15-12-2012, 01:05 PM
Smart Email Security
Abstract
Electronic Mail is quite arguably the most important application for personal and
business communication across the Internet. People depend on it for sending text, image
and even sound files quickly to their destinations. This is a far cry from the Postal
Service and even the Pony Express for delivering messages to their destinations in days
or even weeks.
E-Mail was designed to be easy to use and to deliver messages quickly from end to end.
Because of these factors, E-Mail does not have many built-in security measures
by default. Barebones E-Mail services do not provide non-repudiation between the
sender and receiver. They also fail to provide encryption, so an E-Mail message remains
clear text as it traverses the Internet.
The goal of this paper is to provide secure methods of sending and receiving
E-Mail over the Internet. This will include both server/provider technologies and
end-user client solutions, to encompass E-Mail technology as a whole. E-Mail is a
convenient technology that most people rely on for communication today, but it can come
at a cost if poor security measures are taken.
Introduction
Electronic Mail is one of the most used tools when it comes to business and
personal communication in the world today. Notes, messages and even pictures can be
sent quickly from source to destination using E-Mail. The senders of these messages
often assume that the contents are private and are kept sealed from the source to the
destination. This is not always the case! With the proper techniques, malicious hackers
and spammers can read and send unauthorized E-Mail information that senders and
receivers assume is private. This could range from reading/modifying a message being
sent between E-Mail servers to sending unauthorized Spam messages to individuals
throughout the world. The heavy reliance on E-Mail makes the proper security
precautions essential to providing secure and reliable E-Mail solutions in organizations
today.
Overview of E-Mail Systems
The E-Mail process can be broken down into two general parts: message sending
and message delivery. The two processes depend on each other to allow the E-Mail to
be successfully sent and delivered to the correct destination. First, the message
composition and sending process will be covered.
In this example a simple text message will be composed and sent to its
destination. The end user’s client E-Mail program plays what is known as the User
Agent role [5]. Once a message is composed in an E-Mail client program, it is sent to an
SMTP server to be delivered to its destination. SMTP is the Simple Mail Transfer Protocol,
specified in RFC 2821 for delivering E-Mail messages, and uses TCP port 25. In most
cases an SMTP server is provided by an ISP or organization to provide E-Mail sending
functions for an individual or organization. The E-Mail client computer first sends a
“HELO” message to the SMTP server. This message informs the SMTP
server that the client would like to send a message and even what type of message is
being sent. If the SMTP server can accept the message, it will send a reply back to
the client. Next, the client sends the “MAIL FROM:” message with the address of the
sender. The SMTP server will then reply back with a “Sender OK” message to continue
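The dialogue described above, modelled as a small state machine. This is an added example, not code from the original paper; the class and function names, the reply wording and the example.org/example.com addresses are assumptions made for illustration. It shows what the server sees on the wire: every command and the message body arrive as readable text, and the sender address is recorded exactly as the client claimed it.

```python
class SmtpSession:
    """Server side of one SMTP conversation, reduced to the commands above."""
    def __init__(self):
        self.state = "START"      # START -> GREETED -> MAIL -> RCPT -> DATA
        self.sender = None        # envelope sender exactly as the client claimed it
        self.recipients = []
        self.body = []

    def handle(self, line):
        """Return the server's reply to one client line (None while in DATA)."""
        if self.state == "DATA":
            if line == ".":                       # a lone dot ends the message
                self.state = "GREETED"
                return "250 Message accepted for delivery"
            self.body.append(line)                # stored as received: clear text
            return None
        upper = line.upper()
        if upper.startswith("HELO "):
            self.state = "GREETED"
            return "250 Hello " + line[5:].strip()
        if self.state == "START":
            return "503 Send HELO first"
        if upper.startswith("MAIL FROM:"):
            self.sender = line[10:].strip().strip("<>")   # nothing verifies this
            self.state = "MAIL"
            return "250 " + self.sender + "... Sender OK"
        if upper.startswith("RCPT TO:") and self.state in ("MAIL", "RCPT"):
            self.recipients.append(line[8:].strip().strip("<>"))
            self.state = "RCPT"
            return "250 " + self.recipients[-1] + "... Recipient OK"
        if upper == "DATA" and self.state == "RCPT":
            self.state = "DATA"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "503 Bad sequence of commands"

def run_dialogue(client_lines):
    """Feed client lines to a fresh session; return (session, wire transcript)."""
    session, wire = SmtpSession(), []
    for line in client_lines:
        wire.append("C: " + line)
        reply = session.handle(line)
        if reply is not None:
            wire.append("S: " + reply)
    return session, wire

# Constructed sample dialogue; hosts and addresses are placeholders.
SAMPLE = ["HELO client.example.org", "MAIL FROM:<alice@example.org>",
          "RCPT TO:<bob@example.com>", "DATA",
          "Subject: lunch", "", "Meet at noon.", "."]
```

Calling run_dialogue(SAMPLE) returns the session state and the full client/server transcript for inspection.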
Common Vulnerabilities
As shown in the process detailed above, there can be many opportunities for
hackers to send unauthorized messages or modify messages during delivery. Messages that
are sent in clear text can be easily read if the mail delivery system is compromised. This
could happen if MX entries are compromised or even with the installation of rogue mail
servers. When messages are sent to these compromised servers during the delivery
process, the messages could easily be sent to alternate destinations along with the correct
destination. This would allow hackers/spammers access to E-Mail addresses or sensitive
information contained in the messages themselves.
Many of the problems that E-Mail users encounter are related to the material
contained in messages that they receive. These sometimes include HTML-formatted
messages, harmful attachments or other forms of executable code. The most common
and best-known harmful E-Mails contain viruses or malware. If these
attachments are opened on a computer they can install viruses or spyware that can do
anything from formatting the computer to sending an entire address book's worth of viruses
and personal information [10].
Security Requirements
For the purposes of this paper the main security goals are as follows. The E-Mail
services must be able to provide non-repudiation and encryption when necessary. A
secure E-Mail system or client must also be able to minimize the effects of spam and
malware on the systems that receive messages. The security measures analyzed here will
be divided primarily into two categories: first, options for end-user or client-based
products; second, server-based or other corporate solutions. Methods of
authentication will also be discussed to help provide identification of E-Mail users.
Client Based Solutions
E-Mail clients have traditionally used MIME (Multipurpose Internet Mail
Extensions) for formatting most messages that have multiple messages embedded or for
non-text based messages. Messages formatted in such a way are sent as clear text and,
as we know, can be vulnerable to disclosing sensitive information to hackers and spammers
[3].
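To make the clear-text point concrete, the following added example (not part of the original paper) builds a two-part MIME message and then recovers everything in it from the transmitted bytes alone. The function names, addresses and message contents are constructed for illustration. The attachment is base64-encoded in transit, but that is a transfer encoding, not encryption: any system that handles the bytes can decode it without a key.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_message():
    """Compose a constructed MIME message: text body plus binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"          # placeholder addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Account number 0000-1111 (constructed sample).")
    msg.add_attachment(b"salary,42000\n", maintype="application",
                       subtype="octet-stream", filename="figures.csv")
    return msg.as_bytes()                      # the bytes that go on the wire


def observe(wire_bytes):
    """What any relay on the delivery path can recover, with no key at all."""
    msg = message_from_bytes(wire_bytes, policy=policy.default)
    seen = {"headers": {k: str(msg[k]) for k in ("From", "To", "Subject")},
            "parts": []}
    for part in msg.walk():
        if part.is_multipart():                # container only, no content
            continue
        seen["parts"].append((part.get_content_type(),
                              part.get_filename(),
                              part.get_payload(decode=True)))
    return seen


if __name__ == "__main__":
    for content_type, filename, data in observe(build_message())["parts"]:
        print(content_type, filename, data)
```

The text body appears verbatim in the wire bytes; the attachment does not appear verbatim, yet observe() returns it in full, which is why confidentiality needs encryption applied on top of MIME.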