How to change your SMTP banner for fun and profit

Written by Ed Fisher on August 27, 2010 – 3:00 pm -

The most common question I have received as a result of this post on mail server misconfigurations is “how do I change my SMTP banner?” This article will tell you how to do so on several common mail server platforms. But first, let’s discuss why you want to.

Bad guys frequently use banner grabbing techniques as a part of the initial recon. It is a fairly innocuous activity that takes advantage of expected behaviours. To determine the type and version of mail server you are using, a bad guy need only connect to it on port 25, just like any other system would that is trying to send an email to one of your clients. IPS/IDS systems won’t alert on this, since to them it looks just like any other mail server trying to send mail, and unless you review every single log item, you probably won’t notice a connection that doesn’t actually send an email.

If, however, your SMTP does not reveal its version, all the bad guy knows is that he connected to your mail server. He is going to have to work a lot harder to identify your server, and that may be enough to trip an IDS/IPS alarm. Or, he may simply move on to easier pickings. Either way, make him work for it…don’t just give up all the information in your banner. Intrigued? Read on to learn how to change the SMTP banner on several popular mail server platforms.

Continue reading How to change your SMTP banner for fun and profit

Subscribe to my RSS feed

Email Server Security: Port Scans and MX Records

Written by Paul Cunningham on July 15, 2010 – 4:59 pm -

I recently wrote an article that dismissed the use of fake MX records as an email security measure, on the basis that it did more harm than good for preventing spam.

I was reminded this week of an incident in which a customer was confused as to how spam was making it into their email systems.  Actually this has happened on more than one occasion with the same ultimate outcome.

The confusion mostly comes from the client thinking that because there were no MX records in public DNS zones that pointed to their email servers that the spammers and hackers shouldn’t be able to find them.

The fatal flaw in that thinking is that spammers and hackers don’t just use MX records to find places to send email or attack mail servers.  When they really want to find email servers, say to try and locate some open relays that they can exploit, they will use port scans instead.

A “port” in networking terminology is a communications end point that is specific to a process or service running on a computer. In the case of SMTP, the protocol that email uses, the port is TCP 25.

In other words, if you’re running an email server on your network then chances are your firewall has TCP port 25 open and is allowing traffic through from the internet to your server. In many cases the traffic might be filtered first by an intermediary server, but with a lot of environments running their email security software directly on the email server itself, often the SMTP traffic goes straight to that server.

In my customer’s case they had multiple servers in the environment, with a security product running on the internet-facing email server. When they had merged companies they had ended up with multiple internet connections and firewalls, and kept those running. They consolidated all of their email to the primary site, removing the MX records that were pointing to the second firewall and then promptly forgot all about it.

Continue reading Email Server Security: Port Scans and MX Records

Employee Email Privacy Considerations

Written by Mike Rede on May 24, 2010 – 3:58 pm -

In John P. Mello Jr.’s blog post, “Peeking into employee’s email can be no-no”, John details a recent New Jersey court case involving the rights of a company to view the contents of an employee’s non-business related emails on the laptop issued to the employee after the employee had left the company.

In the court case, the trial court refused to require the employer, Loving Care, to return the emails to the employee’s attorneys. A judicial panel had upheld a lower court’s ruling that it was allowable for the company to access the employee’s email communications between the employee and her attorney.

Later, however, an appellate court reversed the lower court’s decision and held that the employee had not waived their attorney-client privilege.

As it turns out, the laws regarding email privacy vary not only at the state level but also at the federal level. For example, if one of the employees in your company sends an email from their state to someone else in another state the question could come up – which state’s email privacy laws supersede the other state’s email privacy law? As it happens, what might be considered legal to read in one state might, in another state, be considered illegal and unjustified to read.

According to the State of California Online Privacy Protection Act (OPPA) of 2003, companies which operate commercial websites must disclose their privacy policy with regard to what data they might collect and share with other organizations. That data could theoretically include the contents of email messages that pass through their servers.

