Friday, October 12, 2007

5 steps for E-mail Security Assurance. Step 4: PROTECTING YOUR IDENTITY

There are two major email pitfalls that every IT manager needs to be aware of—bounce handling and outbound commercial mail.

Bounce handling refers to how a mail gateway responds to incoming mail that has an invalid address. There are two modes of response—conversational bounces and delayed bounces. A conversational bounce occurs during the SMTP conversation. This means that before the receiving mail server has acknowledged receipt, it checks a directory (such as Microsoft Active Directory) to make sure the address is valid. If the address is valid the receiving mail server responds with “OK I have it”; if the address is not valid the receiving mail server says “Sorry I can’t accept it”. The advantage of this approach is that the bounce is delivered directly to the sending mail server over the same connection, or “conversation”, that the message arrived on, so the bounce message cannot be redirected or spoofed.

The disadvantage is that it effectively exposes the corporate directory to anyone. Spammers will routinely launch “dictionary attacks” where they guess at likely email addresses to see what gets through (e.g. bob@acme.com, charly@acme.com, etc.). Since a valid/invalid message is delivered in the conversation, in a matter of minutes a spammer can have a full list of valid email addresses at a corporation, which in turn can be sold on the internet for $50 or so, resulting in huge volumes of spam.

To protect their directories, most companies have chosen to issue delayed bounces. With a delayed bounce, the receiving mail server accepts all incoming mail. Then it checks for valid addresses. If the address is invalid, it will generate a separate email message back to the sender with a notification of why the message couldn’t be delivered.

This separate email coming back is much harder for a spammer to use to automatically harvest a corporate directory, thus delayed bounces protect the corporate directory.

Since spammers send mail at large volumes, they don’t want millions of delayed bounces coming back to them. So they will typically forge the return address of their spam. This is the root of the “misdirected bounce” problem.

One common spammer tactic is to use the address of a known spam trap as the return address. Thus when the legitimate corporate mail server proceeds to respond to a spam with a delayed bounce message, that bounce message is sent to a spam trap operated by a blacklist—and the corporation finds itself blacklisted for being a spammer. This is a very common problem, and a huge source of frustration for the IT department. It can be very difficult to get “un-blacklisted” since many blacklists are run by volunteers and don’t provide customer service. The other danger with misdirected bounces is that they can be used to create distributed denial of service attacks. If a spammer sends out one million messages with a return address of postmaster@acme.com, acme.com is likely to get 750,000 delayed bounce messages from 750,000 different mail servers on the Internet. These misdirected bounce attacks have caused multi-day mail outages at major banks and ISPs, but also at small and medium businesses that did nothing to instigate it.

IronPort appliances have a unique solution to this problem. IronPort has a “secure bounce” mode where it will issue a conversational bounce to a trusted sender, but not issue a bounce at all to a suspicious sender. It keeps track of the number of invalid address attempts from a given sender. When the sender exceeds the threshold, the IronPort appliance knows it is a directory harvest attack and continues to accept messages, but does not issue a response at all—fooling the attacker and protecting the directory. The number of invalid attempts allowed is tied to the reputation of the sender. A reputable sender like a Fortune 500 company is allowed many invalid address attempts; an unknown or disreputable sender is allowed only a few invalid address attempts. This advanced technology operates totally autonomously to make the headache of bounce handling just “go away”, without exposing the corporate directory.
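To make the conversational-versus-secure-bounce trade-off concrete, here is an added toy model of the RCPT TO policy described above. It is illustrative code written for this post, not IronPort’s implementation; the mailbox directory, the sender IP addresses, the reputation tiers and the per-tier thresholds are all constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for the corporate directory (e.g. an Active Directory lookup).
VALID_MAILBOXES = {"alice@acme.example", "bob@acme.example", "postmaster@acme.example"}

# Assumed thresholds: invalid-recipient attempts a sender may make before the
# gateway stops revealing whether an address exists. Better reputation, more slack.
HARVEST_THRESHOLDS = {"good": 50, "neutral": 5, "poor": 1}


@dataclass
class SecureBouncePolicy:
    reputation: dict                      # sender IP -> "good" | "neutral" | "poor"
    invalid_attempts: defaultdict = field(default_factory=lambda: defaultdict(int))

    def tier(self, sender_ip: str) -> str:
        return self.reputation.get(sender_ip, "neutral")

    def rcpt_to(self, sender_ip: str, recipient: str) -> tuple[int, str]:
        """SMTP reply for a RCPT TO command.
        Valid mailboxes always get 250. Unknown mailboxes get a conversational
        550 only while the sender is under its reputation-based threshold; past
        it, the gateway accepts (250) and silently discards, so the sender can
        no longer tell valid from invalid and never receives a delayed bounce."""
        if recipient in VALID_MAILBOXES:
            return 250, "OK"
        self.invalid_attempts[sender_ip] += 1
        if self.invalid_attempts[sender_ip] <= HARVEST_THRESHOLDS[self.tier(sender_ip)]:
            return 550, "No such user"
        return 250, "OK"  # suspected directory harvest: accept, drop, say nothing

    def suspected_harvester(self, sender_ip: str) -> bool:
        return self.invalid_attempts[sender_ip] > HARVEST_THRESHOLDS[self.tier(sender_ip)]


def count_leaked_invalid_replies(policy: SecureBouncePolicy, sender_ip: str, guesses: list) -> int:
    """Defender's measure of exposure: how many guessed addresses a sender could
    confirm as non-existent from 550 replies under this policy."""
    return sum(1 for g in guesses if policy.rcpt_to(sender_ip, g)[0] == 550)
```

Running the same ten bad guesses from a “poor” and a “good” sender shows the asymmetry: the poor sender learns about one address before the gateway goes quiet, while the trusted sender keeps getting honest conversational bounces.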

The other email pitfall facing most IT teams is the handling of commercial email. Most companies have some type of commercial email—newsletters, transaction confirmations, investor updates, etc. These emails are typically produced by a database and sent out automatically. When machines generate and send mail, mistakes can sometimes happen. A new operator might hit the send button 10 times, thinking it wasn’t working. Or the marketing department might get a great new list of names they downloaded for $50 (see previous section on directory attacks). Either way, the receiving mail servers might view this incoming mail as spam—and begin dropping all mail from the corporate sender.

An excellent practice is to separate machine generated commercial mail from employee mail. With traditional equipment, this requires installing and maintaining two mail gateways, an unacceptable cost for many companies.

But the IronPort appliances have a unique capability called Ironport Virtual Gateways™ which can segment different classes of mail and put them on different outbound IP addresses. So employee generated mail goes on one IP address, machine generated mail on another, and delayed bounces (if used) can be put on a third IP address. Think of this as powerful segmentation that will limit damage to only one IP address and not allow an accident to impact the reliable delivery of vital employee generated mail.
