With computer viruses posing a constant threat, spam is something every Internet user knows about. Of the several e-mail addresses I use at any given time, I receive at least twenty messages a day inviting me to buy this or that, or check out this or that website…
Since e-mail addresses are essentially untraceable, spammers are free to flood whatever message platform they choose, from major services used by millions of Web users for their personal e-mail, to company inboxes used for business communications.
This kind of “incoming” spam is familiar to everyone. That’s why there’s a big push to block these unsolicited messages: multiple filtering systems are available that offer a variety of services and solutions (“in the Cloud” filtering, spam boxes, software for e-mail servers and programs installed directly on work machines). Almost every company uses at least one of these solutions.
what about spam sent by companies?
While everyone knows about “incoming” spam, spam sent by company networks suffers from a serious lack of communication. Sometimes it’s even a taboo subject, since it points directly to security problems within a company’s local network.
First of all, let’s set aside companies that send spam deliberately. These can be “online marketing” companies sending out e-mails for their customers, or other companies that send messages to expand their potential customer base. In both cases, these businesses may run up against a variety of sanctions if they don’t follow several rules. This can be a problem in particular for small companies that don't always operate in gray areas.
Our topic today, however, is companies that send out spam without realizing it.
what companies are we talking about?
We're talking about companies of all sizes: small businesses with just one website, nationwide companies and multinationals. But of course, this tends to be a particular problem for smaller companies.
All sectors are concerned: this means companies that manufacture precision tools for the automotive industry, for example, or those who provide IT services, supply heavy equipment for construction, or work in finance. Essentially, everyone!
All Internet connection types are concerned: experience has shown that the Internet connection type does not notably alter the problem. This means companies that connect with separate interconnection routers are just as vulnerable as businesses using more complex protection services such as gateways or services offered by their ISP.
how is this possible?
After analyzing feedback on this problem, we can recognize two main categories of businesses affected by these problems:
- businesses whose internal message server is hacked by a third party
- businesses where employee machines are infected by a “bot” or “zombie” program
improperly secured message servers
In this case, a company fails to take sufficient measure to secure its internal e-mail server. This will be quickly noticed, as spammers use the company server as a relay to send out spam! Spam will then be sent from the company server to the greater Web community. This means the company and its access provider will be responsible for the spam. In this situation, spam is sent over servers configured as open relays.
Failure to take action in this situation can have a significant impact on the company’s activities: the message server will eventually be registered on “blacklists” and consequently “forbidden” (impossible to send e-mail to customers or partners).
Correcting this problem is fairly easy: simply change your server settings to deactivate the open relay mode.
employee machines infected by a “zombie” or “spambot” program
In this next case, spammers do not hack a server; instead, they take control of employee machines connected to the company’s LAN. First, spammers will try to infect machines with a program that will enable them to remotely control the machine. Once this is done, the machine (also called a “bot,” “robot,” “zombie,” or “spambot”) is now ready to send out spam.
Once again, failure to take serious action in this situation can have adverse consequences. Aside from the obvious risk of “banishment” through “blacklists,” there is the added problem that machines are no longer under company control. This means an attacker has the means to access documents stored on the network, listen to internal communications on the network, etc.
This can be a tough problem to fix. A little planning and method are required. First, block messages moving in and out of the network, and then “follow the trail” to locate suspicious machines. Last, disinfect the machine or, for more security, reformat it entirely.
how do you know if you are sending spam?
First off, it’s important to know that your ISP’s “Abuse” cell will be the first to receive any complaints issued by third parties. After this cell conducts an initial investigation, it will contact the person in charge of the service contract. In general, this is a company’s executive or general manager. Any communication of this sort should be taken very seriously, since it almost always means there is a real problem. Mistakes are rare.
If you want to go the extra mile, you may also want to test your “reputation” using several different websites to determine if spam is being sent from your network.
recommendations: e-mail servers
- Check your settings on a regular basis: when you set up the network and during any maintenance actions. Any “anti-open-relay” features are as important as any other security measure.
- Determine if your servers are seen as open relays. A variety of free testing services are available on the Web. For the more tech-heavy tests, a simple “Telnet” and knowledge of some basic SMTP commands will suffice.
- Monitor your message server: keep an eye on the number of messages sent per day, the length of queues, the number of send failures, etc. Any sharp fluctuations in these numbers should tell you something is up.
recommendations: employee machines
- Block (or set up a service to block) SMTP fluxes (TCP/25) at your Internet access point. Only authorize communication through your ISP’s relay servers.
- Even better: reconfigure your message client (Outlook, Thunderbird, etc.) so your e-mails are submitted through a protocol requiring authentication (Submission Protocol RFC2476, TCP/587) and block all outbound SMTP flux (TCP/25).
- Monitor bandwidth usage on your network to detect any suspicious behavior.
- Regularly update security measures used on your machines, and update your antivirus software on a daily basis.
conclusion
Spam sent from company networks is a real problem: this problem touches all businesses of every size and in every sector. It’s important to treat each complaint received for spam sent from your network. The consequences of not taking action can be heavier than they appear at first. If you have any questions or problems, I suggest you follow the recommendations outlined by your ISP and browse through the wealth of information available on the Web.
Jean-François
PS: “road warriors” and other advocates of mobility will immediately recognize the value of using the “Submission Protocol” (TCP/587) to send e-mail. It works de facto no matter where you connect to the network. Changing outbound SMTP servers is a thing of the past! :-) When security helps improve ease of use, you have to mention it, right?
This blog post was originally published in French here.
Photo credit: copyright kromosphere - fotolia.com
Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens