Email Security Best Practices for MSPs
Scott J. Barlow
V.P. Sales & Product Management
Reflexion Networks, Inc.
Overview of Presentation
• Spam
• The ubiquitous dilemma
• Some fundamental insights
• A fractionation solution
• Our spam proliferation project
– Methodology
– Findings
• Who else shares my email address?
• Email security best practices for MSPs
• Conclusion & questions
Spam
Spam…The Definition!
“Spam” is defined by the end-user; a partial definition may look similar to this:
The Chain Letter from Mom
Kidney Theft in New Orleans
Cookie Recipe from Neiman Marcus for $200
500 ways to drive your roommates crazy.
A favourable price-to-quality ratio for you (Russian-language subject line)
I need Viagra, Hoodia, Valium
If your CC: list is longer than the actual message content.
Spam Tactics (‘04-’05)
1. Endless means to bypass spam filters
– Hashbusters (e.g. s^pam instead of spam; F'REE instead of FREE)
– Beacon URLs
• Embedding recipients’ email addresses in hyperlinks or ‘web bugs’ or images
• Validates email addresses during DHA
– Social Engineering -- “Personalized” messages & provocative subject lines
– Encoded Messages with special decipher instructions
read downwards ;)
C-V-V-V-X-S
O-I-I-A-A-O
D-C-A-L-N-M
E-O-G-I-A-A
I-D-R-U-X
N-I-A-M
E-N
N
– International languages/double-byte characters
– 100% image-based content
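Added example, not from the slides and not Reflexion's code: a small Python check for the beacon-URL tactic listed above. It collects link, image and background URLs from an HTML message and flags any that carry the recipient's own address, whether plain, percent-encoded, or as an md5/sha1 hex digest. The recipient alias, the sample HTML body and the example.com hostnames are constructed for this example; keying beacons by md5/sha1 is an assumption about common practice, not something the slides state.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical recipient alias and a constructed HTML body built for this example.
RECIPIENT = "scott.amazon@reflexion.net"
SAMPLE_HTML = f"""<html><body>
<p>Today's offer: <a href="http://www.example.com/offer?id=42">click here</a></p>
<img src="http://t.example.com/open.gif?u=scott.amazon%40reflexion.net" width="1" height="1">
<a href="http://www.example.com/u/{hashlib.md5(RECIPIENT.encode()).hexdigest()}">unsubscribe</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute (links, images, backgrounds)."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "background") and value:
                self.urls.append(value)


def recipient_fingerprints(recipient):
    """Forms in which a recipient address typically shows up inside a beacon URL:
    the address itself and its hex digests (md5/sha1 assumed as the common choices)."""
    addr = recipient.strip().lower().encode()
    fingerprints = {addr.decode()}
    for algo in ("md5", "sha1"):
        fingerprints.add(hashlib.new(algo, addr).hexdigest())
    return fingerprints


def find_beacon_urls(html, recipient):
    """Return the URLs in `html` that embed the recipient's address or its digest.
    URLs are percent-decoded and lower-cased before comparison, so %40 matches @."""
    collector = LinkCollector()
    collector.feed(html)
    fingerprints = recipient_fingerprints(recipient)
    hits = []
    for url in collector.urls:
        decoded = unquote(url).lower()
        if any(fp in decoded for fp in fingerprints):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_beacon_urls(SAMPLE_HTML, RECIPIENT):
        print("beacon:", url)
```

A hit means that rendering the message, or loading its images, would confirm the address as live, which is the DHA validation step the slide describes; treat it as a spam-score signal and keep remote-image loading off by default. Matching only the full address and its digests, rather than the local part, avoids the false positives a short local part such as "scott" would produce in ordinary URLs.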
Spam Tactics (‘04-’05)
2. Bogus to/from addresses
– Spoofing
– Unknown “reply to:” address
3. Relay tricks
– Transfer of mail via:
• Use of zombie desktops and open relay servers
• “Direct-to-MX” software
– Offshore ISPs
4. “Creative” misspelling & bogus text (white text on white background)
V-i-@-g-r-a is still Viagra!
Viagra went from Viagra to V1agra! to:
V I @ G R A , V--1.@--G.R.a, \./iagra, Viiagra, Vìagrä, V--i--a--g--r—a, V!agra,
V1agra, VI.A.G.R.A, vi@gra, vIagr.a, via-gra, Via.gra, Vriagra, Viag*ra, vi-
agra, Vi-ag.ra, v-iagra, Viagr-a, V^I^A^G^G^A, V'i'a'g'r'a', V*I*A,G,R.A,
VI.A.G.R.A..., Viag\ra!, Vj@GRA, V-i:ag:ra, V'i'a'g'r'a, V/i;a:g:r:a, V i a g r @,
V+i\a\g\r\a, Viag[ra, Víagra, V;I;A*G-R-A, V-i-a-g-r-a, V*I*A*G*R*A , V-i-@-
g-r-a, VI@AGRA, , V\i\a.g.r.a, V1@GRA, v_r_i_a_g_r_a, V\i\a:g:r:a,
V^i^a^g^r^a, V-i-@-g-r-@, Viag(ra …
Bad HTML: Viagra
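Added example, not from the slides: a Python normaliser that undoes the hashbuster and creative-misspelling tricks shown above (separator characters, leet substitutions, accented glyphs, doubled letters) so that a watch term such as viagra can be matched against the listed variants. The LEET substitution map and the watch list are assumptions made for this example, drawn from the variants on the slide rather than from any complete table.

```python
import re
import unicodedata

# Assumed substitution map: characters spammers use in place of letters.
LEET = str.maketrans({"@": "a", "1": "i", "!": "i", "|": "i",
                      "0": "o", "$": "s", "3": "e", "5": "s"})

WATCH_TERMS = ["viagra", "valium", "free", "spam"]  # example watch list


def normalize(text):
    """Fold a subject or body fragment down to bare ASCII letters.

    1. NFKD-decompose and drop combining marks, so Vìagrä / Víagra become Viagra.
    2. Translate leet characters to letters *before* stripping punctuation,
       because the '@' in vi@gra is a letter, not a separator.
    3. Drop everything that is not a-z: the hashbuster separators - . ^ * , \\ / ; : _
       and any whitespace (V i a g r @).
    """
    folded = "".join(ch for ch in unicodedata.normalize("NFKD", text)
                     if not unicodedata.combining(ch))
    return re.sub(r"[^a-z]", "", folded.translate(LEET).lower())


def collapse_runs(text):
    """Squeeze repeated letters (Viiagra -> viagra, VI@AGRA -> viagra)."""
    return re.sub(r"(.)\1+", r"\1", text)


def matches_term(fragment, term):
    """True if the normalised fragment contains the term, with or without run collapsing."""
    norm = normalize(fragment)
    term_n = normalize(term)
    return term_n in norm or collapse_runs(term_n) in collapse_runs(norm)


def scan_subject(subject, terms=WATCH_TERMS):
    """Return the watch terms found anywhere in the subject line."""
    return [t for t in terms if matches_term(subject, t)]


if __name__ == "__main__":
    for sample in ["V--1.@--G.R.a", "Vìagrä", "V i a g r @", "VI@AGRA", "s^pam", "F'REE"]:
        print(f"{sample!r:18} -> {normalize(sample)!r:10} {scan_subject(sample)}")
```

Because the whole line is normalised, word boundaries disappear and innocent text such as "via gradual" also yields "viagra"; the function therefore belongs in a scoring pipeline as one feature, not as a standalone block rule. Variants that rely on glyph shape (\./iagra) or inserted letters (Vriagra) are outside what this pass recovers.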
Spam Tactics (‘07 & Beyond)
1. GIF Layering – One message, many images
2. Joe job -- A spam attack using a spoofed sender and aimed at tarnishing the reputation of the apparent sender.
3. OCR Duping – Geometric distortion by color, offset or blurring
4. Ransom Notes – GIF Layering through word splitting
5. Blowback (backscatter) -- A malignant email sent with a forged sender address that generates thousands of bounce messages to the innocent party – denial of service tactic.
6. Geometric Variance – Randomly generated speckling or pixel/word salad.
a) Speckling – Confetti-like distortion
b) Pixel Salad –
c) Word Salad -- defined. I can write about what is now happening in my world, as will be able to conduct daily work activities without leaving the away on the other side of the world. This was unfathomable years lives. A technology this pervasive must surely be adopted by the institutions.
Spam Tactics (‘07 & Beyond)
Spoetry or Spoems are poetic verses made primarily
from the subject lines of spam e-mail messages.
“Some have already disappeared. And you can watch the amazing video for the single "Dani California" at their site, myspace
page, or just about any other damn corner of the ol' Interweb. Tonight was live poker tourney night - our first one in a. Like
always the mind of Allen has put a brilliant twist on the basic concept of affiliate marketing. And this is potentially a very good
thing for you.”
White Text/White Background
Call Forward Phishing *
• Step 1: Email victim telling them to verify phone number
• Step 2: Provide the phone number:
*72 (555) 555-1234
• Step 3: Update bank account, SSN, etc.
• Step 4: Victim’s bank calls to question an unusual transaction; the phisher confirms the illegal transaction is legitimate.
* Reported by SecureWorks, 2007
FUNDAMENTAL INSIGHTS
Fundamental Insights
• Two email addresses are better than one
– “To – From” address pairs for lightweight sender identification
– Address-specific security states control access
– Assures delivery as well as prevents delivery
– Protects one’s primary address; facilitates wider use of email
• Protective Addresses improve traditional defenses
– Remove false-positives (legitimate senders being blocked!)
Addresses Provide Context
So that’s how they got my mailing address!
A SOLUTION BY FRACTIONIZATION
By a show of hands, how many people have 3 or more email addresses?
“Address-on-the-Fly”
1. To set the foundation for the next few slides, AOTF is a mechanism by which users can spontaneously disclose a unique alias to their primary address.
   Alias: scott.amazon@reflexion.net (primary address: scott@reflexion.net)
2. If I purchase a book at Amazon.com and they then send me a receipt, the to/from address pair will be logged in the database.
   To: scott.amazon@reflexion.net
   From: receipt@amazon.com
3. Reflexion checks the incoming “To-From” address pair; if Amazon shares my email address with Flowers.com, a Control Panel indicates that Amazon has shared my address and presents appropriate policy choices.
   To: scott.amazon@reflexion.net
   From: sales@flowers.com
4. I now have more granular control over who has access to my inbox, and rather than just a binary on/off proposition, I can apply a variety of security states to that alias.
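Added example, not Reflexion's code: a Python sketch of the Address-on-the-Fly flow just described. It logs the first To/From pair seen for a disclosed alias, flags a later message from a different sender as evidence that the alias was shared, and applies a per-alias security state to decide delivery. The state names (OPEN, PAIRED, BLOCKED), the verdict names and the class layout are assumptions made for this example; the addresses are the ones on the slide.

```python
from dataclasses import dataclass, field
from enum import Enum


class AliasState(Enum):
    """Per-alias security states (names assumed for this example)."""
    OPEN = "open"        # deliver from anyone, but report senders not yet paired
    PAIRED = "paired"    # deliver only from senders already logged for the alias
    BLOCKED = "blocked"  # alias retired; drop everything addressed to it


class Verdict(Enum):
    DELIVER = "deliver"
    DELIVER_FLAG_SHARED = "deliver+flag-shared"  # delivered with a 'who shared my address?' prompt
    REJECT_SENDER = "reject-sender"
    REJECT_ALIAS = "reject-alias"
    UNKNOWN_ALIAS = "unknown-alias"              # never disclosed: typical address-guessing probe


@dataclass
class AliasRecord:
    owner: str                                   # the protected primary address
    state: AliasState
    paired: set = field(default_factory=set)     # senders approved for this alias
    unpaired: set = field(default_factory=set)   # senders seen but not approved


class AliasGateway:
    def __init__(self):
        self.aliases = {}

    def disclose(self, alias, owner, state=AliasState.OPEN):
        """The user hands out a fresh alias (scott.amazon@...) for one relationship."""
        self.aliases[alias.lower()] = AliasRecord(owner.lower(), state)

    def set_state(self, alias, state):
        self.aliases[alias.lower()].state = state

    def approve_sender(self, alias, sender):
        """Control Panel choice: accept a sender the alias was shared with."""
        rec = self.aliases[alias.lower()]
        rec.unpaired.discard(sender.lower())
        rec.paired.add(sender.lower())

    def shared_with(self, alias):
        """Senders that used the alias without being paired: who it was shared with."""
        return sorted(self.aliases[alias.lower()].unpaired)

    def check(self, to_addr, from_addr):
        """Decide an inbound message from its To/From pair alone."""
        rec = self.aliases.get(to_addr.lower())
        if rec is None:
            return Verdict.UNKNOWN_ALIAS
        if rec.state is AliasState.BLOCKED:
            return Verdict.REJECT_ALIAS
        sender = from_addr.lower()
        if sender in rec.paired:
            return Verdict.DELIVER
        if not rec.paired:
            # The first sender to use a fresh alias becomes its pair (Amazon's receipt).
            rec.paired.add(sender)
            return Verdict.DELIVER
        # A second, different sender: the alias has been shared. Log it either way.
        rec.unpaired.add(sender)
        if rec.state is AliasState.PAIRED:
            return Verdict.REJECT_SENDER
        return Verdict.DELIVER_FLAG_SHARED


if __name__ == "__main__":
    gw = AliasGateway()
    alias = "scott.amazon@reflexion.net"
    gw.disclose(alias, "scott@reflexion.net")
    print(gw.check(alias, "receipt@amazon.com"))   # Verdict.DELIVER
    print(gw.check(alias, "sales@flowers.com"))    # Verdict.DELIVER_FLAG_SHARED
    print(gw.shared_with(alias))                   # ['sales@flowers.com']
```

The decision never inspects message content, which is the point of the "lightweight sender identification" bullet earlier: the To/From pair alone says whether a relationship is known. Switching an alias to PAIRED or BLOCKED cuts off a leaked alias without touching the primary address.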
SPAM PROLIFERATION PROJECT
Methodology
• Select 40 market segments
• When applicable, mask identity behind one of 40 profiles
• Disclose 748 unique email addresses through online forms
40 Market Segments
Adult/Pornographic
Bricks & Clicks
Business/Finance
Computers/Electronics/Technology
Cooking/Food/Entertaining
Diet/Fitness
eCommerce
Entertainment
Free Coupons/Gifts
Gambling
Government
Hollywood/Celebrities
Hate Groups/Hate Speech
Health/Wellness
Jobs/Careers
Kids
Large
Men
Multi-Newsletter Sign-Up
Medicine/Pharmaceuticals
News/Newspapers/Magazines
Non-Profit
Photography
Parenting
Pop-Up Ads
Relationships/Dating
Real Estate
Science/Nature
Small
Single Newsletter Sign-Up
Sexual Orientation
Sports
Senior Citizen/Retired
Teen
Travel
Women
Weapons
Young Adult
40 Identities
ID Code First Last Street Address City State Zip Phone Number Birthdate Income
1 James Stewart 65 Washington Street Omaha NE 68111 (402) 672-9752 12/13/54 $35,000
2 Sheila McJohn 18 Nordstrom Avenue Tampa FL 33611 (813) 542-3692 08/01/79 $100,000
3 Warren Singer 6 School Street Apt. 12B Waltham MA 02451 (781) 865-6795 03/30/69 $25,000
4 Jennifer Segal 3791 Erickson Way San Francisco CA 94114 (415) 831-1451 10/16/45 $150,000
5 Morris Shwartzman 100 Franklin Way Glen Rock NJ 07452 (201) 214-9494 05/05/40 $40,000
6 Sam Truman 159 Baker Street Brookline MA 02445 (617) 917-6195 11/24/80 $55,000
7 Sarah Gruman 149 Dudley Road Newton MA 02459 (617) 652-1542 09/08/72 $120,000
8 James Roberts III 89 Salaway Avenue San Antonio TX 78208 (210) 851-1581 04/26/68 $220,000
9 Sandra Rothman 60 Circle Way Chicago IL 60601 (312) 954-6545 02/02/82 $28,000
10 Jim Murphy 80 Bradford Street Bridgton ME 04009 (207) 497-8191 06/09/78 $30,000
11 Henry Sender 100 Perlin Avenue Seattle WA 98115 (206) 696-4523 12/08/69 $70,000
12 Neil McAlister 790 Imperial Street Las Vegas NV 89044 (702) 452-1592 07/07/77 $110,000
13 Craig Zuman 100 Santa Anna Way Cleveland OH 44101 (216) 388-3798 12/05/60 $270,000
14 Isabelle Wraling 90 Laughlin Road St. Petersburg FL 33707 (727) 309-3659 08/09/82 $11,000
15 Andrew Learner 120 Sapphire Street San Diego CA 92101 (619) 342-6542 09/02/72 $160,000
16 Amy Chan 404 Washington Street Portland OR 97202 (503) 721-1451 03/22/81 $45,000
17 Angel Stellar 401 Main Street Billings MT 59101 (406) 696-2456 05/05/75 $25,000
18 Becca Libman 602 Lexington Avenue Franklin MA 02038 (508) 851-1451 04/23/62 $67,000
19 Benjamin McMann 129 Republic Way Louisville KY 40202 (502) 412-8090 11/17/60 $400,000
20 Brett McLean 330 E. 38th Street New York NY 10001 (212) 242-6952 05/03/49 $210,000
21 Christopher Salem 415 Pushkin Boulevard Jersey City NJ 07307 (201) 918-8321 06/03/82 $41,000
22 Kristina Applegate 12 Bolivar Street Providence RI 02902 (401) 451-6514 02/06/86 $10,000
23 Dale Ernest 987 Mountain View Denver CO 80014 (303) 631-1121 03/07/50 $50,000
24 Dana Persman 110 Cedrick Circle Apt. 7 Chapel Hill NC 27515 (919) 619-5649 06/03/84 $25,000
25 Eric Sanderman 10 Apple View Orchard Charleston SC 29422 (843) 597-0975 09/23/70 $170,000
26 Emily Mahoney 1067 Rainer Drive Orlando FL 32802 (407) 657-7545 02/02/50 $320,000
27 Ian McDonald 110 E. 87th Street New York NY 10001 (212) 244-8951 07/13/67 $78,000
28 Kelly Vister 91 Element Avenue Houston TX 77007 (713) 697-8153 12/12/78 $32,000
29 Leslie Neilsen 312 Berklee Street Los Angeles CA 90002 (323) 541-1020 11/11/77 $89,000
30 Michael Osterman 583 Yellowstone Road Cheyenne WY 82006 (307) 297-8763 04/04/65 $90,000
31 Norman Samson 921 East Huron Avenue Ann Arbor MI 48104 (734) 759-8321 08/06/86 $14,000
32 Naomi Goldman 2312 East Bannister Road Kansas City KS 66110 (913) 891-1001 10/31/78 $36,000
33 Paula Cassidy 1069 Galvin Road Bellevue NE 68005 (402) 651-4904 05/02/72 $62,000
34 Rob Pembroke 2131 Pinnacle Terrace Way Salt Lake City UT 84104 (801) 310-0393 06/28/68 $100,000
35 Tina Brockton 1315 Eldorado Drive Apt. E Billings MT 59105 (406) 934-2010 05/04/81 $26,000
36 Thomas Napper 35 Glenhaven Drive Florissant MO 63031 (314) 449-0908 03/22/87 $10,000
37 Victor Lindt 2204 Lakeshore Dr Birmingham AL 35202 (205) 891-1616 06/17/74 $46,000
38 Yelena Akerman 2303 E. Indian School Road Phoenix AZ 85005 (602) 413-1293 09/18/47 $59,000
39 Zachary Merchant 3500 Indian School Road Albuquerque NM 87101 (505) 914-5545 07/17/52 $254,000
40 Stephanie Yerardi 55 Elm Street Hartford CT 06101 (860) 519-0847 08/03/43 $120,000
Results
Monthly Mail Volume
Market Segment | Category Code | User Account | Oct'06 | Nov'06 | Dec'06 | Jan'07 | Feb'07 | Mar'07 | Monthly Average | AOTF Disclosures | Mo. Volume/Disclosure
Adult/Pornographic ad ad@rfxcmd.com 82 86 103 119 111 124 104.2 7 14.9
Bricks & Clicks bc bc@rfxcmd.com 21 29 26 26 21 24 24.5 11 2.2
Business/Finance bf bf@rfxcmd.com 43 37 34 39 42 49 40.7 13 3.1
Computers/Electronics/Technology ty ty@rfxcmd.com 39 24 24 27 35 39 31.3 10 3.1
Cooking/Food/Entertaining ck ck@rfxcmd.com 13 12 10 11 8 8 10.3 10 1.0
Diet/Fitness df df@rfxcmd.com 7 9 6 9 7 10 8.0 9 0.9
eCommerce ec ec@rfxcmd.com 86 90 95 80 67 82 83.3 54 1.5
Entertainment et et@rfxcmd.com 66 64 77 78 79 76 73.3 24 3.1
Free Coupons/Gifts fp fr@rfxcmd.com 6,643 6,667 6,631 6,212 5,398 5,059 6,101.7 100 61.0
Gambling gb gb@rfxcmd.com 9 12 10 13 14 26 14.0 10 1.4
Government gv gv@rfxcmd.com 9 8 8 9 11 7 8.7 8 1.1
Hollywood/Celebrities hc hc@rfxcmd.com 33 34 35 46 43 35 37.7 7 5.4
Hate Groups/Hate Speech ht ht@rfxcmd.com 2 5 4 6 6 7 5.0 7 0.7
Health/Wellness hw hw@rfxcmd.com 83 67 53 60 59 68 65.0 19 3.4
Jobs/Careers jc jc@rfxcmd.com 15 16 13 14 14 14 14.3 5 2.9
Kids kd kd@rfxcmd.com 4 5 3 4 4 5 4.2 4 1.0
Large lg lg@rfxcmd.com 56 54 53 46 47 49 50.8 15 3.4
Men me me@rfxcmd.com 5 6 8 10 13 16 9.7 9 1.1
Multi-Newsletter Sign-Up mn mn@rfxcmd.com 3,340 3,436 3,016 3,165 2,746 2,921 3,104.0 77 40.3
Medicine/Pharmaceuticals mp mp@rfxcmd.com 9 7 6 3 3 6 5.7 11 0.5
News/Newspapers/Magazines nm nm@rfxcmd.com 149 139 130 145 145 156 144.0 25 5.8
Non-Profit np np@rfxcmd.com 10 9 9 11 8 12 9.8 8 1.2
Photography ph ph@rfxcmd.com 5 7 5 16 8 10 8.5 10 0.9
Parenting pt pt@rfxcmd.com 21 19 22 15 12 16 17.5 11 1.6
Pop-Up Ads pu pu@rfxcmd.com 10,456 10,245 10,275 9,499 8,642 8,157 9,545.7 12 795.5
Relationships/Dating rd rd@rfxcmd.com 5 4 8 7 5 6 5.8 9 0.6
Real Estate re re@rfxcmd.com 2 1 1 1 1 2 1.3 7 0.2
Religion rg rg@rfxcmd.com 154 173 176 156 142 161 160.3 7 22.9
Science/Nature sc sc@rfxcmd.com 45 50 48 43 48 61 49.2 10 4.9
Small sm sm@rfxcmd.com 9 6 5 10 6 6 7.0 6 1.2
Single Newsletter Sign-Up sn sn@rfxcmd.com 907 1,003 973 950 838 823 915.7 149 6.1
Sexual Orientation so so@rfxcmd.com 24 25 24 26 21 28 24.7 8 3.1
Sports sp sp@rfxcmd.com 42 36 35 26 18 25 30.3 10 3.0
Senior Citizen/Retired sr sr@rfxcmd.com 24 17 17 19 14 20 18.5 7 2.6
Teen tn tn@rfxcmd.com 11 13 11 10 13 16 12.3 9 1.4
Travel tr tr@rfxcmd.com 22 24 19 29 28 32 25.7 10 2.6
Women wm wm@rfxcmd.com 30 26 29 23 24 26 26.3 17 1.5
Weapons wp wp@rfxcmd.com 4 3 3 5 1 2 3.0 6 0.5
Young Adult ya ya@rfxcmd.com 8 13 16 10 8 14 11.5 17 0.7
…and the winner is:
• Pop-up advertisements:
– 12 disclosures
– Average: 9,545 spam messages/month
– Average 796/disclosure/month
• Why, you ask?
– Pop-ups from legitimate websites (e.g. Teen Spot, 123 Greetings) to:
• www.lowermybills.com
• www.winhundred.com
• www.illyusa.com
• www.memberpromotions.com
• www.metarewards.com
• www.americanresearchpanel.com
• www.yourgiftcards.com
• www.findtherightschool.com
• www.nextag.com
• www.thinphone4free.com
• www.classmates.com
• www.onlinerewardcenter.com
• www.findtherightschool.com
• www.join1.winhundred.com
Findings
• One mistake in disclosing your email may result in one spam/hour
• Your secret is safe in Adult/Pornography and Gambling establishments
• Online merchants typically abide by their Privacy policy
• Legitimate senders never knowingly share your email with spammers
• Spammers NEVER share your email address with legitimate senders
• Stay away from any and all pop-up ads or free coupons; you just might get ~800 spam/month because you couldn’t resist.
WHO ELSE SHARES YOUR EMAIL ADDRESS?
Template Monster
• One Disclosure: 8/2/2006 (scott.templatemonster)
• Total Volume of inbound mail: 4,151
• Timeframe: 9 months
• Spam/Day = 15.37 average
Who’s Your Daddy?
Domain Registration on GoDaddy.com
Joe.GoDaddy@Reflexion.net
[Chart: Cumulative Messages (0 to 1000) by Months (6, 12, 18, 24)]
Spam: 220 at 6 months, 440 at 12, 660 at 18, 887* at 24
Legits: 0 at 6 months, 0 at 12, 0 at 18, 1 at 24
* GoDaddy or someone that GoDaddy shared the email address with resulted in over 880 spam in 2 years.
PR Newswire
• Methodology: Launch a press release with a unique address
– Expect the first spam to arrive within 24 hours
– Based on 5 disclosures, the average spam/day:
Address | Date Created | Total Days | Ave/Month | Total as of 2/1/2007 | Average/Day
scott.pr1105 11/14/2005 469 83 1294 2.76
scott.pr0206 2/15/2006 376 2 29 0.08
scott.rtc4 5/23/2006 279 17 157 0.56
scott.sd 6/15/2006 256 38 328 1.28
scott.vr 11/15/2006 103 21 73 0.71
– Each press release address disclosure accounts for an average of 3.57 spam/day
EMAIL SECURITY BEST PRACTICES FOR MSPs
Best Practices for Email Security
Co-Administration
You need the ability to configure your clients independently, and deploy
them On-Demand. This will alleviate the need to build and maintain
your own infrastructure and have a 3-7 day waiting period for
deployment.
Best Practices for Email Security
Co-Branding
The customer is yours, keep them! Look for ways to enhance your
brand reputation through a co-branded solution that includes your
logo. This will help contribute to viral marketing and word of mouth
advertising.
Best Practices for Email Security
Wide Range of Blended Features
One size fits all works in the Enterprise, but the small to midsized
business requires multiple configuration options. Some options in
Managed Email Threat Protection may include whitelisting, content
filtering, disposable addresses, and challenge-response. This
breadth of capabilities will enable solution providers to respond to
any client's needs or preferences.
Best Practices for Email Security
Performance Management
SMB customers yearn for data, so ensure the solution has executive
reports on important email metrics, which you can use to
demonstrate vigilance and value to your clients.
Best Practices for Email Security
Added Protection Against Email Downtime
In the event of a local email server outage, the Managed Email Threat
Protection solution should automatically queue incoming mail for fast
delivery as soon as the server comes back online.
Best Practices for Email Security
Optional Granular User Control
Some resellers cringe…but spam is in the eye of the recipient. A
solution should enable the user to make intuitive decisions on access
to their inbox. Look for an in-message HTML Control Panel that a
user can interact with, but also provides the ability to turn that Control
Panel OFF for “those” users.
Best Practices for Email Security
Aliasing
Everyone recommends the use of more than one email address for
specific disclosures. Advanced capabilities that address tough
problems, such as false positives, exist particularly for bulk and
transactional mail.
Best Practices for Email Security
Integration into other MSP Platforms
Having centralized reporting, monitoring and accessibility will greatly
reduce the time required to manage multiple vendor solutions.
Spyware Stats
Total Spyware Removed: 3,660 -- Spyware are mini programs installed when you download a program; these track what you do!
Tracking Cookies: 3,594 -- Cookies that track where you surf the web.
Windows Registry: 66 -- Mostly from programs that cause slowness.
Computer Cleanup Stats
Internet Temp Files Cleaned: 1,348,657 -- Internet files removed.
Temporary Files Cleaned: 1,379,287 -- Internet Explorer temp files and other hidden folders that also need cleaning.
Mega Bytes Recovered: 33,706 Mb -- The total amount of space recovered from all computers attached to this system.
Spam Stats (powered by Reflexion)
Messages to Unknown Users: 34,099 -- Messages attempting to guess email addresses that do not exist within your company, i.e. name223@company.com.
Total Spam Messages: 34,521 -- Spam messages to legitimate email addresses that were blocked prior to entering your infrastructure.
Total Junk Mail Avoided: 68,620 -- The above 2 numbers added together, for a grand total of messages trying to get into your server.
Total Data Blocked: 1.097 GB -- On average, each message blocked is 16KB in size; therefore, this is the amount of data blocked outside of your infrastructure.
Total Money Saved: $1,035.63 -- Monthly cost-savings based on an average of $.03 per message to read, identify and delete.
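Added example, not from the slides and not the reporting product's code: a Python script that derives the Spam Stats figures above from a gateway log and flags connecting hosts that guess recipient addresses (the behaviour behind the "Messages to Unknown Users" count). The log line format, the IP addresses and the recipients are constructed for the example; the 16 KB per message and $0.03 per message are the slide's own constants, and the script reproduces how the slide applies them.

```python
import re
from collections import defaultdict

# Constructed gateway log for this example (not real traffic). One line per
# inbound message: timestamp, connecting IP, recipient, gateway verdict.
SAMPLE_LOG = """\
2007-03-01T08:00:01 192.0.2.50 rcpt=name223@company.com verdict=unknown-user
2007-03-01T08:00:02 192.0.2.50 rcpt=name224@company.com verdict=unknown-user
2007-03-01T08:00:02 192.0.2.50 rcpt=name225@company.com verdict=unknown-user
2007-03-01T08:00:03 192.0.2.50 rcpt=sales@company.com verdict=spam
2007-03-01T08:01:10 198.51.100.7 rcpt=jane@company.com verdict=spam
2007-03-01T08:02:44 203.0.113.9 rcpt=jane@company.com verdict=delivered
2007-03-01T08:03:00 198.51.100.7 rcpt=bob@company.com verdict=delivered
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) rcpt=(?P<rcpt>\S+) verdict=(?P<verdict>\S+)$")


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_counts(unknown_users, spam, kb_per_message=16, cost_per_message=0.03):
    """Derive the slide's report figures from the two raw counts.

    The slide converts KB to GB by dividing by 1,000,000 (68,620 x 16 KB gives
    1.09792, shown truncated as 1.097 GB) and applies the $0.03 to the spam
    count only (34,521 x 0.03 = $1,035.63), not to the junk total."""
    junk = unknown_users + spam
    return {
        "unknown_users": unknown_users,
        "spam": spam,
        "junk_total": junk,
        "data_blocked_gb": junk * kb_per_message / 1_000_000,
        "money_saved": round(spam * cost_per_message, 2),
    }


def summarize(events, **kwargs):
    unknown = sum(1 for e in events if e["verdict"] == "unknown-user")
    spam = sum(1 for e in events if e["verdict"] == "spam")
    return summarize_counts(unknown, spam, **kwargs)


def directory_harvest_sources(events, threshold=3):
    """IPs that probed at least `threshold` distinct non-existent recipients."""
    probes = defaultdict(set)
    for e in events:
        if e["verdict"] == "unknown-user":
            probes[e["ip"]].add(e["rcpt"].lower())
    return sorted(ip for ip, rcpts in probes.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(summarize(events))
    print("address-guessing sources:", directory_harvest_sources(events))
    print(summarize_counts(34099, 34521))  # the slide's own figures
```

The per-source unknown-recipient count is the useful detection output: a host that walks through name223, name224, name225 in two seconds is harvesting, and rate-limiting or rejecting it at connection time keeps the later spam out of both the gateway and the report.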
Managed Email Threat Protection
A Managed Service provides the ability to deliver important
advantages for your business and other improvements to
your customers’ email experience:
• Provides a predictable annuity revenue stream boosting the valuation of your
business (traditionally 6-10x LTM)
• Web-based configuration, administration and demonstration
• 7-day email continuity
• Conserves bandwidth formerly used to process spam and volume-based attacks
• No hardware or software to install, maintain or upgrade
• Private labeling/branding to reduce commoditization of a solution
Conclusion
• Spammers are becoming smarter and more targeted
• Address-level defenses complement traditional email security solutions
• Legitimate senders never knowingly share your address with
spammers
• Spammers will NEVER share your address with legitimate senders
• Two email addresses are better than one, three better than two, etc.
• Managed Email Threat Protection provides additional capabilities that
appliances do not afford
• Advise your customers against the enticement of pop-up ads, regardless of how good an offer seems to be
Thank you for your time!
QUESTIONS?
Scott J. Barlow
V.P. Sales & Product Management
Reflexion Networks, Inc.
(781) 569-6666
Scott.MSPA-Prezo@reflexion.net