The email protocol (SMTP) was designed at a time when very few people were using emails and everyone basically knew each other. So, security was not a concern, but today the world has changed and that trust isn’t there anymore, but the SMTP protocol we’re using remains the same.

So, how is today’s technology dealing with this problem?

If it comes to your Inbox it’s your problem

This is the approach taken by most of the ISPs and small companies who cannot afford the cost of extra security or simply think that it’s end users problem. So, you and I receive emails with viruses, spams and phishing traps. We’re on our own to decide what to do with them. This approach has proven to be the most ineffective (since most users aren’t aware of the security issues). It has damaged corporate images, caused loss in productivity, money and business. If the users need to fight email problems at this level, then getting a good email client or third-party softwares is the best option. Some of the end user solutions available in the market are:

Apple Mail – Mac users have one of the best email client, with pretty good built-in spam filter. It can learn for over a period of time and can be quite effective in identifying spams. It has additional options to identify spams, for example, if your ISP uses SpamAssassin, Brightmail or another spam-analysis tool, Mail leverages that analysis.

Thunderbird – It’s a cross platform email client form Mozilla, with a built-in junk mail filter. It also has a learning capability, as you keep marking messages as spam, over time thunderbird’s filtering improves. Thunderbird also has anti-phishing protection that will tell you if it thinks the message might be a scam to steal your passwords, personal information, credit cards, etc…

There are some desktop anti-spam softwares that can be installed as plugin to the email client:
Trend Micro Anti-Spam Pilot – Free plugin to Outlook provided by Trend Micro.
Comodo Anti-Spam Desktop 2005 – Free anti-spam for Windows PC, supports popular email clients.

If you’re using a Windows PC then I think it’s obvious that you need an anti-virus software too. Some popular anti-viruses are Norton, McAfee and Trend-Micro. If you’re looking for a free one then get AVG Anti-Virus Free.

Stop it before it reaches to users Inbox

This is also called a gateway solution, where the incoming/outgoing emails are routed via email filters before delivering to the users Inbox. This has proven to be the most effective solution available today, but it’s by no means a 100% solution. Some new viruses, spams and phising emails do manage to bypass the filter. Here are different types of gateway solutions available:

Spamassassin – Very popular free mail scanner software, which works with most of the widely deployed email servers like Sendmail, Postfix, Qmail and many more. It uses a wide variety of local and network tests to identify spam signatures.

Ironport, Barracuda, Sophos, Mcafee, Symantec and many others… – They all provide a single box gateway solution to fight virus and spam. These email security appliances are relatively easy to implement in the existing email environment. They run special softwares and signatures are updated constantly. All you need to do is perform a simple configuration and point the MX record to these appliances.

Messagelabs and Postini – These are hosted gateway solutions to solve the email problem. The selling point of such service has been “no initial hardware and software investment” from the customers. It works similar to the Security appliance scenario, you have to point your MX record to these providers SMTP servers, where the emails will be filtered and only good emails allowed to reach your mail server.

Most of the popular free webmail providers such as Gmail, Yahoo and Hotmail use gateway solutions that is tightly integrated with the user’s web interface.

Let’s patch the email system

This is indeed a very smart solution, which requires some minor addition/modifications in DNS and SMTP server, but the problem is the scale in which emails are deployed today. It’s proving almost impossible to ask all the email server and domain name owners to make such a small change. Here are some popular extensions proposed to fix the SMTP protocol.

Sender Policy Framework (SPF) – SPF is an extension to the SMTP protocol, which allows to identify and reject emails from forged addresses. This is how it works: ” 1) the domain owner publishes this information in an SPF record in the domain’s DNS zone, and when someone else’s mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain’s stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.”

Sender ID – This is Micorsoft’s protocol, and it was derived from SPF. “The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail is sent. Sender ID validates the origin of e-mail by verifying the IP address of the sender against the purported owner of the sending domain.”

