Seven Tips For Avoiding Insider E-Mail Threats

SMTP Authentication

E-mail using organizations must require their end users to use SMTP Authentication (Auth) to be allowed to send outbound mail. This is probably the hardest recommendation to implement, but one of the most important in the prevention of outbound spamming.SMTP Auth prevents outbound e-mail from being sent without first identifying the sender using a username and password. This also helps the organization identify the sender of particular messages since the message-ID can be logged along with the actual username of the sender. If an end-user is caught spamming, the logs allow for easy identification in order to disable access to that end-user's account.

SMTP Auth alone is not sufficient to prevent outbound spam. While e-mails become traceable back to the original account that sent them, it's still possible for the sender to forge an outbound e-mail disguising it to the recipient. Additional technologies are necessary to prevent mail forgery and outbound spam.

(SMTP Auth is a standard that has been widely adopted by the Internet community that is defined by IETF RFC2554, and is broadly supported in almost all e-mail clients today.)

Sender Is Valid Recipient

A technique known as "Sender Is Valid Recipient" (SIVR), gives the enterprise more control over outbound e-mail and who the sender can claim to be. SIVR requires that the sender (the "From" address) of the e-mail must be a valid recipient in the organization's domain. Implementing SIVR together with SMTP Auth, the enterprise can force the sender to use their own true identity for outbound e-mail and accordingly reject delivery of any e-mail that appears to have a false return address -- in particular one that does not match the authenticated user name.

Securing The SMTP Connection

Even if you've implemented SMTP Auth and SIVR you have an additional concern remaining regarding the security of the SMTP connection. Usernames and passwords pass unencrypted in the SMTP Auth protocol. That means that any hacker monitoring the network can easily pick up usernames and passwords for malicious use.

That makes it crucial for you to implement STARTTLS encryption for encrypting the SMTP session for their end users. By enabling this Secure Socket Layer (SSL)-based encryption for the SMTP layer, the organization can require encrypted connections for all clients using SMTP Auth to protect the confidentiality of usernames and passwords during the SMTP session. SSL-based SMTP connection support is also fairly common in e-mail clients and should not pose a problem for the organization's end users. Requirements for SSL should be implemented at the same time as SMTP Auth in order to eliminate the migration issues associated with new features.

Masquerading The Sender

An alternative to rejecting e-mail messages that fail the SIVR test is to offer Sender Masquerading based on the authenticated end-user. Sender Masquerade allows the "From" address of outbound e-mail to be rewritten using the actual authenticated end-user's e-mail address. Sender Masquerading can prevent an end-user from using an alternate, or forged, e-mail address in the organization's mail system.Typically, this information can be retrieved from either an internal or external source, such as a Lightweight Directory Access Protocol (LDAP) -based directory server. By re-writing the "From" address, it would be easy to pinpoint the source of generated spam, as the "From" address will clearly identify the problem account, which can then either be disabled or reset with a new password in the case of a compromised account.

Connection Rate Limiting

Another technique organizations can use to help control outbound spam and virus-bearing messages is to limit the connection rates on their SMTP servers. Typical end users send only a few e-mails every few minutes, whereas spammers can churn out hundreds or thousands of e-mails in a minute. This commonly occurs when an infected desktop computer is being exploited for propagating virus messages and when enterprises implement a rate limiter that allows only a few SMTP connections per minute outbound spam traffic cannot get out and can be detected.

Outbound Spam And Virus Scanning

Outbound virus and spam scanning is an important way to help prevent outbreaks from emanating internally on your network. The best way to prevent theses threats from spreading in an organization's outbound e-mail traffic is to scan for spam and viruses both on the inbound and outbound SMTP gateway. In particular, spam scanning can be used by the e-mail administrator to identify trends, to monitor outbound patterns of e-mail by end users, and to quickly target problem end users.The spam-scanning engine should be used in a pass-through mode where it scans and identifies spam messages, but does not reject, discard, or tag them. This allows the system to retain logs and message information about the messages processed by the system.

Stripping Off Known Bad Attachments

As an added protection layer on the outbound SMTP layer, you may also want to strip attachments from e-mails when they are suspected or known to contain malicious content. This will help prevent the spread of new viruses before they are identified by virus scanning. Examples of file types that an enterprise should consider stripping from e-mails include vbs, pif, and scr, which are well-known as file types that have been used to transmit e-mail-borne viruses in the past.