Amir Lev

Security Levity

Real-world email defense in depth: keep it simple, stupid

In this week's Security Levity, I'm interviewing Cameron Brown, the VP of engineering at Sendio. Cameron has been architecting email protection systems for many years; he has an interesting perspective on balancing simplicity with "defense-in-depth".

Cameron, email-based attacks continue to grow in volume and sophistication; how can email defense ever be simple?
Developers have converged on the idea that email defense should apply a combination of sender reputation and content analysis. Good content analysis requires use of sophisticated algorithms and up-to-the-minute data about patterns around the globe. Reputation is much more deterministic and simpler to apply than content analysis.

Our readers have heard what I think about sender reputation, but what's your perspective?
Reputation is usually implemented as lists of senders who all have common properties. Email or IP addresses in a whitelist are regarded as having "perfect" reputation -- email sources trusted by a user or system to send good email every time. Blacklists are the opposite.

But in between black and white are the more interesting shades of gray. Reputation databases keep track of other behaviors or qualities that influence a recipient's willingness to receive messages from a source -- for example, how long a domain's been sending email or whether a server's willing to retry deferred messages. The reputation can be tied to a sending server IP address, a sender's domain, or even an individual email address.

What if the sending address has been forged?
There are a number of tests to address this, such as SPF and DKIM signing. Implementing these techniques helps to identify spoofed messages. They're not perfect, but they're improving as more senders implement them.

If a sender has good reputation, why would I care about message content?
Even your best customer could inadvertently send you a message with a virus or other malware, so scanning for known signatures is very important. Additionally, some companies have policies about acceptable content, so they implement additional content filtering tests.

If you have to process the message content anyway, why bother with reputation?
As Leonardo da Vinci said, "Simplicity is the ultimate sophistication." If there are two ways to solve a problem, choosing the simpler way is a well-established principle of software design. Content filtering can be effective, but it's complex and it relies on probabilistic comparisons -- that makes it inherently subject to inaccuracies. So it's difficult for end users to understand and fix things when they go wrong.

Content filtering is best limited to situations where a sender has an indeterminate or unknown reputation.

Do you think it's possible to have a totally secure email environment?
[Laughs]
Sure, but it takes more than just hardware and software. People can only be protected if they are an active and willing part of the protection process. Hiding security away from users makes them ignorant and sloppy -- not a great combination. Users should be provided with simple tools to manage their own email whitelists and blacklists, on top of the automated mechanisms.

While obviously-bad content -- such as Trojan attachments -- can be handled automatically, filtering "unwanted" email should be controllable by end users. After all, they're the only ones who know their personal definitions of "unwanted."

So, in summary, your philosophy is to test email starting with the simplest and most deterministic tests, and get progressively more complex until you can make accurate conclusions.
Yes. It’s about implementing many different types of tests to identify message senders and their reputation, and scanning message content for categorization. And users should be involved in the qualifications where they have the best insight. It's ridiculous to rely exclusively on general content filtering.
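The layered approach Cameron describes, as an added illustration that is not code from Sendio or from this interview: deterministic checks (signatures, blacklist, whitelist gated on SPF/DKIM, cheap reputation signals) run first, and the probabilistic content filter is consulted only when sender reputation is indeterminate. All lists, thresholds and the malware marker are constructed for the example.

```python
from dataclasses import dataclass

ACCEPT, REJECT, QUARANTINE = "accept", "reject", "quarantine"


@dataclass
class Message:
    sender: str        # envelope-from address
    source_ip: str
    spf: str           # authentication results as the MTA reported them: "pass"/"fail"/"none"
    dkim: str
    days_sending: int  # how long the sending domain has been observed sending mail
    body: str


# Constructed policy data standing in for a reputation database.
WHITELIST = {"alice@partner.example"}
BLACKLIST = {"spam@bulk.example", "203.0.113.7"}
MALWARE_MARKERS = {"CONSTRUCTED-MALWARE-MARKER"}  # placeholder for real signatures
SPAMMY_WORDS = {"free", "winner", "click", "urgent", "prize"}


def content_filter(msg: Message) -> tuple[str, str]:
    """Probabilistic last resort: a crude token score, deliberately simple."""
    words = [w.strip(".,!").lower() for w in msg.body.split()]
    if not words:
        return QUARANTINE, "content-filter"
    score = sum(w in SPAMMY_WORDS for w in words) / len(words)
    return (QUARANTINE if score > 0.2 else ACCEPT), "content-filter"


def classify(msg: Message) -> tuple[str, str]:
    """Return (verdict, name of the test that decided it), cheapest tests first."""
    # 1. Known-bad signatures apply to every sender, even trusted ones.
    if any(m in msg.body for m in MALWARE_MARKERS):
        return REJECT, "malware-signature"
    # 2. Deterministic reputation: blacklisted address or source IP.
    if msg.sender in BLACKLIST or msg.source_ip in BLACKLIST:
        return REJECT, "blacklist"
    # 3. Whitelist only counts when SPF or DKIM shows the sender is not forged.
    if msg.sender in WHITELIST:
        if "pass" in (msg.spf, msg.dkim):
            return ACCEPT, "whitelist"
        return QUARANTINE, "whitelist-unauthenticated"
    # 4. Gray-area reputation: failed authentication from a young domain.
    if msg.spf == "fail" and msg.days_sending < 30:
        return REJECT, "reputation"
    # 5. Indeterminate reputation: only now pay for content analysis.
    return content_filter(msg)
```

The second return value makes each verdict explainable to the end user, which is the property the interview says probabilistic filtering alone lacks.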

When he's not interviewing email experts, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.

Disclosure: Sendio, based in Newport Beach, California, has been a partner of Commtouch since 2006, when the company licensed the Commtouch RPD anti-spam engine as part of its email defense appliance and service.