DKIM (DomainKeys Identified Mail) – DKIM is a method for email authentication using signatures, this is an enhanced protocol based on Yahoo’s DomainKeys. The sender’s MTA signs and receiver’s MTA verifies. “DKIM uses DNS-based self-certified keys. Because the scope of DKIM is limited, it does not need generalized, powerful and long-term certificates, issued by separate authorities.”

CSA (Client SMTP Authorization) and CSV (Certified Server Validation) are some other solutions proposed to solve the email problem.

Forget about the existing email system and let’s design a new one

This is the approach taken by some experts, who think that email at it’s current state is broken and there’s no point trying to patch it. Even if you come up with a good patch it’s difficult to implement anyway. So, why not design a new email system from scratch, with the security in mind. This sounds very radical but some people did propose such ideas and demonstrated a working system:

Internet Mail 2000 – This is a project launched by D. J. Bernstein, the author of popular Qmail MTA. “IM2000 is a project to design a new Internet mail infrastructure around the following concept: Mail storage is the sender’s responsibility” . The sender’s ISP, rather than the receiver’s ISP, is the always-online post office from which the receiver picks up the message. Meng Wong’s RSS Email is the implementation of IM2000. Here’s the presentation at Google in July 2006 Turning Email Upside Down: RSS/Email and IM2000 (Google Video)

Can e-mail be saved? – An old article from 2004, but is interesting to see how six of the industry’s most provocative thinkers envision the future email.

Some popular techniques used in most of the solutions

blacklists and whitelists – a list of email addresses, domains and ip addresses to either exclusively allow or block emails. There’re some public blacklists that are used by SMTP servers and gateways to block potential spammers. Spamhaus and Sorbs are popular public blacklist providers.

Bayesian spam filtering and trainable systems – based on Bayes’s theorem, “probability that an email is spam, given that it has certain words in it, is equal to the probability of finding those certain words in spam email, times the probability that any email is spam, divided by the probability of finding those words in any email”. These type of systems can be trained on a per-user basis.

Heuristic filtering – Heuristic filtering uses various tests for spam and assigns a numerical score to each test. Each message is scanned for these patterns, and the applicable scores tallied up. If the total is above some fixed value, the message is identified as spam.

Reverse DNS lookup of the connecting IP, Content filtering, Signature-based filtering (such as Vipul’s Razor), Greylisting (temporarily reject messages from unknown sender mail servers) and enforcing RFC Standards are also used to identify spam email.

Conclusion

Latest anti-virus and anti-spam techniques are proving to be quite effective, but it’s not implemented in all the email servers. For the spammers only 1-in-100,000 success rate is enough to pay for their efforts. As these anti-spam techniques become more effective, criminals are finding new ways to attack, and they always seem to be one step ahead of the security professionals. The recent problem with the image spam boom and Messagelabs Intelligence Report shows that. I personally think that we need a new email protocol like IM2000 or RSS/Email but also understand, it’s very unlikely to happen anytime soon. If 96% of spam still cannot kill the current email protocol, I wonder what needs to happen to replace it…

This article originally appeared in SecurityTNT.com

1. Admit that e-mail is managing you. Let go of your need to check e-mail every ten minutes.
2. Commit to keeping your inbox empty.
3. Create files where you can put inbox material that needs to be acted on.
4. Make broad headings for your filing system so that you have to spend less time looking for filed material.
5. Deal immediately with any e-mail that can be handled in two minutes or less but create a file for mails that will take longer.
6. Set a target date to empty your in box. Don’t spend more than an hour at a time doing it.
7. Turn off automatic send/receive.
8. Establish regular times to review your e-mail.
9. Involve others in conquering your addiction.
10. Reduce the amount of e-mail you receive.
11. Save time by using only one subject per e-mail; delete extra comments from forwarded e-mail, and make the subject line detailed.
12. Celebrate taking a new approach to e-mail.

IT programmer Ray Tomlinson sent the first message in late 1971.

The test messages were entirely forgettable and I have, therefore, forgotten them. Most likely the first message was QUERTYIOP or something similar.

Josh Burt of The Sun is reminding us of the top 5 embarrassing emails of last 35 years.

