The Changing Landscape of E-mail Security


Topic Last Modified: 2006-07-05

The relatively recent and rapid rise of e-mail as a means of communication has created opportunities and challenges for the software industry and businesses worldwide. As recently as 1986, the Internet Engineering Task Force (IETF) was formally established in an effort to document Internet standards and influence best practices for using the Internet. In the nineties, the popularity of the World Wide Web transformed the computing landscape, as millions of computer users rushed to the Internet for business and recreation.

Software companies developed popular e-mail client and server software, providing enhanced functionality via free downloads and high-end commercial applications. Along with the growth of the Internet and Web browsing, many companies released Web-based e-mail solutions, frequently supported by advertising and often free to the end user. Commercial providers of enterprise software have continued to innovate and provide enhanced functionality to help IT departments manage e-mail systems more effectively and securely, while helping information workers deal with the challenges of managing the growing volume of e-mail. The convergence of telephony and e-mail systems is now allowing access to voice mail and faxes via e-mail clients, and trendy handheld devices have been proliferating, providing mobile access to e-mail.

The importance of messaging technologies continues to grow, becoming a competitive advantage for businesses around the globe. System managers are faced with the challenges of delivering enhanced features to keep their workforces competitive while protecting their networks and intellectual capital.

Over the past five years, we have seen increasingly serious security risks to e-mail users and companies. Viruses, worms, spam, phishing, spyware, and a progression of newer and more sophisticated hacking methods have made e-mail communication and the management of e-mail infrastructure a much riskier endeavor. Many incidents have resulted in identity theft and in the loss of intellectual property and personal information such as credit card numbers and social security numbers. These problems, together with the success of electronic communication, have contributed to new regulations governing privacy, traceability, and journaling.

The first major e-mail worm was Melissa in March 1999, and in May 2000 the ILOVEYOU e-mail virus wreaked havoc on the Internet. As a result of these outbreaks, attachment filtering and blocking has become standard e-mail functionality. Certain attachment types are now usually stripped from e-mail during transport and blocked by clients like Outlook, Outlook Express, and Outlook Web Access (OWA). Antivirus scanning can run during transport, on the mailbox store, and on the e-mail client, and it is common to run it at more than one of these layers. In fact, many corporations prevent machines not running current antivirus software from connecting to their networks.
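The transport-level attachment stripping described above, as an added example that is not part of this article or of any Exchange component. It uses Python's standard email library and a constructed sample message; the blocked-extension list is an illustrative subset assumed for the example (Outlook's own list is longer). A practitioner's point worth noting: the file name, the declared content type and the file's magic bytes are checked independently, because each is trivially spoofed on its own (invoice.pdf.exe, an executable declared as text/plain, or a renamed .exe).

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative subset of dangerous extensions, assumed for this example.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js",
    ".wsf", ".hta", ".lnk", ".msi", ".reg",
}
# Content types that denote Windows executables regardless of file name.
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-msdos-program", "application/hta",
}


def attachment_is_blocked(part) -> bool:
    """True if a MIME leaf part should be stripped: final extension (catches
    invoice.pdf.exe and trailing-dot tricks), declared content type, or the
    file's own DOS/PE magic bytes (catches an .exe renamed to .txt)."""
    if part.is_multipart():
        return False
    filename = (part.get_filename() or "").strip().rstrip(". ").lower()
    if not filename and part.get_content_disposition() != "attachment":
        return False  # the message body text is never stripped
    ext = ("." + filename.rsplit(".", 1)[-1]) if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS or part.get_content_type() in BLOCKED_CONTENT_TYPES:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def strip_blocked_attachments(raw: bytes):
    """Parse a raw message and replace blocked parts with a text stub.
    Returns (cleaned_message, list_of_removed_filenames)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():  # whole message is a single attachment
        if attachment_is_blocked(msg):
            removed.append(msg.get_filename() or "(unnamed)")
            msg.clear_content()
            msg.set_content("Attachment was removed by policy.")
        return msg, removed
    for container in list(msg.walk()):
        if not container.is_multipart():
            continue
        new_parts = []
        for part in container.get_payload():
            if attachment_is_blocked(part):
                name = part.get_filename() or "(unnamed)"
                removed.append(name)
                stub = EmailMessage()
                stub.set_content(f"Attachment {name!r} was removed by policy.")
                new_parts.append(stub)
            else:
                new_parts.append(part)
        container.set_payload(new_parts)
    return msg, removed


def remaining_attachments(msg):
    """File names still attached after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


PE_HEADER = b"MZ\x90\x00" + b"\x00" * 60  # constructed DOS header prefix


def build_sample() -> bytes:
    """Constructed message: a benign PDF, a double-extension executable,
    and an executable renamed to .txt and declared as text/plain."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(PE_HEADER, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(PE_HEADER, maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


def build_single_part_sample() -> bytes:
    """Constructed message whose entire body is one executable attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg.set_content(PE_HEADER, maintype="application",
                    subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
    print("kept:", remaining_attachments(cleaned))
```

The same predicate is what a transport rule or attachment filter expresses declaratively; the point of writing it out is to see that the three checks must all be present, since an attacker who learns that only the extension is inspected will simply rename the file.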

In the early 2000s, spam was becoming a major problem, threatening to severely affect the usefulness of e-mail. In 2002, the United States Federal Trade Commission started to crack down on deceptive junk e-mail, but large variances in the laws of different countries make legal enforcement difficult in a global ecosystem like the Internet. Spam is not only an irritation; it is also commonly used in phishing scams to steal information and money. It is a very cheap method of advertising (or attacking): even with an extremely low click-through rate, it is effective. The Radicati Group, Inc. estimated that during 2006 over 100 billion spam messages would be sent per day on average, accounting for over two thirds of all e-mail traffic. To download the full report, see Microsoft Exchange Market Share Statistics, 2005.

The technology to fight spam started with very simple concepts like deleting e-mail containing blocked words. Today, these have evolved into multi-pronged spam detection and reduction technologies. Current solutions still include word blockers, but they also include sophisticated spam detection tools like Microsoft SmartScreen™ technology. A quick search on the Internet will yield a list of many companies selling technology to fight spam, as well as many people willing to help others bypass anti-spam detection. Unfortunately, evasion techniques improve in step with detection technology, so anti-spam software, just like antivirus software, needs regular updates to remain effective.

In the nineties, exploitation of common coding mistakes like buffer overflows was understood by computer scientists and students, and these vulnerabilities became easier to exploit as computers were routinely connected to networks. Before that, viruses traveled mainly via floppy disk; since then attacks have grown much more complex. There are clever exploits against many kinds of memory management bugs, including integer overflow exploits, which are very fashionable among the underground community, and cross-site scripting and other script injection techniques are used to attack Web applications. Many modern attacks are financially motivated, whereas earlier attacks were more often motivated by publicity.

We know that malicious users use tools to automate the process of finding and exploiting vulnerabilities. These include fuzzers: tools that take good input and mutate it, or generate corrupt input from scratch, to identify coding bugs that could be exploited to execute code. There have also been many advances in tools for reverse engineering and for identifying changes between versions of a program (for example, to locate what a security update fixed). Various fuzzers and analysis tools are now used in the development of Microsoft products to identify these potential code defects so that we can fix them before we ship a product. For example, the /analyze option in Visual Studio® 2005 helps developers find defects in their code. Running a suite of code analysis tools is one of the changes Microsoft introduced as part of the Security Development Lifecycle (SDL).

The following sections provide details on recent Exchange Server security improvements.

Microsoft Exchange Server 2003 was the first release of Exchange developed under the SDL. As a result of this effort, we greatly reduced the attack surface by disabling less-used services by default. The Exchange group disabled anonymous authentication for Network News Transfer Protocol (NNTP), and we improved the security of OWA with forms-based authentication.

Exchange 2003 shipped with more secure default configurations. For example, we locked down the public folder top-level hierarchy and recommended enabling SSL to encrypt network traffic when promoting servers to be front ends. We enforced a 10 MB message size limit, removed domain users’ local logon permissions to Exchange servers, and tightened Multipurpose Internet Mail Extensions (MIME) parsing based on security reviews. Our efforts were geared to work with other Microsoft initiatives to secure our products, like Microsoft Baseline Security Analyzer (MBSA) and IIS Lockdown Tool.

After we shipped Exchange 2003, we published a set of guidelines that an administrator could use to further improve the security of Exchange 2003. Those guidelines can be found at the following Web site: Exchange Server 2003 Security Hardening Guide. In Exchange 2003 Service Pack 2 (SP2) we further improved security, particularly for mobile messaging with the release of the Mobile Messaging with Microsoft Exchange Server 2003 Service Pack 2 and Windows Mobile 5.0 Messaging and Security Feature Pack.

Given the risk to company data from lost mobile devices, we delivered remote wipe, local wipe, and PIN lock with Exchange 2003 SP2 to help make the mobile experience more secure. We also protect the mobile experience by encrypting e-mail between the Exchange server and the mobile client. Exchange 2003 SP2 raised the bar in the fight against spam by including the latest Intelligent Message Filter (IMF), which incorporates checks against phishing attacks and domain spoofing tactics.

For Microsoft Exchange Server 2007 we have incorporated the latest edition of the SDL into our internal development process. There are specific security requirements at each stage in the development life cycle. During the design stage we threat-modeled the messaging ecosystem and updated our design to help make it more secure. Throughout the development process, we run tools and use techniques to identify possible security problems. Many of the tools we used to test Exchange 2007 resemble the tools malicious users use to find vulnerabilities. We have developed custom fuzzers and used them to generate millions of corrupted e-mail messages, verifying that the server handles them securely.
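To make the fuzzing described here and in the earlier paragraph on attacker tooling concrete, the following is an added example of a mutation fuzzer for e-mail messages. It is not Exchange's fuzzer or any Microsoft code: the seed message, the mutation strategies and the two target parsers are constructed for the example. The "naive" Content-Type parser is a deliberately fragile toy standing in for the kind of legacy routine a fuzzer shakes out; the "hardened" one does the same job without raising. Both are driven through Python's standard email parser so the fuzzer exercises real MIME structure.

```python
import email
import random
from email import policy

# Constructed seed: a well-formed two-part message (not from the article).
SEED = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: quarterly report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="us-ascii"\r\n'
    b"\r\n"
    b"See attachment.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="q3.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQK\r\n"
    b"--b1--\r\n"
)


def naive_content_type(header):
    """Toy parser constructed for this example: assumes the header exists and
    that every parameter carries an '='. Not Exchange code."""
    mime, *raw_params = header.split(";")
    params = {}
    for raw in raw_params:
        key, value = raw.split("=", 1)  # raises on "charset" or on ""
        params[key.strip().lower()] = value.strip().strip('"')
    return mime.strip().lower(), params


def hardened_content_type(header):
    """Same job, tolerant of a missing header, non-ASCII values, missing '='
    and empty parameters; garbage degrades to text/plain instead of raising."""
    header = str(header or "text/plain")
    mime, _, rest = header.partition(";")
    params = {}
    for raw in rest.split(";"):
        key, _, value = raw.partition("=")
        if key.strip():
            params[key.strip().lower()] = value.strip().strip('"')
    mime = mime.strip().lower()
    return (mime if mime.count("/") == 1 else "text/plain"), params


def naive_target(data: bytes):
    msg = email.message_from_bytes(data, policy=policy.compat32)
    return [naive_content_type(p.get("Content-Type")) for p in msg.walk()]


def hardened_target(data: bytes):
    msg = email.message_from_bytes(data, policy=policy.compat32)
    return [hardened_content_type(p.get("Content-Type")) for p in msg.walk()]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations typical of a mutation fuzzer."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        if not buf:
            break
        i = rng.randrange(len(buf))
        op = rng.randrange(6)
        if op == 0:    # flip a single bit
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:  # overwrite with a delimiter the MIME grammar cares about
            buf[i] = rng.choice(b';="\r\n\x00 ')
        elif op == 2:  # delete a short run
            del buf[i:i + rng.randint(1, 8)]
        elif op == 3:  # duplicate a run (extra boundary lines, repeated headers)
            buf[i:i] = buf[i:i + rng.randint(1, 32)]
        elif op == 4:  # truncate mid-structure
            del buf[i:]
        else:          # insert a long run to probe length handling
            buf[i:i] = b"A" * rng.choice((64, 1000, 10000))
    return bytes(buf)


def run_fuzz(target, iterations=2000, seed=1):
    """Feed mutated seeds to `target`; any exception is a finding.
    Returns (crash_count, {exception_class_name: first_failing_input})."""
    rng = random.Random(seed)
    crashes, examples = 0, {}
    for _ in range(iterations):
        data = mutate(SEED, rng)
        try:
            target(data)
        except Exception as exc:
            crashes += 1
            examples.setdefault(type(exc).__name__, data)
    return crashes, examples


if __name__ == "__main__":
    for name, target in (("naive", naive_target), ("hardened", hardened_target)):
        count, examples = run_fuzz(target)
        print(f"{name}: {count} crashes, exception types: {sorted(examples)}")
```

The harness keeps the first failing input per exception class so each distinct failure can be minimised and turned into a regression test; a production fuzzer would also run the target in a separate process so memory-safety crashes in native code are caught rather than only Python exceptions.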

During the development of Exchange 2007, we have continued to use new security thinking from the industry and from across the company. We have hired outside security engineering consultants to review our code and test for security vulnerabilities. This is in addition to the work done by the Exchange Security Team, whose sole responsibility is to look for Exchange security issues and to drive security into Exchange.

In Exchange 2007 we are updating and tightening many of our defaults. For example, we have reduced the surface area by disabling less common protocols and removing or replacing large sections of our oldest code with newer managed code. To make it easier to deploy a reduced set of code on individual servers, we designed Exchange 2007 around server roles.

Exchange 2007 adds the ability for OWA and Exchange ActiveSync users to access documents on Universal Naming Convention (UNC) file shares and SharePoint servers, enabling them to easily reach internal documents while out of the office. The Exchange administrator controls which UNC file shares and SharePoint sites are available. For common file formats like Office and PDF files, OWA access to remote files and attachments can be configured so that no copy is left behind in the browser cache. This is accomplished through WebReady Document Viewing, where the server transforms the file into HTML before sending it to the client, so the browser manages the content and discards it when the OWA SSL session is closed. Data encryption is easier to configure, with SSL enabled by default using self-signed certificates. Note that a self-signed certificate encrypts the connection but does not let clients verify the server's identity, so Internet-facing OWA and ActiveSync endpoints should use a certificate issued by a CA the clients trust; otherwise users learn to click through certificate warnings, which defeats the protection against man-in-the-middle attacks.

The Exchange ActiveSync experience has been improved in Exchange 2007 with the introduction of per-user ActiveSync mailbox policies. The device password policy now includes password history, expiration, blocking of simple patterned passwords, a block list, storage card encryption, and password recovery.

The Hub Transport and Edge Transport server roles are designed as an efficient pipeline enabling message scanning, with the ability to support multiple antivirus vendors through built-in features and Microsoft Forefront Security for Exchange Server. Microsoft has made a significant investment in supporting more effective, efficient, and programmable virus scanning at the transport level.

Exchange 2007 introduces the concept of transport agents. Agents are managed software components that perform a task in response to an application event. Exchange 2007 propagates antivirus scanning information (an antivirus stamp) with each message, preventing duplicate scanning. For example, a message scanned in transport is not scanned again in the store unless the mailbox server has a newer signature. Third-party developers can write customized agents that take advantage of the underlying Exchange MIME parsing engine for robust transport-level antivirus scanning. The Exchange 2007 MIME parsing engine has evolved through many years of MIME-handling experience and is likely the most trusted and robust MIME engine in the industry.

Attachment filtering on the Edge and Hub servers in your organization can reduce the spread of malware attachments between organizations. Also new in Exchange 2007, transport rules can easily be created to help protect organizations against zero-day virus outbreaks: by creating a custom transport rule to quarantine or block messages that have the characteristics of a new virus, an organization gains protection even before a signature for that virus is released. Transport rules can act on many aspects of an incoming or outgoing message, such as the subject, content, attachments, or sender domain.

Exchange 2007, together with Outlook 2007, implements a multi-pronged spam and phishing protection strategy. There have been many improvements to how spam is detected and handled. Among them, the Exchange Intelligent Message Filter (the content filter) evaluates incoming messages and estimates the probability that each one is spam, expressed as a spam confidence level (SCL) from 0 to 9. Based on the SCL assigned to each message, different actions can be configured, including quarantine, delivery to the Junk E-mail folder, or rejection of the message.

Outlook 2007 can solve a computational puzzle for each outgoing message, producing an Outlook E-Mail Postmark that Exchange 2007 content filtering validates; because the puzzle costs the sender CPU time per message, a valid postmark is evidence that the message was not sent in bulk. In addition, Outlook Safe List aggregation builds a per-user Safe Senders List that the Exchange server consumes, so that legitimate e-mail from those senders bypasses content filtering at the edge of the network.

The Edge Transport server can run without being joined to the Active Directory domain, while the Recipient Filter agent can still block messages sent to nonexistent users or internal-only distribution lists, because recipient information is replicated to the Edge server by EdgeSync.

The sender reputation agent dynamically calculates the trustworthiness of unknown senders by gathering analytical data from Simple Mail Transfer Protocol (SMTP) sessions, message content, Sender ID verification, and general sender behavior, creating a history of sender characteristics. The sender reputation agent uses this knowledge to determine whether a sender should be temporarily added to the Blocked Senders List.

Sender ID verifies that an e-mail message originates from the Internet domain it claims to come from, by comparing the connecting IP address with the Sender ID (SPF) record that the sending domain publishes in its public Domain Name System (DNS). Microsoft also provides an IP Block list, the IP Reputation Service, that is offered exclusively to Exchange 2007 customers; administrators can use it in addition to other real-time block list services.
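The Sender ID check sketched above, as an added example (not Exchange's Sender ID agent). It uses Python's standard ipaddress and email libraries against a constructed, in-memory zone that stands in for public DNS; the domains and records are assumed for the example, and the addresses are from the RFC 5737/3849 documentation ranges. It implements the Purported Responsible Address selection from RFC 4407 and the ip4, ip6, include and all mechanisms with their qualifiers; the a, mx, ptr and exists mechanisms, which need further DNS lookups, are reported as permerror rather than modelled.

```python
import email
import email.utils
import ipaddress
from email import policy

# Constructed zone data standing in for public DNS TXT records (assumed).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "partner.example": "v=spf1 include:example.com ?all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup."""
    return SPF_RECORDS.get(domain.lower())


def purported_responsible_domain(raw_message: bytes):
    """Sender ID evaluates the Purported Responsible Address (RFC 4407): the
    first present of Resent-Sender, Resent-From, Sender, From."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            _, addr = email.utils.parseaddr(str(value))
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None


def evaluate_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's record against the connecting IP.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"  # include loop or excessive recursion
    record = lookup_spf(domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr in network  # False when address families differ
        elif mech == "include":
            matched = evaluate_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists: not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def sender_id_check(connecting_ip: str, raw_message: bytes) -> str:
    domain = purported_responsible_domain(raw_message)
    return "none" if domain is None else evaluate_spf(connecting_ip, domain)


# Constructed message: From claims partner.example, but Sender is set, so the
# PRA (and therefore the domain checked) is example.com.
SAMPLE = (
    b"From: ceo@partner.example\r\n"
    b"Sender: bulk@example.com\r\n"
    b"To: user@example.net\r\n"
    b"Subject: hello\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(ip, sender_id_check(ip, SAMPLE))
```

Two details matter operationally: the IP tested must be the address of the host that connected to the organization's boundary server, not one taken from a Received header the sender wrote, and a "fail" for a domain publishing -all is a policy statement by the domain owner, whereas "none" says nothing and should feed reputation scoring rather than trigger rejection.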

Regulations such as the European Union Data Protection Directive, the Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley add data retention and encryption requirements for an increasing number of corporations. Using Transport Layer Security (TLS) with Kerberos authentication, e-mail within the organization is encrypted between Hub Transport servers by default. Client Access and Hub Transport servers also encrypt their traffic to Mailbox servers. By default, Outlook 2007 encrypts its connection to Exchange Server 2007 for any e-mail it reads or sends, and administrators can require encrypted client connections on the server side to ensure compliance. This is another example of feature and product teams working together to build security into the messaging ecosystem.

In addition to changes in on-premises e-mail defenses, Microsoft Exchange Hosted Services (EHS) offers a hosted solution to protect an organization’s messaging environment while satisfying internal policy and regulatory compliance requirements. EHS reduces large up-front capital investment and frees IT resources, letting companies concentrate on the areas most critical to their business. Operating over the Internet as a service without any hardware or software to install on premises, EHS enables organizations to protect against e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and help preserve access to e-mail during and after emergency situations. Organizations can decide whether to implement their security and compliance solutions on premises or in the cloud. Hosted services can filter spam and viruses from an organization’s e-mail before those messages have a chance to enter the internal network.