Security Experts:

Are You Blocking Your Own Email?

Spam Blocking: How can you Prevent Against False Positives in Your Organization?

Several industries rely on a network of external independent agents to do business. These include: insurance, mortgages, real estate, and private wealth management. This has significant impact on the way a firm designs its email infrastructure, permits use of the mail system, sets acceptable use policy, and deploys Internet gateway security. In week's column, I’ve outlined specific steps that will help mitigate the impact of the agent’s computer and that will help prevent against false positives.

SPAM Blocking False PositivesWhen a firm utilizes the services of external agents, there is a distinct risk that they will block legitimate email from those agents as spam. The risk is created as follows:

1. Agents are usually using their own computers email clients, email accounts, and ISPs to send email.

2. The firm exercises no control over the email practices of the agents, when not doing work on behalf of the firm.

3. The agents are frequently ignorant of sender best practices, for example, as set by the Mail Anti-Abuse Working Group (MAAWG), an industry trade organization dedicated to fostering the development of technologies and polices for combating abuse of the Internet email system.

4. The agents abuse the Internet email system out of ignorance.

For example, an independent agent sends bulk email on behalf of a third party that is not your firm. That email does not comply with CAN-SPAM and Internet sender best practices. It is determined to be spam by receivers and lands the personal information in the email, such as phone numbers and URLs in email signature content, in anti-spam engines. Now, whenever that agent sends an email with the same contact information, the email will be blocked. The worst-case scenario is now realized. Inbound email to your firm containing important communications related to revenue or customer service will now be blocked by your own anti-spam software.

There are strategies to mitigate this risk, and there are technological solutions. On the business process side you need to establish acceptable use policies for agents and conduct training to agents on proper use of email. MAAWG has resources that may be used to develop that training. On the technical side you need to provide email infrastructure that agents use when working on behalf of the firm.

The provided email infrastructure could amount to providing email accounts and computers that are to be used only on behalf of the firm, providing email accounts and VPN access to the firm’s email systems, and providing authentication credentials that permit relay on the firm’s Internet gateway. When the credentials are presented, you can rest assured that email sender is who that sender claims to be and can create a policy bypass around the spam filter to avoid the business impact of the false positives created by their own behavior. Alternatively, the same authentication could be achieved with the deployment to the agents of encryption keys that are used to sign the mail. The signature would be verified at the Internet gateway and the policy bypass invoked. Were the email encrypted as well as signed, the email is confidential in transit.

Without these steps, you will be fighting a losing battle against false positives. The false positives as they come in can be contested with the anti-spam vendor, but as bad sending practices continue, those senders will continue to be blocked.

An added benefit of taking these steps is that it mitigates the impact of the agent’s computer, unbeknownst to the agent, being infected and becoming a node in a bot-net, sending spam, that will cause the agent’s machine itself from being blocked at the IP address level. You will still be able to receive email from that agent with a policy bypass when the email is authenticated.

Read More of Greg's Email Security Columns Here

Subscribe to the SecurityWeek Email Briefing
view counter
Greg Olsen is Director of Business Development at Sendmail, Inc. Greg has more than 20 years of experience as an IT professional. He has been designing, deploying, and managing SMTP email infrastructures for 17 years. He has broad industry experience across high technology, higher education, government, and financial services industries. In his current role at Sendmail, Inc., he manages the third-party technology partnerships, including VMWare, and the open source initiatives of Sendmail.
view counter