And a list of very useful tips from IT Security; Hacking Email: 99 tips to make you more secure and productive. The article include Etiquette, Communicating & Effectiveness, Mobile Email, Productivity, Folders, Filtering, Email Attachments, Tricks, Hacks, Backup, Software specific tips, Privacy and Security.

Phishing is one of the most popular techniques used by criminals to fool the users (even quite experienced ones) in giving in their personal information.

Phishing – Fraudulent emails and pop-ups designed to fool you into revealing personal information, such as passwords, credit card details, and account numbers, for criminal gain.

Some of the latest phishing attacks in News:

Attackers use BBC Story to convince users to click on the link, then install keylogger to the users PC exploiting the latest IE Security hole.

Phishers set hidden traps on eBay, when you click on the listing, it’ll run a script that automatically takes you to a new page that requests login info.

This Australian news, How Phishing sites fools us talks about the study conducted by Harvard University and Berkeley Why Phishing works? (pdf). The study found that best phishing site was able to fool more than 90 percent of participants. The indicators that are designed to signal trustworthiness were not understood (or even noticed) by many participants.

How to protect yourself from phishing

1. Never reply to an email or pop-up messages that ask for personal or financial information. Don’t click on the links within the message.
2. Keep your OS and softwares up to date (specially if it’s Windows and IE)
3. Use anti-virus, personal firewall, anti-spyware and keep them up to date.
4. Don’t send your personal or financial information in an email.
5. Always review your credit card and bank account statements as soon as you receive them.
6. Take extra care while opening any attachment or downloading any files from emails.

This security hole affects all Linux and Unix versions of Sendmail 8 up to version 8.13.5. Microsoft Windows versions of Sendmail are not affected. Sendmail has released a new verion 8.13.6 to fix this problem and also patches for earlier versions are available at their FTP site.

If your server is running Sendmail, I highly recommend to patch it or upgrade it. It is the most popular MTA but unfortunately has a history of serious security problems. If possible I recommend to switch to other MTAs like Postfix, Exim or Qmail which are more modular in design and were built with security in mind. My personal favorite is Qmail and all of my SMTP servers are running it. I’d previously written a guide Email Server Installation Checklist which you might find helpful while installing a new server or switching from Sendmail to other softwares. If you want secure and out-of-the-box SMTP server then SME Server can be a good choice.

Installation

A fully functional 30 days evaluation version (iso image) can be downloaded from the Download Site (requires registration). You can burn the CD and installation takes less than 20 minutes. Following is the recommended hardware by Astaro:

• minimum Pentium II or compatible CPU
  256 MB RAM
  8 GB SCSI/IDE HD
  bootable CDROM SCSI/IDE
  3 PCI-NICs (Internet, Local Net, Demilitarized Zone) (for testing, 1 is enough)

Support, Documents, Downloads and other useful stuffs are available in MyAstaro portal. You can login with the registered email address and the password that was sent to you by Astaro. A searchable knowledgebase with useful infromation is also available (doesn’t require login).

Features Review

Firewall: Excellent, similar to other high end firewalls like Netscreen or Cisco PIX with both stateful packet inspection and application-level deep packet filtering. Supports multiple interface and HA, setting up DMZ is very easy. Other good firewall features are; transparent mode, traffic shaping, QoS and detailed reporting.

VPN: PPPT is easy to setup and didn’t encounter any problem. IPSec; both Road Warrier and Site to Site vpn work smoothly and do have rich and confusing choice of Encryption algorithms, Authentication methods and IPSec protoclols.

Intrusion Protection: Based on popular open source software Snort. It is a signature based system which detects most of the popular attacks. The bad point about this and actually any Intrusion Protection System is that they produce a lot of false positives.

Proxies: SMTP, HTTP, DNS, POP3, IDENT. Actively tested the SMTP and HTTP proxies only. I think both of them are quite good. SMTP proxy is capable of doing attachment filtering but one limitation I found is that, we cannot customize the concurrent smtp connection. It should be set to either 20 or unlimited.

Email/HTTP Anti-Virus: Anti-virus works together with proxy server. It is using Kaspersky anti-virus engine which is quite popular with Linux/Unix platform. Infected Emails can be quarantine or deleted and can be released from the server if necessary.

Anti-Spam: It is using SpamAssassin anti-spam engine. The score can be adjusted and it allows to set 2 levels of threshold. For example we can quarantine when the score is 5 and delete when the score reaches 10 or 15. Supports whitelist and blacklist. One good feature is the daily SPAM Digest it sends to the users. So, if the users find some legitimate emails quarantined we can immediately release them.

HTTP Content Filtering: Uses signature to categorize the web sites and can block them based on category, users custom domain or keywords. Also supports blacklist and whitelist.

Logging/Reporting: Logging is very detail and well categorized. Has a very good feature called Live Log, which can be browsed from the web for troubleshooting.

Updates: Anti-Virus Pattern, Intrusion Protection, Content Filtering, and the OS updates are done automatically according to the schedule.

Backup: Backup and recovery is very easy in case of failures. Setup takes around 20mins and restore 5 mins. It also supports HA.

Overall I think this is an excellent product that has got most of the security features. The ease of management, relatively low cost and impressive features makes it an excellent choice for an integrated security product.

If you don’t want to install the software and love out-of-the box solution, then they’ve Astaro Security Gateway Appliances.

1. Choose the MTA (Mail Transport Agent) software: There’re plenty of choices available ranging from free, open source to commercial ones. Some popular free and open source MTA’s are Sendmail, Qmail, Postfix and Exim. Popular commercial MTAs and Groupwares are MS Exchange, Lotus Notes and Novell Groupwise. I’ve worked with most of the the softwares and I find Qmail secure and easy to manage. This choice differs from admin to admin and also depends on the requirements e.g. some organizations require groupware together with the email server.

2. Choose the platform (Operating System): This is usually decided together with the first step. In some situations this step might come ahead of choosing the MTA. Most of the popular free MTAs are developed for *nix platforms only. Again this too depends on admins choice, organizations choice or requirements. For the Operating System my choice is Linux with the MTA being Qmail. I find it more stable, secure and a perfect match for Qmail. And of course it’s free and open source.

3. Estimate the number of users and server loading: This is a very important stage which will prepare you for the next crucial step i.e. choosing the hardware specification. The server loading includes following things (but not limited): how many email accounts the server will be serving, how many concurrent users will be using the service (POP3/SMTP/IMAP) during the peak hour, what is the max. number of email transactions that this server should support per day.

4. Choose the hardware: This is a very important decision which should be made based on the estimated server loading. We don’t want to discover that the RAM is not enough or CPU speed cannot cope with the daily email queues after the server is on production. Normally the more the RAM and CPU you can afford is better but you need to justify every extra MB and Mhz you are asking for. Most of the commercial software vendors provide a clear guideline for hardware requirement according to the number of users and number of email transaction per day. For my favorite Qmail installation there’s an online guide that provides calculation formulas for HDD, RAM and CPU requirements.

5. DNS Setup: Emails don’t work without properly configured domain names. So, it’s a good idea to configure the domain name (names) with proper MX records pointing to the new server before starting the installation of an email server. This can be done before the actual testing of email server but since it’s critical, just do it a step ahead.

6. Install and configure: After having the MX record ready you can install the MTA software and configure it. The configuration varies according to the requirements. It can be simple with one domain or few domains or it can be pretty complicated with groupware functions and integration with other modules like CRM. After the configuration; create user accounts according to the requirement.

7. TEST, TEST and TEST: This is the most important part of the installation. Many times I find myself going back to step 6 after this. What I’ve learnt is that; installing the software, configuring it and creating the users following the manual don’t mean that the server works until you test. Of course it’s obvious to everyone . But it’s also something we admins tend to skip (sometimes with over confidence and sometimes with little carelessness). So, I want to emphasize one more time TEST, TEST and TEST. You need to create different scenarios for testing. The minimum testing scenario might look like this:

• i) Test from local to local: send an email to local user using the same server. (From: localuser; To: localuser)
• ii) Test from remote to local: send an email to newly created user using any outside server. (From: Gmailuser; To: localuser)
• iii) Test receiving emails: make sure you can receive both the email from test (i) and (ii) .
• iv) Test from local to remote: send an email using the local server to a remote server and make sure you can receive it in the remote server. (From: localuser; To: Gmail user)

This is the minimum testing required for any sort of installation. There could be more tests in some special cases.

8. Check the logs: Check the server logs during test because they provide a very good view on what is happening e.g the newly created user cannot login. You can see “password incorrect” in the log. Which will tell you that you are typing an incorrect password. Or “relay not allowed” meaning your smtp auth is not working or the ip is not listed in “tcp.smtp” file. Server log is the first place we should be looking during first test even if we don’t see any obvious problems. We don’t want to discover any hidden silly problems after the system is put on production.

9. Put the server on production and yourself on standby: After the testing is over we can put the server on production and ourselves on standby. We can’t grantee that the system is error free until the real users test it. It will pass the real test once users can send and receive emails without any problem. I put myself on standby by watching the server log live (”tail -f /var/log/qmail/current”) looking for problems.

I’ve put this checklist from my experience and find it very useful. I hope this will help you and if you have any suggestions comments or maybe a better way to do it, the comment section is open and I’ll be more than happy to improve this list.

In this Example I’ve used following parameters (don’t try the same username and password, it will not work. You should use your own username, password and mail server):

UserName: user
Password: password
Pop3 Server: pop3server.nirlog.com
SMTP Server: smtpserver.nirlog.com

Receiving Email

Go to command prompt. This can be done as following:

Start –> Run –> type “cmd” in the box –>OK

Telnet to the mail server (POP3 Server) and use your username password to login:

telnet pop3server.nirlog.com 110

The server will reply like this:

+OK <2324.1138330846@pop3server.nirlog.com>

Login to the mail server:

user username

The server acknowledges with:

+OK

Now input your password:

pass password

If the password is correct the server responds with:

+OK

Check your emails:
To see how many emails you have in your box use the command:

list

This will list out the emails you have in your inbox:

+OK
1 1623
2 1601
3 1596

1, 2, 3 are the email ids and the 1623, 1601, 1596 are size of respective emails in bytes.
To read your emails you need to use command retr email id. E.g. if you want to read the first email then you should:

retr 1

To delete the emails you need to to use dele command. E.g. to delete the first email you should:

dele 1

To exit form the server use command quit.

Click for full size

Sending Email

Go to command prompt. This can be done as following:

Start –> Run –> type “cmd” in the box –>OK

Telnet to the mail server (SMTP Server):

telnet smtpserver.nirlog.com 25

The reply should be like:

220 smtpserver.nirlog.com ESMTP

Greet the SMTP Server using helo command, after the helo you can put any domain (I’ve used nirlog.com):

helo nirlog.com

The server will respond with something like this:

250 smtpserver.nirlog.com

Input your email address. The sender’s email address:

mail from: user@nirlog.com

This should give:

250 ok

Input the recipients email address:

rcpt to: niranjan.kunwar@gmail.com

This should give:

250 ok

Compose your email with subject and body:

data

This should give:

354 go ahead

Now write the subject of your email:

Subject: This is a Test Subject (Press Enter twice, this is how Subject and body of an email is separated)

Write the body of the email:

This is a test mail from command line
.

After the message body you need to press Enter, type a dot “.” and one more Enter. This way you’ll tell the SMTP server that you’re done writing the email. The server will reply with:

250 ok 1138345550 qp 22585

This means email has been accepted by the server and is queued for delivery.
You can exit from the server using command quit.

Click for full size

Email Server
Web Server
DNS Server
File Server
Print Server
Internet Gateway (Firewall/Router/Proxy)

There are many choices in the market and the first decision we need to make is about the platform we want to run. I mean the operating system. There are choices: Unix, Linux, Windows, MacOS and BSD. But in reality the actual contenders today are Windows and Linux. From my experience as a system and network admin for more than 6 years I can comfortably recommend you to use Linux (this is not a news for sysadmins anyway). Simply because they’re secure, do their job best and most importantly they’re free. What more to expect? Of course they don’t come with the support like windows but if you really need support you can buy them (e.g RedHat, Suse or Mitel). I think in many ways the community support for popular open source softwares are already outstanding.

So, after choosing our platform “Linux” we need to decide which Linux distribution is best suited for us. There are plenty of Linux distributions mushrooming today. You can see the popularity of different Linux distribution at Distrowatch.com based on H.P.D (Hits Per Day). The choice of distribution will differ depending on need and taste (of the admins or organizations). But here I’m recommending a Linux Distribution that does the job out-of-the-box and stands separate from the crowd in many different ways.

What is SME Server?

This is what Distrowatch.com says about SME Server :

SME Server (known as e-smith at the time) was founded in January 1999 by Joseph and Kim Morrison. The company introduced the first version of its flagship software product, the e-smith server and gateway, in April 1999. By the end of the year, many thousands of e-smith servers were running in countries from Fiji to Finland. Word was spreading quickly among developers and systems integrators who needed a solid, easy-to-use server for their small-business customers. In July 2001, e-smith was acquired by Mitel Networks, in September 2004 by Lycoris, and the project is currently sponsored by Resource Strategies, Inc.

SME Server is based on the RedHat 7.3 (current stable version is SME Server 6.0.1) which has been customized by removing unnecessary software, and by replacing some with more secure software. SME Server uses the kernel 2.4.x.x. Currently they’re developing a newer version (SME server 7.0) based on RedHat, Fedora and CentOS.

Why SME Server?

Easy Installation. Download ISO, burn CD and after few clicks it’s installed. Takes less than 20mins to install in P4 machines. You can read the excellent documents, which are very detail. The first docs I recommend to read are Design Philosophy and Architecture Overview. This will give a clear picture on how it stands out of the crowd and the basic architectural concept you need to know to use it.

It is much more secure and maintainable than other linux distributions because unnecessary packages are removed and services stopped. It also acts as a firewall by blocking all the access from external network except for those public services that are configured.

Web based administration panel (server-manager). Basically everything can be done from the web. Some Screenshots to get the look and feel of SME server-manager.

Secure Email Server. Supports POP3, POP3 over SSL, IMAP, IMAP over SSL, SMTP, SMTP over SSL and webmail (Horde IMP). Can install Spamassassin and Clam AV to do the server side junk and virus filtering. Runs Qmail which is much secure than Sendmail. The author of Qmail (D. J. Bernstein) provides a security guarantee and offered $500 for the first person to find a verifiable security hole in latest version of Qmail in 1997, his offer still stands and nobody has found any security hole in the Qmail till today.

Web Server. Runs Apache, supports virtual domains and SSL. Also it’s a complete LAMP out of the box. I’ve written about the LAMP in my previous article Top Open Sources.

PPTP VPN Server. Can be enabled by one click which is very useful and convenient for secure remote connection.

DNS Server. Runs djbdns which is a very secure dns package written by the same author of Qmail. And also offers $500 for first person who reports a verifiable security hole.

Raid-1. Supports Raid-1 mirroring both hardware and software. I find it very useful. If one hard disk is dead, just plugin a new one and rebuilt the Raid.

Proxy Server. Runs transparent proxy on Squid. No need to configure the client browser.

File Server. Samba server can be a domain controller or participate in windows domain.

Built in Backup/Restore function. You can backup to tape (scheduled) or your desktop (now). Similarly the backed-up data can be restored with one click.

FTP Server/Print Server. These services can be easily enabled or disabled.

Plenty of other softwares that are contributed by users and developers.

If you want an out-of-the-box solution for basic services (email, web, file, print, gateway) then it’s the best choice available. If you want a secure and easy to install/use/maintain distribution then you should definitely give SME Server one shot.