a spammer to their corporate e-mail address.

Other risks associated with spam e-mail include:

• Missing or deleting important e-mails: Your boss might inadvertently delete that e-mail authorizing your promotion and pay raise because her inbox is flooded with spam and she got trigger happy with the delete button - at least it’s a convenient excuse!
• Viruses and other mail-icious code: Although you seem to hear less about viruses in recent years, they’re still prevalent and e-mail remains the favored medium for propagating them.
• Phishing and pharming scams: Phishing and pharming attacks, in which victims are lured to an apparently legitimate Web site (typically online banking or auctions) ostensibly to validate their personal account information, are usually perpetrated through mass mailings. It’s a complex scam increasingly perpetrated by organized criminals. Ultimately, phishing and pharming scams cost the victim their moolah and possibly their identity.

Countering these threats requires an arsenal of technical solutions and user awareness efforts and is - at least for now - a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ and unnecessary or unused services should be disabled - and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user awareness tips:

Never unsubscribe or reply to spam e-mail. Unsubscribe links in spam e-mails are often used to confirm the legitimacy of your e-mail address, which can then be added to mass-mailing lists that are sold to other spammers. And, as tempting as it is to tell a spammer what you really think of their irresistible offer to enhance your social life or improve your financial portfolio, most spammers don’t actually read your replies and (unfortunately) are not likely to follow your suggestion that they jump off a cliff.

Although legitimate offers from well-known retailers or newsletters from professional organizations may be thought of as spam by many people, it is likely that at some point a recipient of such a mass mailing actually signed up for that stuff - it is technically not spam. Everyone seems to want your e-mail address whenever you fill out an application for something, and that often translates to an open invitation to tell you about every sale from here to eternity. In such cases, senders are required by law to provide an Unsubscribe hyperlink in their mass mailings, and clicking it does remove the recipient from future mailings.

Don’t send auto-reply messages to Internet e-mail addresses (if possible). Mail servers can be configured not to send auto-reply messages (such as out-of-office messages) to Internet e-mail addresses. However, this may not be (and probably isn’t) practical in your organization. Be aware of the implications - auto-reply rules don’t discriminate against spammers, so the spammers will know when you’re on vacation, too!

Get a firewall for your home computer before you connect it to the Internet. This admonishment is particularly true if you are using a high-speed cable or DSL modem. Typically, a home computer with high-speed access will be scanned within minutes of being connected to the Internet. And if it isn’t protected by a firewall, this computer will almost certainly be compromised and become an unsuspecting zombie in some spammer’s bot-net army (over 250,000 new zombies are added to the Internet every day!). Then you will become part of the problem as your home computer and Internet bandwidth are used to send spam and phishing e-mails to thousands of other victims around the world, and you’ll be left wondering why your brand new state-of-the-art home computer is suddenly so slow and your blazing new high-speed internet connection isn’t so “high-speed” just two weeks after you got it.

Your end users don’t have to be CISSP certified to secure their home computers. A simple firewall software package with a basic configuration is usually enough to deter the majority of today’s hackers - most are using automated tools to scan the internet and won’t bother to slow down for a computer that presents even the slightest challenge. Size matters in these bot-net armies and there are far too many unprotected computers out there to waste time (even a few minutes) defeating your firewall.

Spam is only the tip of the iceberg. Get ready for emerging threats like SPIM (Spam over instant messaging) and SPIT (Spam over internet telephony) that will up the ante in the battle for messaging security.

Several protocols exist for secure e-mail, including S/MIME, PEM, and PGP. 

Other e-mail security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively.