
The growing importance of security in messaging and email services

May 2, 2013

Messaging service providers have many different security issues to watch for, and a multitude of security threats to protect against. While the list of security challenges continues to grow, there are a select number of really critical issues -- let's call them our “Top 3” -- that are center-stage for messaging leaders.

Ensure validity of incoming mail
Solving the issue of detecting and preventing spam while allowing all valid email messages through is a key focus for any large-scale email system. Because the spam detection and prevention issue is huge, it's no surprise that there are many products and services available to combat this problem. Having served the messaging industry for decades, I learned long ago that when unwanted traffic is out of control, it greatly hampers the function of core messaging services, including email and voicemail, and makes these features unattractive and much less useful, both for the carrier and end users.

Choose the right approach to block unwanted traffic
The Messaging Anti-Abuse Working Group (MAAWG) reports that approximately 90 percent of email is identified as abusive and blocked, which means that for the end user the email service is usable. There are varying approaches used for reducing unwanted traffic. A typical three-pronged approach includes blocklists that limit the IP addresses allowed to send email to a system, good filtering software that automatically checks the content of the messages for viruses and tries to identify spam messages, and a set of specific additional rules and functions implemented to try to catch unwanted traffic the intended recipient does not want.

The complexity of modern messaging and the types of messages sent mean systems are pushed to their limits at times. It's a battle between the email service managers using the anti-abuse systems and the spammers. We also need to remember that, all the while, the mail system is trying to deliver valid and wanted email service to the users. It's a constant balancing act.

The adoption and growth of IPv6 is changing the landscape and rules. Blocklists are not going to work as well going forward. Discussions are in progress as to how to use reputation and white lists as well as other systems in this new massive IP address space world. As part of this, the number of potential source systems for email (both valid and invalid) is escalating. The risk of getting spammed by your household appliances, such as your fridge, may not be that far away!

Just stopping spam is not enough
While spam avoidance is important from a security perspective, it is not enough for email providers. Access to mailboxes is critical. If the user's mailbox is compromised (whether they know it or not), problems can escalate for both the user and the provider. A compromised email account can affect the operator's reputation and can even circumvent the systems put in place to thwart the spam messages. Having a platform that protects against brute force attacks while enforcing good password security is obvious, but there are limits to what can be done in this area. In many cases, due to the type of service offered by email providers, compromised accounts can create other “child” accounts. Even when a mailbox owner is not directly impacted by a compromised account, this can become a big problem, creating what we call “bad guys” local to the system.

Secure web page tools such as simple captchas and security questions have helped reduce the vulnerability, but users generally have bad password discipline. No security system is perfect either, and tools like captcha can be, and have been, broken by attackers. Proactive reporting and management systems are required to ensure that operators know what is happening on the system, and to help track what unusual patterns and logins occur.
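The kind of login reporting described above can be sketched as a short script. This is an added example, not code from the original article: the log format, thresholds, account names and addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; format, users and IPs are assumptions for this example.
SAMPLE_LOG = """\
2013-05-02T09:00:00 user=bob ip=192.0.2.10 result=FAIL
2013-05-02T09:00:30 user=bob ip=192.0.2.10 result=OK
2013-05-02T10:00:00 user=alice ip=198.51.100.7 result=FAIL
2013-05-02T10:00:10 user=alice ip=198.51.100.7 result=FAIL
2013-05-02T10:00:20 user=alice ip=198.51.100.7 result=FAIL
2013-05-02T10:00:30 user=alice ip=198.51.100.7 result=FAIL
2013-05-02T10:00:40 user=alice ip=198.51.100.7 result=FAIL
2013-05-02T10:01:00 user=alice ip=198.51.100.7 result=OK
2013-05-02T10:10:00 user=carol ip=203.0.113.9 result=FAIL
2013-05-02T10:10:05 user=dave ip=203.0.113.9 result=FAIL
2013-05-02T10:10:10 user=erin ip=203.0.113.9 result=FAIL
"""
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5    # failures on one account inside WINDOW
SPRAY_THRESHOLD = 3   # distinct accounts failed by one source inside WINDOW

def parse(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), rec["user"], rec["ip"], rec["result"]

def analyze(log_text):
    """Return sorted (alert, subject) pairs for a time-ordered login log."""
    fails_by_user = defaultdict(deque)  # user -> timestamps of recent failures
    fails_by_ip = defaultdict(deque)    # ip -> (timestamp, user) of recent failures
    alerts = set()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, user, ip, result = parse(line)
        uq, iq = fails_by_user[user], fails_by_ip[ip]
        while uq and ts - uq[0] > WINDOW:      # expire failures outside the window
            uq.popleft()
        while iq and ts - iq[0][0] > WINDOW:
            iq.popleft()
        if result == "FAIL":
            uq.append(ts)
            iq.append((ts, user))
            if len(uq) >= FAIL_THRESHOLD:
                alerts.add(("brute_force", user))
            if len({u for _, u in iq}) >= SPRAY_THRESHOLD:
                alerts.add(("password_spray", ip))
        elif len(uq) >= FAIL_THRESHOLD:
            # Success straight after a failure burst: account may be compromised.
            alerts.add(("success_after_failures", user))
    return sorted(alerts)
```

The `success_after_failures` alert is the one to route to account-recovery handling, since it marks a mailbox that may already be under someone else's control rather than an attempt that was stopped.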

A hidden problem in this area is the issue of what to do if a compromised user/account (either PC or mail account) is identified. Telling users about the problem and getting them to resolve it generates a whole different set of challenges. If handled well, it can turn a customer into a strong advocate for the operator's service. If done badly, it's likely a user will move their email service and possibly all their business elsewhere.

In many cases, the sheer nature of email and other messaging protocols means that it's hard to stop such attacks, but good reporting and filters can often track and limit a carrier's exposure. In short, mail platform security is complex and needs to be treated with care and respect. While there is no single answer to the problems that exist, there are certainly areas to pay close attention to, and these three are a good place to start.
