Further resources for this month’s NoticeBored module on email security
This page last updated on Wednesday, September 03, 2008
The following Web resources proved useful in our research for this month’s NoticeBored awareness module on
email security. Do let us know if your favorite resources are not yet listed here, and keep up with relevant entries on the NoticeBored blog.

General email security resources
SecurityDocs has a collection of email policy examples.
Wikipedia explains S/MIME and PGP and has links to more technical sources and other standards.
In SP 800-45 Guidelines on Electronic Mail Security NIST offers 139 pages of free advice on the secure
installation, configuration and maintenance of email servers and clients, from operating systems to administration and use.
A 3-lesson Email Security School [access requires free registration] consists of webcast presentations by an
email security guru, technical papers and quizzes to check your comprehension.
Hushmail offers simple-to-use encrypted email for individuals and (small) corporations, including webmail and POP/IMAP access for Outlook etc. Secure Webmail offers SSL access with anti-spam and antivirus functions
included. At around $40 for a year’s subscription, services like these won’t break the bank and yet avoid the complications of setting up in-house encrypted email services.
CERT’s easy-to-swallow cyber security tips on email security cover email clients, blind carbon copy, attachments, chain letters, hoaxes and urban legends and spam.
GFI MailSecurity is an email content checking, exploit detection, threats analysis and antivirus solution that
incorporates multiple detection engines/methods.
Everyone seems to have their own idea of what email disclaimers should say. Typically they use curious
pseudo-legal mumbo jumbo wording that has little if any force in law. A huge number of largely meaningless
statements are in use worldwide (... “If you are not the intended recipient, this message should be destroyed without reading”...).
Find out how to back-trace the origins of an email using information in the mail header ... but be aware that
pretty much anything in an ordinary (i.e. not cryptographically signed) email may be forged or manipulated en route to your inbox.
Sender Permitted From (SPF) is perhaps the most widely used email authentication standard, vying for the
top slot with Microsoft’s Sender ID. Neither has yet gained sufficient acceptance to become a de facto
standard, and since they address slightly different problems, they may coexist for a while yet.
Spam
Please note: SPAM is not spam.
If I had an inch for every penis enlargement spam ... :-)
Slamming Spam: A Guide for System Administrators by Robert Haskins and
Dale Nielson (~US$32 from Amazon) provides how-to guidance for IT pros on selecting and configuring anti-spam controls for a good selection of email systems including Domino, Exchange, Outlook and more.
Spam wars - our last, best chance to defeat spammers, scammers and hackers by Danny Goodman (~$12 from Amazon) starts with a gentle
introduction to the history of email scams, then moves on to discuss the strengths and weaknesses of a range of anti-spam and similar techniques. Gets good reviews from trusted reviewers.
Why am I getting all this spam? reports on the Center for Democracy and
Technology’s fascinating research project into how spammers found valid email addresses in 2003. Although a little technical at times, the report provides practical advice on how to reduce the problem.
eWeek’s spam page carries dozens of articles on spam including pieces on CAN-SPAM and product reviews of spam filtering software.
The Register reports “Each active copy of the [HotLan] Trojan attempts to set up a webmail account,
sending off the captcha image in an encrypted form to a spammer-controlled website. Servers behind this site process the image and extract the solution to the captcha challenge, which is then posted in the
appropriate field. Once a webmail account is established, encrypted spam emails are sent from a website onto infected machines. The HotLan Trojan then decrypts these junk emails and sends them to (presumably
valid) addresses taken from yet another website.” The Register’s spam page has all the spam news you can eat, and then some.
The US CAN-SPAM Act bans false/misleading email headers and deceptive subjects, and requires that email
distributions contain an opt-out method. It also requires that commercial emails be identified as advertisements and include the sender's valid physical postal address. Unfortunately, CAN-SPAM has
patently failed to stem the spam tsunami.
According to the New York Times, 11% of the 650 million computers on-line contain botnet code, 250,00
new systems get botted every day and 80% of all spam originates from botnets.
Support Intelligence monitors the Internet for spam, botnets etc. Many big-name companies are named and
shamed, in other words spammers have evidently infiltrated major corporate networks, setting up botnets that spew forth spam through the corporate email systems.
Anti-spam email systems that use “challenge-response” to confirm that human beings, not spam-bots, have
sent emails that arrive unexpectedly in your inbox may seem at first glance like a good idea but they are blamed for creating even more spam. One unfortunate victim whose email address was used by a
spammer to forge the sender field received over 25,000 ‘backscatter’ messages including a good number of
automated challenges.
Abuse is an open source program to respond automatically to spam messages, automatically composing
responses to go to the abuse addresses listed for the IPs of the sending machines. As the senders are commonly compromised zombie PCs, informing the owners and getting the machines cleaned up helps fight
the avalanche of spam.
