Saturday, March 22, 2008

Spam Prevention - Home User

Someone asked me to post some tips for home users who do not have the luxury of protection from an anti-spam appliance. These users probably do not need to know about greylisting, SPF, DKIM and so on either. So before I go on to blog about the methods used in anti-spam technology, I will do a simple write-up on how a home user can avoid becoming a spam victim, and some ways to control the spam they already get.

Firstly, I think many home users receive spam because they do not have good email discipline. Most people who receive spam have registered their email address on commercial websites, signed up for some out-of-the-blue marketing promotion, registered as members in order to download software, and so on. The problem is that many of these sites do not have a privacy policy that they actually follow. Email addresses are sold or leaked to the marketing world.
Spammers even make money by selling their email databases to other spammers, and the cycle goes on. Therefore you will receive more and more spam. End users have to be careful about giving away their email address. Honestly, this is the most important basic of all. I will list a few steps on what you can do, and how you can cut down on your existing spam.

Prevention

1) Don't reply to or unsubscribe from spam mail! Please do not click on any link in a spam mail to unsubscribe. If you did not sign up for it, don't click to unsubscribe from it. The moment you click on the link, you are basically telling the person who sent you the spam, "Hey, yes, I am an active user. Go ahead and spam me in future!" Of course, if it comes from a reputable company, then there is probably no harm in clicking on that link.

2) Don't forward an email from someone you don't know to a list of people. Such chain emails are perfect for spammers to harvest email addresses from.

3) Try using a complicated username when signing up for an email address. Simple addresses such as jenny76@hotmail.com are easily harvested by spammers' software.

4) Camouflage your email address. Putting your email address in plain text on your website makes it easy for spammers' spiders to harvest it. It is best to disguise your address by stripping out the periods and the "@" symbol, for example "YOURNAME AT YAHOO DOT COM". You can also make the "@" an image, which prevents crawlers from identifying it.

5) Get a desktop anti-virus with an anti-spam filter. Many desktop anti-virus packages come with anti-spam features; Kaspersky and Sophos are examples. Such anti-virus software is normally affordable and effective.

Control

If you are using Outlook Express or Outlook to download your mail, you can also set rules to filter your mail into the junk folder. I will take Outlook Express as an example and list the steps below, using the word "Viagra" as the example keyword.

1) Open up Outlook Express
2) Go to Tools --> Message Rules --> Mail
3) Click "New"
4) Select the condition for the rule to take effect and the action to apply. I will choose the condition where the message body contains specific words, as it is normally more effective than the other conditions, and for the action I will choose to move the mail to the junk folder rather than delete it, so that even if a mail turns out to be detected wrongly, I will still have it.
5) Fill in the specific words you have decided on and select the folder.
6) Voila!!!!! The rule has been created. Any new message with the word "viagra" in the mail body will be moved to the junk folder.
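The same rule expressed in Python, as an added example that is not code from the original post: it parses two constructed messages with the standard email module and applies a "body contains these words" rule, matching whole words case-insensitively and moving hits to a junk folder rather than deleting them, so a false positive can still be rescued.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample messages (not real mail): one spam, one legitimate.
SPAM_RAW = """From: offer@example.invalid
To: john@philsecure.com
Subject: Special offer
Content-Type: text/plain

Cheap VIAGRA delivered discreetly to your door.
"""

HAM_RAW = """From: alice@philblog.com
To: john@philsecure.com
Subject: Weekend
Content-Type: text/plain

We went to Cheapside market on Saturday, it was lovely.
"""

def body_text(msg: EmailMessage) -> str:
    """Collect the text/plain parts of a message (multipart-aware)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_content())
    return "\n".join(parts)

def apply_rule(raw: str, words, junk_folder: str = "Junk E-mail") -> str:
    """Return the folder the message lands in under an Outlook Express style
    rule: if the body contains any of `words` as a whole word (ignoring case),
    move it to the junk folder; otherwise leave it in the Inbox. Whole-word
    matching keeps 'cheap' from firing on 'Cheapside'."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg)
    for word in words:
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE):
            return junk_folder
    return "Inbox"
```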

The above is just a simple way to filter out potential spam. But such rules are tedious and may need to be fine-tuned along the way. Try a desktop anti-virus with anti-spam features instead; it will probably be easier, less time consuming and more effective.

Friday, March 21, 2008

Spam! How did it get into me!!!!

It is so irritating when I have to spend 10 minutes every morning, while eating breakfast in front of my computer, clearing spam. Haha, kidding. Since the day I got involved in IT security, I hardly see any in my mail anymore. Let me share with you what spam is and, slowly, how we can prevent it.

A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that the email is unsolicited and sent in bulk. "UCE" refers specifically to "unsolicited commercial e-mail". According to a Gartner report in TechWeb News, spam has cost the world $50 billion in lost productivity and other expenses.

The question that often comes to users' minds when they receive spam is: how did the spammer get their email address? Spammers do not get addresses because they are on a company distribution list or a legitimate e-mail publication. In today's world, a legitimate mailing list is normally secured, and it is unlikely that a spammer can get hold of the addresses on it. The problems start when a user subscribes to an unknown website or newsletter. Addresses given to unknown websites or newsletters are often leaked, intentionally or unintentionally, resulting in the user receiving a high volume of spam. Users subscribing to newsletters or registering on unknown websites should always check the privacy policy. The policy should state clearly that the email address or information provided by the user will never be released to another party or used for any purpose other than the one stated.

A Directory Harvest Attack (DHA) is another technique used by spammers in an attempt to find valid, existing e-mail addresses at a domain by brute force. When under a directory harvest attack, the massive volume of delivery attempts to different addresses sent by the spammer consumes the mail server's resources. At worst, the mail server may be prevented from receiving legitimate email if all available resources are exhausted. Organizations should have in place an anti-spam appliance that can detect any form of DHA conducted against their mail server. Today's anti-spam appliances normally have a combination of features such as "Real Time Blacklist" (RBL), "DomainKeys Identified Mail" (DKIM), "Sender Policy Framework" (SPF), "Greylisting", "Bayesian filter" and many more.
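What a DHA looks like on the receiving side, as an added example that is not from the original post: the detection runs over a constructed, Postfix-like excerpt of SMTP "RCPT TO" log lines (real MTA log formats differ) and flags a source IP that collects many "550 user unknown" replies for distinct recipients in a short window, which is the signature an anti-spam appliance watches for, while a legitimate sender who mistypes one address stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMTP log excerpt in a Postfix-like style (not real log data):
# one source walks a dictionary against philsecure.com, another just mistypes.
LOG = """\
2008-03-21 09:00:01 198.51.100.7 RCPT TO:<aaron@philsecure.com> 550 user unknown
2008-03-21 09:00:01 198.51.100.7 RCPT TO:<abby@philsecure.com> 550 user unknown
2008-03-21 09:00:02 198.51.100.7 RCPT TO:<adam@philsecure.com> 550 user unknown
2008-03-21 09:00:02 203.0.113.9 RCPT TO:<john@philsecure.com> 250 ok
2008-03-21 09:00:03 198.51.100.7 RCPT TO:<alan@philsecure.com> 550 user unknown
2008-03-21 09:00:03 198.51.100.7 RCPT TO:<alex@philsecure.com> 550 user unknown
2008-03-21 09:00:04 198.51.100.7 RCPT TO:<john@philsecure.com> 250 ok
2008-03-21 09:00:04 198.51.100.7 RCPT TO:<amy@philsecure.com> 550 user unknown
2008-03-21 09:00:05 203.0.113.9 RCPT TO:<jon@philsecure.com> 550 user unknown
"""

LINE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) RCPT TO:<([^>]+)> (\d{3})")

def detect_dha(log, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: distinct_unknown_recipients} for every source that
    collected `threshold` or more 550 'user unknown' replies for distinct
    recipients inside a sliding time `window`."""
    rejects = defaultdict(list)            # ip -> [(timestamp, recipient)]
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(4) == "550":
            ts, ip, rcpt, _ = m.groups()
            rejects[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), rcpt))
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {r for _, r in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

In practice the flagged source would be rate-limited or temporarily refused at the perimeter rather than allowed to keep probing.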

Take a little time to digest this blog on spam... I will fill you in on the different methods used to fight spam in the coming blogs.

Tuesday, March 18, 2008

So who is the Postman sending the Email??

It is interesting that many email server administrators do not know how email works. They can configure the servers and create users, but do not know what happens when a user clicks the "SEND" button. Therefore I decided to blog on how exactly email works as one of my first posts.

Email is the basic communication that we all use in our daily work. Users simply open their email client, type the sweetest things they can and click "send". Nine out of ten users won't think about how the "postman" is sending the email for them, but all of them will expect the receiver to get their mail. Of course, we tech geeks are the one in ten who are concerned with the amazing technology behind email.

In the total process of email, we will look at a few key players: the Mail Transfer Agent (MTA), e.g. an Exchange mail server; the e-mail client, e.g. Outlook Express; the Mail Exchanger (MX); the Domain Name Server (DNS); and the Internet. Like any game, there are a few rules to follow.

For outgoing email, Simple Mail Transfer Protocol (SMTP) on port 25 is used. For incoming mail, Post Office Protocol (POP) on port 110 or Internet Message Access Protocol (IMAP) on port 143 is used.

Now let's take a scenario to explain the email flow. John at john@philsecure.com opens up his email client, Outlook Express, and types an email to his wife, Alice at Alice@philblog.com. After finishing his email, he clicks "send". Alice, on the other hand, receives a new incoming email in her email client. So what actually happened?

1) When John clicks "Send", his email client sends the email to his MTA using port 25.

2) The email server at philsecure.com receives the address of the sender and the address of the recipient, as well as the body of the message. It considers the recipient address as two parts: the recipient name (Alice) and the domain name (philblog.com). If the "to" address had been another user at philsecure.com, the email server would simply hand the message to the server running POP3 or IMAP for philsecure.com, and the mail would be delivered to the appropriate user account.

3) Here, the email server looks up the IP address of the email server for philblog.com in the Domain Name Server (DNS). The DNS replies with the IP address of the SMTP server that philblog.com operates. This is the Mail Exchanger (MX) IP address.

4) The email server of philsecure.com then sends the mail to philblog.com according to the MX record it got from the DNS.

5) The email server of philblog.com receives the email and sends it to the server running POP3 or IMAP, which then delivers it to the user's account.

6) The user logs on with her mail client, using POP3 or IMAP, to download the email.
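The six steps above as an added example in Python, not code from the original post: the MX table, the IP addresses and the user lists are constructed stand-ins for DNS and the real servers, and one in-process class plays both the receiving MX host and the mailbox store that POP3/IMAP would serve. The sender's MTA splits the address, looks up the MX and runs the SMTP dialogue (standard reply codes); local delivery at philsecure.com takes the same path to its own server.

```python
# Constructed stand-ins (not from the post): an MX table in place of DNS
# answers, and an in-memory store in place of the POP3/IMAP server.
MX_TABLE = {"philblog.com": "203.0.113.25", "philsecure.com": "192.0.2.25"}
def split_address(addr):
    """Step 2: an address is treated as recipient name + domain name."""
    local, _, domain = addr.strip("<>").rpartition("@")
    if not local or not domain:
        raise ValueError("bad address: " + addr)
    return local, domain.lower()
class MailServer:
    """An MTA plus the mailbox store behind it, as a minimal SMTP handler."""
    def __init__(self, domain, users):
        self.domain, self.users, self.store = domain, set(users), {}
        self.reset()
    def reset(self):
        self.state, self.rcpts, self.lines = "ehlo", [], []
    def handle(self, line):
        if self.state == "data":                  # collecting the message body
            if line != ".":
                self.lines.append(line); return None
            for r in self.rcpts:                  # step 5: into the user's mailbox
                self.store.setdefault(r, []).append("\n".join(self.lines))
            self.reset(); return "250 OK queued"
        verb, _, arg = line.partition(" ")
        if verb == "EHLO": self.reset(); return "250 " + self.domain
        if verb == "MAIL": self.rcpts, self.state = [], "mail"; return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            local, domain = split_address(arg.split(":", 1)[1])
            if domain != self.domain: return "550 relay not permitted"
            if local not in self.users: return "550 no such user"
            self.rcpts.append(local); self.state = "rcpt"; return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"; return "354 end data with ."
        return "503 bad sequence of commands"

def send(sender, recipient, body, servers):
    """Steps 1-4: split the address, ask 'DNS' for the MX, run the SMTP dialogue."""
    _, domain = split_address(recipient)
    mx_ip = MX_TABLE.get(domain)                  # step 3: MX lookup
    if mx_ip not in servers:
        return [("lookup " + domain, "no MX record")]
    cmds = ["EHLO philsecure.com", "MAIL FROM:<%s>" % sender,
            "RCPT TO:<%s>" % recipient, "DATA"] + body.splitlines() + ["."]
    transcript = []
    for c in cmds:
        reply = servers[mx_ip].handle(c)          # step 4: talk to the MX host
        if reply is not None:
            transcript.append((c, reply))
            if reply.startswith("5"): break       # permanent error: give up
    return transcript
```

The returned transcript is the (command, reply) exchange between the two MTAs, which is what you would see in a packet capture of port 25.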

That's it! Email: a simple yet wonderful technology.

Monday, March 17, 2008

Basic of Inforcomm Security (Part 2)

This is a topic covered by tonnes of network security professionals. A trip to the nearby library would probably stuff you with more than enough knowledge to handle your network, that is, if you can absorb everything you read from the books. What I will list here are some of the common practices.

A firewall is one of the basic needs in a company network. Unless you are a network guru or some Cisco geek, depending on your router to protect your network will not be your best bet. A firewall normally comes by default with all ports closed. That means you only need to open what is needed for your operation to function. Be careful not to open more than is necessary. A quick search of your existing application documentation will tell you which ports are needed, and those are the only ports you need to open. Using Network Address Translation (NAT) is also necessary to protect your servers or applications from being exposed to the external network. NAT is safe and it saves you the cost of purchasing static IPs.

Intrusion Prevention System (IPS)

IPS is an additional protection for the network. For a company dealing with a large amount of sensitive data, and with the budget, IPS is definitely the way to go. As we know, a conventional firewall blocks unwanted attacks and data from coming into the network, but we also know that the firewall ignores whatever has already gotten into the network! An IPS scans and constantly listens to the traffic in the network. Abnormal behaviour in the network traffic is immediately detected, and a notification can be sent out instantly. There are some firewall appliances that act as unified threat management (UTM) machines. Such machines normally have an IPS module in them. An administrator looking for IPS together with a firewall, on a limited budget, might want to consider such an appliance.

Anti Spam Appliance

Normally also sitting at the perimeter, an anti-spam appliance is often used to safeguard the company's email. These appliances normally come with anti-virus built in. It is highly important to do an evaluation test of the appliance before purchasing it. In fact, during the evaluation period it is very important to confirm the reliability of the appliance before running it in the production environment.

An anti-spam appliance is supposed to sit in front of your company's Mail Transfer Agent (MTA). This means that all email goes through your anti-spam appliance before reaching your MTA. If the appliance is not reliable, it might jam up all your email or cause legitimate mail to be filtered out without your knowledge. This could cause the administrator a big problem if the company directors' million-dollar e-mail has been dropped and no one knows about it.

There are several techniques used to detect spam and take care of email security. Greylisting, content filtering and Sender Policy Framework are just a few of them. Be sure to understand them well before you deploy an anti-spam appliance in your company network.

This is a simple guide to, and understanding of, the devices that can be used in perimeter security. I hope it helps some of the administrators out there.

Basic of Inforcomm Security ( Part 1)

Surprise is the word I use often when I step into a customer's organization and realize how lacking in security knowledge the IT administrator is. I will start off my blog touching on the basics of security from the desktop to the perimeter... Note that I will not be going into the details of each security point. This is just a guideline for the "newbie" administrators out there who probably do not know what needs to be secured in their network.

To simplify things, I will break the network down into 2 parts:
-End Point, referring to the desktops/servers (Part 1)
-Perimeter, referring to the line that separates the internal network from the external Internet (Part 2)

**Mid-level security such as the use of VLANs or network access security will not be mentioned in this blog. It will be touched on in my later entries.

End Point Security Guideline

To this day, there are people who think that risk only comes from external factors, and therefore spend thousands of dollars securing their perimeter while leaving the desktops open to risk. This is an extremely wrong concept, as today's risk does not come from outside alone.

The desktop is open to various types of risk such as data theft, viruses, hacking tools, etc. With today's modern technology, IT gadgets are getting smaller and cheaper. A USB flash drive in the form of a pen costs only SGD10.00 and is easily available off the shelf. Such devices are easily brought into any corporate office, and any system that is not secured could have its data downloaded onto the device with ease. Issues of resigning employees stealing data are very real, and unhappy employees injecting viruses into the production environment is very common.

Desktops have to have anti-virus installed to keep themselves free of viruses. I will not elaborate on anti-virus, as I assume everyone knows the importance of having an updated anti-virus on their desktop. I will instead elaborate on securing the endpoint's ports (e.g. USB, Bluetooth, infrared, etc.), something that many administrators are unaware of. Desktop ports can be secured by various methods, such as using the registry to lock down the various physical ports on the notebook or computer. This method is free, as no third-party software is needed. But the administrator doing it must have pretty good knowledge of the registry settings, and must keep a tidy and extensive record of the computers whose registry has been changed. Alternatively, there is third-party software on the market that gives the administrator a cool and user-friendly interface to do the job above.

Such software normally allows the administrator to decide which ports (e.g. USB, Bluetooth, infrared, etc.) are allowed for use. Information transferred from the system to an external device is also audited. This prevents employees from copying sensitive information and then denying having done it. Better endpoint security software will even encrypt the data leaving the system for the external device. This prevents the data from falling into the wrong hands should the device be stolen or lost.

As a best practice, the administrator should only allow company-registered external devices to be used on the endpoint, all data transfers should be logged, and all data leaving the system for an external device should be encrypted.

Hardening of Desktop/Servers

Besides the use of endpoint software to lock down the ports and control the use of external devices, there are also some simple practices that we should look into:

1) Password control - a password policy should be in place to prevent unauthorized access.
2) Remote administration - should be disabled to prevent unauthorized access.
3) Administrator rights - proper rights should be assigned to the users of the workstation.
4) Guest account - the guest account and any additional accounts should be disabled.
5) Unauthorized notebooks and workstations should not be allowed access to the LAN.
6) All security vulnerabilities should be patched.
7) Unused ports should be closed.

I hope this blog can be useful to some in the light of desktop security.