How to change your SMTP banner for fun and profit
Written by Ed Fisher on August 27, 2010 – 3:00 pm
The most common question I have received as a result of this post on mail server misconfigurations is “how do I change my SMTP banner?” This article will tell you how to do so on several common mail server platforms. But first, let’s discuss why you want to.
Bad guys frequently use banner grabbing techniques as a part of the initial recon. It is a fairly innocuous activity that takes advantage of expected behaviours. To determine the type and version of mail server you are using, a bad guy need only connect to it on port 25, just like any other system would that is trying to send an email to one of your clients. IPS/IDS systems won’t alert on this, since to them it looks just like any other mail server trying to send mail, and unless you review every single log item, you probably won’t notice a connection that doesn’t actually send an email.
If, however, your SMTP does not reveal its version, all the bad guy knows is that he connected to your mail server. He is going to have to work a lot harder to identify your server, and that may be enough to trip an IDS/IPS alarm. Or, he may simply move on to easier pickings. Either way, make him work for it…don’t just give up all the information in your banner. Intrigued? Read on to learn how to change the SMTP banner on several popular mail server platforms.
How to choose a password according to Microsoft
Written by John P Mello Jr on July 30, 2010 – 3:24 pm
Passwords are a necessary evil for system security, but they need not be as evil as some organizations require them to be. Even “trivial” passwords can be secure, if their system-wide use is policed.
That’s the conclusion a pair of Microsoft researchers and a Harvard computer science professor reached in a paper expected to be presented at the Hot Topics in Security workshop to be held in Washington, D.C. next month. The trio–Stuart Schechter, Cormac Herley and Prof. Michael Mitzenmacher–maintain that users can be allowed to adopt simple passwords as long as too many of them aren’t allowed to adopt the same password.
“We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want–so long as it’s not already too popular with other users,” they write in Popularity Is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks.
One reason organizations impose password creation rules is to protect their users from brute force “dictionary” attacks. If a password can be found in a dictionary, then sooner or later a hacker will crack it. Passwords made up of non-words can foil such attacks. Passwords made up of hellacious combinations of upper- and lowercase letters, numbers and symbols are better yet. The problem for users, though, is that, for most of them, the most secure passwords are the hardest to remember.
Rather than modify user behavior–which is to damn security and choose as simple a password as possible–security pros often deploy a “three strikes and you’re out” lockout system to foil password horde attacks by hackers. With that system, if a password is entered incorrectly three times, the person attempting to log in to the account is locked out of it for a brief period of time. Crackers, who are great students of human behavior, quickly figured out a workaround to lockout schemes. The workaround has to do with how users choose passwords.
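The policy the paper describes, accept any password unless too many other accounts already use it, is easy to demonstrate. The following is an added example, not code from the paper or from Microsoft: a popularity oracle built on a count-min sketch, which is my choice of data structure here. It never stores the passwords themselves, only hashed counters, and because a count-min lookup can over-estimate but never under-estimate, the oracle may occasionally turn away a rare password on a hash collision but never lets a popular one slip past the threshold. The threshold, width and depth values are assumptions for the example.

```python
import hashlib
from typing import List


class PopularityOracle:
    """Counts how many accounts share each password without storing the
    passwords, and refuses a password once it is 'too popular'.

    The counts live in a count-min sketch: `depth` rows of `width` counters.
    A lookup returns the minimum of the row counters, which can over-estimate
    on collisions but never under-estimate.
    """

    def __init__(self, threshold: int, width: int = 1 << 16, depth: int = 4):
        self.threshold = threshold   # assumed policy: reject at this many users
        self.width = width
        self.depth = depth
        self.table: List[List[int]] = [[0] * width for _ in range(depth)]

    def _slots(self, password: str) -> List[int]:
        # One slot per row, derived from a row-salted digest, so the sketch
        # holds counters only and the password text is never written anywhere.
        slots = []
        for row in range(self.depth):
            digest = hashlib.sha256(f"{row}:{password}".encode("utf-8")).digest()
            slots.append(int.from_bytes(digest[:8], "big") % self.width)
        return slots

    def estimate(self, password: str) -> int:
        """Upper bound on the number of accounts currently using `password`."""
        return min(self.table[row][slot] for row, slot in enumerate(self._slots(password)))

    def try_register(self, password: str) -> bool:
        """Admit `password` for a new account unless it has reached the
        popularity threshold; returns True when the password was accepted."""
        if self.estimate(password) >= self.threshold:
            return False
        for row, slot in enumerate(self._slots(password)):
            self.table[row][slot] += 1
        return True


if __name__ == "__main__":
    oracle = PopularityOracle(threshold=3)
    # Constructed sample: three accounts pick the same weak password, the
    # fourth is turned away, while an unusual password is still accepted.
    for _ in range(4):
        print("password123 ->", oracle.try_register("password123"))
    print("correct horse battery staple ->",
          oracle.try_register("correct horse battery staple"))
```

In a real deployment the threshold would be expressed as a fraction of the user base rather than a fixed count, and the sketch would be shared across all registration front ends so that the count reflects the whole system, which is the point of the "system-wide use is policed" remark above.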
Email Server Security: Port Scans and MX Records
Written by Paul Cunningham on July 15, 2010 – 4:59 pm
I recently wrote an article that dismissed the use of fake MX records as an email security measure, on the basis that it did more harm than good for preventing spam.
I was reminded this week of an incident in which a customer was confused as to how spam was making it into their email systems. Actually this has happened on more than one occasion with the same ultimate outcome.
The confusion mostly comes from the client thinking that because there were no MX records in public DNS zones that pointed to their email servers that the spammers and hackers shouldn’t be able to find them.
The fatal flaw in that thinking is that spammers and hackers don’t just use MX records to find places to send email or attack mail servers. When they really want to find email servers, say to try and locate some open relays that they can exploit, they will use port scans instead.
A “port” in networking terminology is a communications end point that is specific to a process or service running on a computer. In the case of SMTP, the protocol that email uses, the port is TCP 25.
In other words, if you’re running an email server on your network then chances are your firewall has TCP port 25 open and allowing traffic through from the internet to your server. In many cases the traffic might be filtered first by an intermediary server, but with a lot of environments running their email security software directly on the email server itself, often the SMTP traffic goes straight to that server.
In my customer’s case they had multiple servers in the environment, with a security product running on the internet-facing email server. When they had merged companies they had ended up with multiple internet connections and firewalls, and kept those running. They consolidated all of their email to the primary site, removing the MX records that were pointing to the second firewall and then promptly forgot all about it.
6 Causes of Email Downtime
Written by Mike Rede on June 29, 2010 – 3:34 pm
Every company attempts to minimize server downtime as any outages mean loss of productivity, potential loss of data and more importantly loss of revenue.
It has been estimated that forty-two percent of businesses had experienced database corruption in the year 2007. The risk of database corruption is cause for great concern in the data center, particularly for email administrators who are responsible for protection of email content and for providing near continuous availability of email communications.
Without email communications companies can experience the same loss of productivity, loss of data and loss of revenue that is associated with database server downtime. Near continuous operation of email servers and communications is a necessity in order to maintain any company’s reputation with their customers and also as a competitive edge in their respective marketplace.
15 Email AntiVirus Features and Considerations
Written by Mike Rede on June 1, 2010 – 3:23 pm
Every company needs to protect their data from corruption. By now most every company uses multiple layers of security to prevent viruses from entering their network, but as your company grows from small to medium to large then so do your needs for improved service levels. And antivirus software must be capable of supporting your company’s changing environment. Administrators cannot allow their company’s private data to be put at risk of compromise because of limited product functionality.
Here then are several features to expect when considering a new antivirus package.
- The ability to scan both inbound and outbound email messages should be a feature that is part of your evaluation checkbox list. Most administrators think of only protecting their customers – either all employees or a subset of various company departments – from viruses coming into their company. But administrators should also be looking to protect all email messages that are sent to the outside world. Just as everyone does not want to receive emails which contain viruses it is also just as important to not be the one responsible for inadvertently sending viruses to the outside world. Customers are much less likely to do business with another company if they don’t believe that the company who is selling them either products or services can be trusted to send out email messages that do not contain viruses.
- Multiple antivirus scanning levels should always be a component of any good antivirus software package. Does the antivirus package support single, double and triple level virus scanning levels?
- Updates should be at regular and frequent intervals. A choice of five minute, ten minute and fifteen minute intervals can support fine granularities of protection from viruses. Manual or automatic updates should be user selectable and easy to change.
- Measurable scanning times and visual checks on virus scans in progress can be a great help when the time comes to plan your antivirus checks.
- File, folder or entire system level scanning should also be a user selectable option. But consider entire system level scanning reserved only for system administrators.
Four characteristics of a good whitelist
Written by John P Mello Jr on May 27, 2010 – 3:47 pm
Since spam has reared its ugly head on the Internet, its antagonists have waged an uphill struggle to block its arrival in inboxes. That battle, though, has remained largely reactive. White Hats expend enormous amounts of energy to extinguish the latest fire set by spammers so that good mail can make it to its destination unsinged. Much of that energy could be saved, however, if spam fighters focused their efforts on what’s good in the email stream instead of what’s bad. They can do that with whitelists.
In its simplest form, a whitelist is a set of email addresses that have been verified as belonging to entities from whom you want to receive email. It’s by no means a panacea. Spammers have been known to spoof email addresses that may well be on a whitelist. Nevertheless, with estimates of the amount of spam on the Internet in the 80 to 95 percent range, concentrating on the five to 20 percent of “good” mail seems, on the face of it, an easier task than taking up arms against a horde of bad mail.
What are some of the things you should look for when adding whitelists to your anti-spam arsenal?
- You’ll want the whitelist to augment itself automatically. You already have enough things to do without adding vetting email addresses for a whitelist to your to-do list.
When evaluating a solution that automatically creates whitelists, you’ll want to carefully review how it verifies its content. To do that, it will need to vet both the source and sender of email messages.
Some common source tests are sender system and familiarity tests. Sender system tests examine servers sending email to see if they behave as email servers. That is, they can both send and receive email. Familiarity tests review messages to see if their senders have sent “good” messages to your organization in the past.
Some common address tests include checking outbound mail to the source of a message, comparing addresses from sources to existing contact lists on your system and requiring a source to authenticate their address through a confirmation request.
Of course, no matter how efficient an automated solution may be, you’ll still want the power to manually alter the whitelist to correct any glitches in the system.
- You’ll want your whitelist solution to be dynamic. Source and address tests need to be constantly and quickly applied to your email stream. It’s the only way to minimize “false positives” created by the list and to ensure the best experience for your users.
- You’ll want a system that makes it easy for good guys to join. Any system that makes senders jump through hoops to authenticate their identity won’t buy you any good will from them, from your users or from your organization. If your system has a challenge-response component, you’ll want to keep the challenge message simple and the response simpler.
- You’ll want to make it hard for the bad guys to join the club. Actually, that’s easier than you might think. That’s due to the nature of the spam beast. For example, simple challenge-response measures can be very effective in weeding out bad guys. Why? It requires spammers to give up their anonymity. When you’re doing something illegal, anonymity isn’t something you want to part with very readily. It also adds to their workload. They don’t want to be dealing with individual messages. They’re interested in mass mailings–even though the cumulative effect of those individual messages may be harmful to their mass mail strategy. What’s more, spamming is mostly a one-way street. Spam servers know how to dish out the dirt, but they’re a dead end for incoming email.
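The source and address tests described in the first point above (sender system test, familiarity test, outbound-mail, contact-list and confirmation checks), together with the manual override the author asks for, can be combined into a single auditable decision. What follows is an added example written for this article, not code from any product the article mentions; the `MailHistory` record, the sample addresses and hosts, and the combination policy (at least one address test plus the sender-system test, unless a manual entry decides first) are all my assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class MailHistory:
    """What the mail system already knows about senders; all fields are
    constructed for this example and would normally come from mail logs,
    the address book and the outbound queue."""
    contacts: Set[str] = field(default_factory=set)              # address-book entries
    outbound_recipients: Set[str] = field(default_factory=set)   # addresses we have mailed
    prior_good_senders: Set[str] = field(default_factory=set)    # sent clean mail before
    confirmed_senders: Set[str] = field(default_factory=set)     # answered a confirmation
    hosts_accepting_mail: Set[str] = field(default_factory=set)  # sending hosts that also accept SMTP
    manual_allow: Set[str] = field(default_factory=set)          # operator overrides
    manual_block: Set[str] = field(default_factory=set)


def evaluate_sender(sender: str, sending_host: str, history: MailHistory) -> Tuple[bool, List[str]]:
    """Decide whether `sender`, seen connecting from `sending_host`, is whitelisted.

    Assumed policy: a manual block or allow entry decides outright; otherwise
    the sender must pass at least one address test (confirmation, prior
    outbound mail, contact list or familiarity) AND the sending host must
    pass the sender-system test. The reasons list records which tests fired
    so an operator can audit and correct a decision.
    """
    sender = sender.strip().lower()
    sending_host = sending_host.strip().lower()
    reasons: List[str] = []

    if sender in history.manual_block:
        return False, ["manual block entry"]
    if sender in history.manual_allow:
        return True, ["manual allow entry"]

    # Address tests: is this a sender we already have a relationship with?
    if sender in history.confirmed_senders:
        reasons.append("address: confirmation request answered")
    if sender in history.outbound_recipients:
        reasons.append("address: we have sent mail to this address")
    if sender in history.contacts:
        reasons.append("address: present in contact list")
    # Familiarity test: has this sender delivered good mail before?
    if sender in history.prior_good_senders:
        reasons.append("familiarity: earlier messages were clean")
    address_ok = bool(reasons)

    # Sender system test: a real mail server both sends and receives mail;
    # a spam cannon that only pushes mail out fails this check.
    system_ok = sending_host in history.hosts_accepting_mail
    reasons.append("system: host accepts inbound SMTP" if system_ok
                   else "system: host never seen accepting mail")

    return address_ok and system_ok, reasons


def record_clean_delivery(history: MailHistory, sender: str) -> None:
    """Self-augmenting step: once a message was delivered and not reported as
    spam, remember its sender so the familiarity test passes next time."""
    history.prior_good_senders.add(sender.strip().lower())


if __name__ == "__main__":
    # Constructed history and sample connections (documentation addresses only).
    history = MailHistory(
        contacts={"alice@partner.example"},
        outbound_recipients={"bob@customer.example"},
        hosts_accepting_mail={"mail.partner.example", "mx.customer.example"},
    )
    samples = [
        ("Alice@Partner.example", "mail.partner.example"),  # known contact, real mail host
        ("bob@customer.example", "203.0.113.9"),            # known address, one-way host
        ("promo@bulk.example", "203.0.113.9"),              # unknown sender, one-way host
    ]
    for addr, host in samples:
        ok, why = evaluate_sender(addr, host, history)
        print(f"{addr:24} {'ALLOW' if ok else 'HOLD '}  {'; '.join(why)}")
```

The second sample is the case the article's spoofing caveat is about: the address alone is on the list, but the connecting host has never accepted mail, so the message is held rather than passed straight through. A whitelist hit is best treated as one input alongside whatever sender authentication the mail server already performs, not as a bypass of it.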
Whitelists can be an effective tool for fighting spam in an organization and freeing up resources that get sucked up by more reactive weapons used to combat Internet scat. Just how effective? A study by three Stanford University professors revealed that whitelists can be very effective. They reported that “we find that almost no spam makes it to users’ inboxes, and less than one percent of legitimate email is mis-classified.”
“It is interesting to note that this is achievable on a simple prototype system with significantly less engineering effort than is devoted to creation of spam filters,” they added. “But this shouldn’t be surprising: like a buddy-list in IM, a whitelist tries to precisely identify the people we communicate with, or who we allow to send us email. Unless we make a mistake, we will not allow a spammer to send us email.”
“We should expect a well-engineered whitelisting email service to behave almost perfectly,” they asserted.
Employee Email Privacy Considerations
Written by Mike Rede on May 24, 2010 – 3:58 pm
In John P. Mello Jr.’s blog post, “Peeking into employee’s email can be no-no”, John details a recent New Jersey court case involving the rights of a company to view the contents of an employee’s non-business related emails on the laptop issued to the employee after the employee had left the company.
In the court case, the trial court refused to require the employer, Loving Care, to return the emails to the employee’s attorneys. A judicial panel had upheld a lower court’s ruling that it was allowable for the company to access the employee’s email communications between the employee and her attorney.
Later, however, an appellate court reversed the lower court’s decision and held that the employee had not waived their attorney-client privilege.
As it turns out, the laws regarding email privacy vary not only at state level but also at the federal level. For example, if one of the employees in your company sends an email from their state to someone else in another state, the question could come up: which state’s email privacy laws supersede the other state’s? As it happens, what might be considered legal to read in one state might, in another state, be considered illegal and unjustified to read.
According to the State of California Online Privacy Protection Act (OPPA) of 2003, companies which operate commercial websites must disclose their privacy policy with regard to what data they might collect and share with other organizations. That data could theoretically include the contents of email messages that pass through their servers.
Microsoft releases stealth patches for Exchange
Written by John P Mello Jr on May 14, 2010 – 4:03 pm
Microsoft released some security patches last month without revealing them to the public. Some of the fixes affected software in mission critical Exchange mail servers.
The patches were hidden in one of Microsoft’s periodic updates issued April 13, namely “Microsoft Security Bulletin MS10-024 – Important: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832).”
“This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Exchange and Windows SMTP Service,” Microsoft said in the security bulletin’s executive summary.
“The more severe of these vulnerabilities could allow denial of service if an attacker sent a specially crafted DNS response to a computer running the SMTP service,” it continued. “By default, the SMTP component is not installed on Windows Server 2003, Windows Server 2003 x64 Edition, or Windows XP Professional x64 Edition.”
It added: “This security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003; 32-bit and x64-based editions of Windows Server 2008; Windows Server 2008 R2 for x64-based Systems; and Microsoft Exchange Server 2003. This security update is rated Moderate for Microsoft Exchange Server 2000.”
4 Tools for Email Compression
Written by Mike Rede on May 7, 2010 – 4:00 pm
There are many facets to email management. Some of those facets include: email archiving, email server administration, networking and configurations. And these are just a few of the tasks related to email management.
Responsibility for email administration most obviously lies with the system administrator. If email is not delivered or delivery is sporadic then the email administrator will be sure to hear about it. And it is because of those administrative tasks and responsibilities that the concept of email delivery speed is often a lower priority item on an administrator’s “To Do” list especially when considered against the background of the many fire drills that administrators must deal with each day.
Fortunately, email delivery can be sped up by implementing many features, tools and techniques that are also improving each year. One of those techniques is email compression.
File compression has been around for many years and the technologies associated with it have evolved greatly over that time. They are used in many applications and have understandably found their way into email server software as a necessity. Sometimes the size of emails has been a factor in their deliverability status. At the very least, large email attachments can often be the cause of longer delivery times. And when customer satisfaction is an all-time concern for many companies in today’s economy, those companies who are providing goods and services cannot afford any customer dissatisfaction, especially when there are tools out there to help improve the speed of email delivery.
Here, then, is a list of some of the email compression technologies as they exist today.
- WinZip Email Companion is an application which will allow your end users to reduce the size of their email attachments; reduce their time spent creating email messages and confidently send email attachments protected by password based AES (Advanced Encryption Standard) encryption. Reducing the size of their email attachments will allow their emails to be sent faster and decrease the amount of time needed to download emails. Another benefit to compressed email attachments is the reduction of disk space required to store those attachments in the users’ email folders. Another benefit of the email compression software is that emails will also load faster when creating them since the attachments are not as large. WinZip Email Companion works with Microsoft Office and various other email applications. To learn more about WinZip Email Companion go to the following site: http://www.winzip.com/prodpageec.htm/.
- Zapmail is another application that is used for reducing the time it takes to deliver emails. Many companies support intelligent cell phones which give users the ability to download, upload and read their email while outside of their stationary office locations. Zapmail works with all satellite phones including Iridium, Globalstar, Thuraya and Inmarsat as well as Vodafone cellular phones. More information about Zapmail can be found at: http://www.zap-email.com/.
- Alpha ZIP is another email compression tool which makes it very easy to compress email attachments. As it is integrated into the Windows environment, users will be familiar with its ability to easily compress email files in an intuitive manner. It has an easy to use dialog box that can be initiated by simply right clicking on a selected file, choosing Alpha Zip and then clicking on a start button to begin the compression. Your email client will start up and the compressed attachment will show up as part of the ready to go email message. Make your edits and then click to send. It’s as easy as that. You can try out Alpha ZIP from the following location: http://www.alphazip.com/compress-email.htm/.
- bxAutoZip is an add-in for Outlook that can automatically and independently compress any e-mail attachment. Using bxAutoZip is as simple as clicking on a new button which shows up in your Outlook email message window. Clicking the button will automatically compress and attach your file to an email message. Email size reductions can be up to ninety percent of the original email without compression. bxAutoZip has an additional self-extracting option which gives recipients the ability to simply click on a .exe file which will then auto-extract the compressed file for the user. This option creates and sends the self-extracting files to recipients. Go to the following site for more information about bxAutoZip: http://www.baxbex.com/bxautozip.html/.
There are many other compression utilities out there on the market that can be used for and integrated with email clients. Those file compression applications include: WinRAR, ALZip, BitZipper, Stuffit, WinAce and more.
More than third of network devices running known vulnerabilities
Written by John P Mello Jr on April 29, 2010 – 4:49 pm
More than a third of all network devices attached to business nets are carrying at least one known security vulnerability, according to an annual report released by a global IT infrastructure company.
Dimension Data, headquartered in Johannesburg, South Africa, in its Network Barometer Report 2010 revealed that an analysis of data gathered from 235 organizations around the world showed that 38 percent of networking devices had vulnerabilities that had been publicly disclosed but remained unaddressed by their businesses.
The data was obtained electronically through technology lifecycle management assessments performed by Dimension Data. The assessment technology discovers installed assets on a network, identifies their lifecycle status and determines their maintenance coverage.
The 38 percent vulnerability figure is significantly lower than the 73 percent found in last year’s report, but because the methodology in the 2010 report was altered from the 2009 one, the results aren’t entirely comparable.