Continue reading Employee Email Privacy Considerations


More than a third of network devices running known vulnerabilities

Written by John P Mello Jr on April 29, 2010 – 4:49 pm -

More than a third of all network devices attached to business nets are carrying at least one known security vulnerability, according to an annual report released by a global IT infrastructure company.

Dimension Data, headquartered in Johannesburg, South Africa, in its Network Barometer Report 2010 revealed that an analysis of data gathered from 235 organizations around the world showed that 38 percent of networking devices had vulnerabilities that had been publicly disclosed but remained unaddressed by their businesses.

The data was obtained electronically through technology lifecycle management assessments performed by Dimension Data. The assessment technology discovers installed assets on a network, identifies their lifecycle status and determines their maintenance coverage.

The 38 percent vulnerability number is significantly lower than the 73 percent found in last year’s report, but because the methodology in the 2010 report was altered from the 2009 one, results aren’t entirely compatible.

Continue reading More than a third of network devices running known vulnerabilities

4 Reasons for Email Security

Written by Mike Rede on April 12, 2010 – 4:40 pm -

Every company thrives on communications; conference calls, corporate web sites, forums, internal communities and most obviously, electronic mails. But with all communications there comes the risk of eavesdropping, stolen ideas and the exposure of private communications into the public domain.

And in all corporations there are numerous devices which function as email transport points in the communications chain. These email communication points can include workstations, servers, handheld devices, smart phones, iPads, etc. With all the communication points in the chain there are many openings for email hijacking to occur. All of these devices send and receive thousands of emails a day, and so there are many opportunities for false and misleading emails to be received by any end user in your organization.

But it is not only the end users in an organization who are susceptible to false emails; so is the company’s email server hardware. Viruses can infect the servers, trojan horses can get embedded in the operating systems which run the email servers, and malware can attack the various components of your servers.

There are many security issues that administrators need to protect against. Some of those issues include:

  1. Denial of Service (DoS) – In this attack, an attacker is able to prohibit end users from accessing their servers and applications. Applications such as email will appear to be hung as end users attempt to send and receive email messages but are sometimes even unable to log into their application.
  2. Continue reading 4 Reasons for Email Security


What to look for in an email encryption solution

Written by John P Mello Jr on March 30, 2010 – 3:08 pm -

Encryption is an important component of an email system, so choosing an encryption solution should be done carefully. What should be considered when evaluating an encryption protection scheme for an organization’s email system? Here are some suggestions to keep in mind.

One important consideration is whether or not a solution uses open standards. Since email is based on an open standard, there are advantages to basing any protection placed on top of it on open standards, too.

One advantage is that open standards assure that data can be recovered in the future. If your vendor uses open standards, then you don’t have to worry about accessing your data should you decide to move to another provider in the future or should your vendor go belly up during the next recession.

Another consideration when choosing an encryption solution is mobility. Mobility is important because email must be accessible to a variety of devices from anywhere. Wherever an organization’s workers travel, they’ll want to check their messages and an email encryption solution needs to accommodate that without creating any hassles.

A solid encryption solution should be able to use a mobile device’s native email application. You don’t want to force your workers to learn another interface for their mobile device or leave an email program they’ve become accustomed to in order to work with encrypted messages. Making things harder for users is a sure-fire way to invite them to look for ways to circumvent the system. Those ways are almost always insecure and make your organization vulnerable to a raft of unsavory cyber types.

Continue reading What to look for in an email encryption solution


6 Best Ways to Stop Spamming

Written by Mike Rede on March 29, 2010 – 3:51 pm -

If you haven’t received an email from someone asking you to buy their latest and greatest digital device or some other product that promises to help you lose weight and look younger in twenty-four hours, then consider yourself not part of the world population.

We’ve all received these emails either through our email mailboxes or via text messages on our cell phones. And in case you haven’t heard of it, it’s called spamming.

Spamming involves massive distributions of email messages to recipients that number in the thousands to tens of thousands. All the spammers need is for one percent to five percent of the recipient pool to open their spam messages to get their message out there. That one percent to five percent can translate into 20 to 50 persons for a small sampling of 2,000 recipients to upwards of 200 to 1,000 people on the high end sampling of 20,000 recipients. And it doesn’t cost the spammers anything more than the keystrokes needed to send out their burst of emails and the costs associated with the harvesting of email addresses which is another subject altogether.