If you use Spamassassin, visit uribl.com for a blacklist built around the ‘click here to buy’ links in spam
messages. These links are, allegedly, a more reliable guide to spammers than the ‘to’ and ‘from’ address
fields which (as we know to our cost) are all too easily spoofed: we are emphatically NOT responsible for
spams that appear to have been sent from IsecT.com email addresses. We don’t spam. We really hate spam.
If you experience problems with abusers of Google’s Gmail service, report them through the Gmail security center. Report abuse of Hotmail, Yahoo and a zillion other email services to their respective abuse@domain
addresses with the full email headers but be quick: it’s hardly worth reporting 419s, phish or spams more
than a few minutes after they arrive since a zillion other well-meaning complainants will have already notified them, and most have their own early-warning abuse detection processes. Report spam to SpamCop, Spamhaus, SURBL and/or Abuse.net (the latter has a lot of helpful information about spam).
The Coalition Against Unsolicited Commercial Email (CAUCE) is a worthy body of volunteers trying to curb the spam problem by applying pressure to governments.
The OECD reports that parts of the developing world (such as Nigeria) are being overwhelmed with spam. [Given the volume of 419 advance fee frauds still originating from those same parts of the world, some
might call this poetic justice ... but spam is an indiscriminate problem that does not just affect fraudsters].
Fed up with websites that ask you to register before they will impart useful information? Worried about being spammed as a result? Check out Mailinator for one solution: instant email addresses you just make
up on-the-fly, then visit once to collect your information and never again.
Jeremy Jaynes was the first person in the US to get a prison term (9 years) for spamming.
Information Security News (ISN), an excellent source of topical news articles and new resources for this links
collection, has a number of mirror/archive sites. These are regularly updated by automated data feeds. The Security Focus ISN archive, however, evidently has a problem with spam, republishing messages that some
might find offensive. Site owners Symantec have been informed several times since 2004 but (as of August 2007
at least) seem to be unable to resolve the problem. [This seems particularly ironic, given that Symantec supplies Norton Antispam and similar tools ...]
Sophos releases quarterly lists of the top 12 countries relaying spam. USA, the global pinnacle of the
marketing art, typically wins the [fools-]gold medal.
Spam and other obnoxious marketing techniques, such as adware and spyware, are addressed by cexx.org
Hackers broke into an Employment Development Department server containing personal information of 90,000 nannies, butlers, gardeners and their employers. The hackers gained access to names, Social Security
numbers and wage records. Investigators think the hackers broke into the server to use it to send spam,
not to collect information for identity theft ... although how they reached this conclusion is not mentioned by USA Today.
Other email security stuff
‘Typosquatters’ are not just a threat for website visitors who accidentally mis-type your organization’s
URL: they also tap into emails accidentally sent to mis-typed addresses.
If you find yourself lost for words when writing an email to management, try this.
Telecom New Zealand’s disastrous launch of a new email service cost the company at least NZ$7m,
according to press releases and media reports.
Be careful how you configure your email software. A cautionary tale concerns the misconfiguration of
Microsoft Small Business Server systems which led to emails being rebroadcast to numerous recipients, eventually causing a rather embarrassing service outage. Way back in 1996, the RISKS newsgroup reported a story about a deputy prosecutor who set his email to auto-reply before leaving the office for a
few days. Unfortunately, he set it to autoreply to all 2,000 subscribers on the email system and request
confirmation of all messages ... within hours, the system was awash with 150,000 emails including the autoreply/forwards and confirmations. Modern email systems prevent this kind of thing, or at least some do,
but human error has an amazing knack of bypassing technical controls.
Acceptable Use Policies (AUPs) typically explain to employees what the organization considers to be acceptable vs. unacceptable use of the corporate IT systems. Auckland University’s AUP for email is a good example.
The US Department of Justice fact sheet on Operation Global Con noted the arrest of hundreds of fraudsters
involved in running 419, lottery and investment scams through Internet email. Some 565 people were arrested in five countries, indicating the cooperation of international law enforcement bodies to tackle these
so-called borderless crimes.
“Sending a confidential office document unencrypted and without proper permissions to your workgroup is
like attaching a $100 bill with a paper clip to a postcard and passing it around your office. Will it come back to you with the money still attached?” Read the rest in Triangle Tech Journal.
If you slander someone by email, it is treated in law as libel since email is a written form of communication. Libel is legally defined by several criteria. Read this FAQ for more information and ** CONSULT A QUALIFIED LEGAL EXPERT **
for the definitive, if somewhat more expensive, answer. This is not legal advice. I am not a lawyer. I don’t even own a three piece suit.
Related NoticeBored links collections
Laws and regulations, incident management, social engineering, privacy & data protection, IT fraud, network security, mobile computing & teleworking and, last but not least, malware
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.