Email Security Annual Review & Threat Report 2005

REPORT PUBLISHED BY POSTINI, INC. JANUARY 2005
PREEMPTIVE PROTECTION

Email Administrators & Security Professionals:

As the leading provider of secure email boundary services, Postini is in a unique position to describe email security activity and trends because of the scale of our global email processing. Currently processing more than 3 billion email messages per week for 6.6 million email users worldwide, Postini sits between the email gateway and the Internet, preventing spam, viruses, and other email attacks from impacting our customers' email systems and networks.

More than 4,000 customers now route their email through Postini's redundant data centers to remove unwanted emails and threats, and instantly deliver legitimate emails to recipients. Because all customer email flows through Postini's processing centers, Postini is able to directly monitor and collect statistics in real time. The hundreds of millions of emails passing through Postini's managed service on a daily basis constitute approximately 1% of the world's business email traffic, and therefore provide a unique opportunity to accurately view worldwide email activity and trends. The data provided in this report, unless specifically stated otherwise, is based upon direct measurements of mail flowing through Postini's systems, and is not the result of extrapolation, estimation, or subjective analysis.

The Postini Email Security Annual Review & Threat Report provides a summary of how spam and other email threats have evolved over the course of the past year; changes in the regulatory climate that impact email communications; how organizations have responded to changes in email threats and regulations; and what to expect in email security trends in 2005.

The Email Security Annual Review & Threat Report offers email and security professionals a concise and convenient resource to:

• Gain a brief, yet comprehensive overview of 2004 in terms of changes in email threats and the regulatory environment.

• Review the latest tactics and trends in spam, virus and email attacks, and get an overview of how organizations are responding to these threats.

• Get a sneak preview from analysts and experts into emerging issues and concerns that may help inform email security strategies and/or implementations in 2005.

Please note that the opinions expressed in this report are those of Postini unless indicated in references or direct attribution. To monitor email security statistics and trends from Postini throughout the coming year, visit our website at www.postini.com. Current email threat activity statistics are updated daily on our website.

Postini
Redwood City, California
January 2005

Table of Contents

1. EXECUTIVE SUMMARY

2. 2004: THE YEAR IN REVIEW

3. 2004 EMAIL THREAT STATISTICAL HIGHLIGHTS
   Spam
   Viruses
   Directory Harvest Attacks
   Phishing

4. 2004 MILESTONES IN EMAIL SECURITY & REGULATORY ENVIRONMENT

5. BEST PRACTICE RESPONSE TO EMAIL SECURITY THREATS & REGULATIONS
   Intrusion Prevention
   Encryption
   Policy Compliance & Enforcement
   Archiving
   Authentication
   Administrator/User Flexibility
   Reporting & Security Management
   Email Disaster Recovery

6. EXPECTATIONS FOR EMAIL SECURITY IN 2005

7. APPENDICES
   Appendix A - References
   Appendix B - Postini Real-time IP Analysis
   Appendix C - About Postini

Email Security 2004 Executive Summary

Even as attention to spam and its harmful impact on worker productivity reached a high point in 2004, threats to email systems grew worse as the incidence of spam, virus attacks, and directory harvest attacks all increased in frequency and/or severity over the course of the year.

Email Threat Highlights from 2004:

• Despite new laws and regulations, the proportion of spam compared to total email remained consistently high—between 75% and 80% throughout 2004.

• Smaller companies such as those with 100 users or less received up to 10 times more spam per user than large companies (10,000 users or more).

• Different types of organizations received different amounts of spam. The publishing industry, for example, leads with more spam per user than any other industry.

• The average company experienced 150 directory harvest attacks (DHAs) per day in 2004, with each attack averaging 234 invalid address lookups. These figures make DHAs the least visible and most underreported threat of 2004.

• Virus infected emails were more widespread, encompassing 1.5% (about 1 in 67) of all emails in 2004. This is significantly higher than in 2003 when .5% (1 in 200) of emails were infected.

• Email viruses significantly increased the propagation of spam through hijacked computers (known as zombies) that unknowingly serve as conduits for spreading spam.

• As email threats continue to escalate and become more sophisticated, small businesses with limited IT resources that often rely on first-generation or open source anti-spam solutions were vulnerable.

Regulatory Highlights from 2004:

• The CAN-SPAM Act went into effect on January 1, 2004 in the U.S. and did not demonstrate any significant impact in decreasing spam during 2004.

• Microsoft, America Online, Earthlink, and Yahoo! filed the first major industry lawsuits under the CAN-SPAM Act in March 2004. The lawsuits named hundreds of defendants, with more than 90 percent of them identified only as "John Doe."

• On the first anniversary of Britain's Privacy and Electronic Communications regulations (December 2003) aimed at stopping unsolicited email, not a single offender has been prosecuted.

Email Security Expectations for 2005:

• Email threats will continue to evolve at a faster pace as spammers become more sophisticated and counter measures designed to combat these threats will become available much more quickly.

• Companies will move from first generation single function "point" email security products/services to next-generation solutions that offer broader scope of protection from a single vendor/source.