So how can an administrator protect their enterprise from being the subject of these email spamming campaigns?

Continue reading 6 Best Ways to Stop Spamming


7 tips when choosing a security appliance

Written by John P Mello Jr on March 17, 2010 – 9:22 am -

Appliances take email security beyond spam filtering.

Email security isn’t what it used to be. The days are gone when an effective set of spam filters alone could provide sufficient armor against email-borne threats to an organization’s data and operations. Black hats have gotten smarter, and their attacks have gained in sophistication, making traditional defenses inadequate to furnish email systems with the protection they need. Further complicating the task for email security schemes is the swiftness with which new variants of threats are created and spread through cyberspace. Meanwhile, as the threats to email systems grow, those systems have become increasingly important for the viability of many businesses. That’s why organizations are turning to email security appliances to boost protection levels for their systems. Here are some things to mull over when adding an appliance to your security setup.

Continue reading 7 tips when choosing a security appliance

Gmail and encryption

Written by Dan Blacharski on January 25, 2010 – 5:18 pm -

Gmail has always had an encryption option, but until this week, it has been turned off by default. Now IT people, who tend to be a bit paranoid (but in a good way), would have gone through the trouble to switch on the SSL encryption option, but most ordinary users would simply not be aware that it exists. And for that matter, all those paranoid IT people probably wouldn’t have even used Gmail to begin with.

Google announced last week that it would start encrypting all Gmail traffic. In a blog post, Google noted that they initially rolled out the option to always use https back in 2008. This allows email to be encrypted on the path between the user’s web browser and Google servers. However, when Google first enabled the option, it was off by default. Now, SSL will be used by default, with users gaining the option of selecting “Don’t always use https” from the Settings menu. Some may choose to not enable the extra security option for performance reasons, but in reality, the performance hit will be minor, especially for broadband users—and well worth the extra couple of milliseconds. The login page will still remain encrypted. Using encrypted email can stop several types of attacks, such as man-in-the-middle attacks where an attacker may be snooping email in a public WiFi spot. Using encryption also prevents attacks such as DNS poisoning attacks where a domain name record is hijacked and redirected.

Google decided to make the upgrade just hours after they revealed information about having been victimized by specialized attacks, including certain attacks on Chinese human rights activists’ accounts. Users are cautioned however, not to get lulled into a false sense of security, thinking that turning on Gmail’s encryption option is going to prevent all potential attacks—because it certainly won’t. The same anti-virus, anti-spam and anti-malware software installations should continue in full force, regardless of any added encryption.

With Google making the switch, the next big question is whether the other main free email services like Hotmail or Yahoo! Mail will follow suit; my guess is that they will.


Security and the cloud

Written by Dan Blacharski on January 4, 2010 – 11:20 am -

The increasing popularity of in-the-cloud email delivery and email security solutions, and the wealth of innovations available, raises the discussion of whether email administrators should consider cloud-based solutions. While the free, Web-based email remains out of the question for corporate use, some other cloud solutions that offer more robustness and security may be appropriate for some users.

Security is always imposed in cloud-based systems to one degree or another, but a major limitation is that many cloud providers still implement their own proprietary security approaches. While such an approach may well impose good security, this has still limited the uptake of cloud-based models. A more appropriate approach to cloud-based security would be the adoption of a common security model, made available through the cloud platform-as-a-service.

As outlined in “Cloud computing made easy,” co-authored by yours truly, a cloud platform (as opposed to cloud “software as a service” applications) imposes common software elements, which are used by developers to write cloud applications without having to re-invent the wheel for every aspect of each application. The use of a cloud platform is particularly useful for imposing rigorous security, in that it presents a standard security model for managing things like authentication and authorization, role-based access, secure storage, multi-tenancy, and privacy policies. Developers of common SaaS applications may not always be experts in security, but by using the common security model of a cloud platform, the developer is able to draw against the expertise of other developers who are.

Continue reading Security and the cloud