• Email security will see an increased focus on sender IP address and "reputation" or behavior analysis of email messages in addition to content filtering as a critical component of "multi-layer" email intrusion prevention.

• Increased consolidation among email security software and "point product" vendors will continue as appliance and managed service email security solutions grow in popularity and expand their share of the market.

• efforts will continue despite setbacks, but will have only minimal effect on solving the spam problem.

• As email threats continue to escalate and become more sophisticated, small businesses that often rely on first-generation or open source anti-spam solutions will remain particularly vulnerable to spam, viruses and email attacks.

Email Security: 2004 in Review

Spam Levels Consistently High

Throughout 2004, Postini observed that 75 to 80 percent of all emails were spam, with the statistics showing consistently high levels throughout the year. Richi Jennings of Ferris Research (www.ferris.com) argues that the economic incentive for sending spam versus the risks continues to favor spammers. Ferris Research reports the type of spam generated in 2004 according to the following categories:

• Discounted software, drugs, herbal alternatives: 35%
• Fraud & scams: 20%
• Financial Services: 20%
• Pornography: 15%
• Other: 10%

Spammers Get More Sophisticated, Shift Tactics

By mid-2004, spammers were observed using new tactics designed to fool conventional anti-spam content filters. The logic behind these new techniques was simple: take away or reduce the content of a message to confuse filtering methods just enough to allow a message to get through. Because anti-spam filters on enterprise servers must handle messages for hundreds or even thousands of users, it is difficult for the IT department to increase the sensitivity of filters to catch these techniques. Increasing content filter sensitivity too much increases the risk of false positives.

During 2004, spammers and hackers also shifted techniques to launch more of what are known as directory harvest attacks (DHAs). DHAs are designed to steal valid email addresses from corporate email directories so they can send more spam or sell the harvested addresses to other spammers. DHAs cannot be stopped by conventional content filtering since there is no message content, nor can new spam techniques that reduce or eliminate content in a message be reliably blocked with content filtering. DHAs and minimal content spam must be detected at the SMTP connection point in real time, in order to prevent these threats from reaching the enterprise email gateway.

Battle Against Email Threats Moves To The Front Lines Of IP And Behavior Analysis

Because spammer techniques have shifted to minimizing or removing content from spam messages, conventional content filtering alone proved insufficient in stopping spam and email attacks in 2004. This has put increased focus on multiple layer protection from email security providers such as Postini, specifically, with its patent-pending IP analysis and threat detection. Postini estimates that it currently blocks 35 to 50 percent of email messages at the SMTP connection point, prior to examining the message content, based on the actual behavior patterns of the sending computer over the previous seconds, minutes, or hours.

Anti-Spam Legislation Largely Ineffective So Far

The CAN-SPAM law in the United States, and anti-spam regulations based on the Privacy and Electronic Communication directive from the European Union, have thus far failed to stem the growing tide of spam throughout the world. Despite fines and jail time penalties under the CAN-SPAM law, prosecutions have been limited to only a few high profile cases.

While the United Kingdom was among the first European countries to introduce its own version of the Privacy and Electronic Communication Directive (nearly half the EU member states had failed to implement any laws by the end of 2004), the UK law protects only personal email addresses, and the government agency in charge of enforcing the law lacks the funds and clout to pursue prosecutions.

Phishing Grabs Headlines

Phishing schemes grabbed headlines in industry publications and the mass media, and the attention of IT managers as reports of identity theft multiplied significantly during the second half of 2004. Phishing involves using email messages to trick users into revealing their passwords for a particular service, or confidential information. Fraudulent emails appear to be from legitimate senders directing users to a web site where private information is requested. Gartner estimates that last year, phishing scams cost banks and credit card companies billions of dollars.

The New York based Financial Services Technology Consortium announced an initiative to counter phishing in September, attracting financial services companies such as CitiGroup, J.P. Morgan Chase & Co., and Visa U.S.A. as well as technology vendors. An antiphishing group called Digital PhishNet was formed in December, to bring together the FBI and law enforcement groups with companies such as Microsoft, America Online, Earthlink and others.

Viruses Enabled Bot-Nets Spread More Spam

During the last half of 2004, email viruses such as "netsky" and "bagle" attacked the cable-modem or DSL linked computers of individual and small business users, creating "zombies" that can be tied together into "bot-nets" that allowed spammers to use these computers to send spam and DHAs. In most cases, the individual computer users are unaware their computers have become a zombie conduit for perpetrating spam. Some analysts now estimate that more than half of all spam sent during the last quarter of 2004 came from these bot-nets.

Email Authentication Stumbles On Standards

The past year saw a proliferation of email "authentication" proposals that were not necessarily in line with one another. Yahoo! created "DomainKeys" and Cisco announced "Identified Internet Mail", both of which use digital signatures to verify an email sender's authenticity. Others such as Microsoft and America Online are approaching email authentication by cross checking addresses with domain name service records.

In mid-year, Microsoft merged its "Caller ID for email" technology with Pobox.com's SPF or "Sender Policy Framework" approach to produce "Sender ID." Sender ID, however, faced a setback when open source groups withdrew their support, and the Internet Engineering Task Force (IETF), which sought to develop email authentication standards, shut down its working group.

All the controversy however, may be a tempest in a teapot. Many industry experts warned that none of these technologies are actually intended to stop spam; they merely authenticate the source of the email message. By the fourth quarter of 2004, most of the SPF and Sender ID records published were actually being published by spammers.

2004 Email Threat Statistical Highlights

Spam

Generally, spam is any type of unwanted email, but is more accurately defined at the user level where spam definitions are considered to be "in the eye of the beholder." The Postini system allows individual users to construct their own definition of spam. Utilizing white lists, black lists, and adjustable filter sensitivity settings, one user's filter may be very different from another user's, resulting in a broad range of possible spam blocking attributes—therefore the definition of spam will vary accordingly. When an email gets caught in Postini's customer-defined filters, it is considered to be spam.

[Figure 1: Proportion of Spam in Email: 2004. Percentage of email that is spam (0% to 90%) by week ending, 1/10/2004 through 12/25/2004. Source: Postini]

Statistics

On a weekly basis, the percentage of email considered as spam was consistently 75% to 80% throughout 2004.

Analysis

The proportion of spam in email was remarkably steady throughout 2004, averaging between 75% and 80% throughout the year, despite some significant events such as the CAN-SPAM Act that could have impacted the flow of spam.

It would appear that the battle between spammers and spam fighters reached a plateau or equilibrium in 2004, with spam still representing a significant portion of all email.

[Figure 2: Spam Volume by Company Size: 2004. Spam emails per user/day (0 to 40) by email users per company: < 100, 100-500, 500-1k, 1k-5k, 5k-10k, >10k. Source: Postini]

Statistics

• The amount of spam email users received varied widely by company size.

• Small companies with fewer than 100 email users received by far the most spam messages per user, over 35 spam emails per user/day.

• Companies with more than 10,000 email users received by far the fewest spam messages, fewer than 3 spam emails per user/day.

Analysis

There are several possible explanations of why small companies received more spam per user than larger companies, including:

• Large companies generally employ more comprehensive, holistic information security programs than smaller companies, which results in a reduced incidence of spam-provoking employee behavior.

• Spammers anticipate that small companies will have less sophisticated defenses than larger companies and therefore target smaller companies.

[Figure 3: Spam Volume by Industry: 2004. Spam emails per user/day (0 to 30) by industry: Publishing, Advertising, Legal, Real Estate, Software, IT Consulting, Accounting, Non-Profit, Education, Insurance, Utilities, Construction, Government, Agriculture & Mining, Retail, Healthcare, Transportation, Engineering, Manufacturing, Banking, Financial, Electronics, Food & Beverage, Pharmaceutical. Source: Postini]

Statistics

The amount of spam email users received varied widely by industry: from less than 1 spam email per user/day in the pharmaceutical industry to over 25 emails per user/day in the publishing industry.

Analysis

While the statistics do not make clear why some industries received so much more spam than others, it may be that certain industries are more visible with their email addresses than others, making it more likely that their email addresses end up in the hands of spammers. Reporters, real estate agents and attorneys, for example, must be readily accessible to their prospects and customers in order to properly conduct their business, and cannot easily change published email addresses.

Directory Harvest Attacks (DHA)

Directory harvest attacks occur when a spammer attempts to steal valid email addresses directly from email servers by exploiting standard SMTP commands. By sequencing through a dictionary of common names in rapid fashion, and interpreting the server's response of "yes, valid address" or "no, invalid address", spammers can, through brute force, compile a comprehensive list of valid email addresses within a company.

Spammers, list brokers or other unscrupulous culprits exploit this simple functionality to harvest legitimate email addresses from a corporate directory by sending thousands (or even hundreds of thousands) of messages to multiple addresses such as [email protected], or [email protected]. Spammers track all of the addresses that do not bounce back or generate errors, and consider these valid addresses, which are then compiled into lists that are then sold or distributed to other spammers.

[Figure 4: Severity of Directory Harvest Attacks: 2004. Number of lookups per DHA attack (0 to 400) by month, JAN through DEC. Source: Postini]

Statistics

• The frequency of directory harvest attacks was consistent over the course of 2004, with the average company experiencing 150 DHAs per day.

• The severity of attacks grew, with the average attack consisting of 234 invalid address lookups.

Analysis

Directory harvest attacks are considered by Postini to be one of the most unrecognized and therefore underreported email threats. Known as "silent killers," DHAs often result in very damaging side effects: consuming enormous amounts of email server resources as email servers try to cope with DHA probes. Lotus Domino and Microsoft Exchange servers, for example, generally accept all messages for their domain by default. This aggravates the negative impact of a directory harvest attack because the spammer assumes all the attempted addresses are valid, and thus will send more spam or sell the attempted addresses to others.

During a directory harvest attack, a Domino or Exchange server also creates non-delivery reports (NDRs) for all of the invalid addresses (which can number in the thousands or tens of thousands). If, for example, a directory harvest attack makes 10,000 delivery attempts to an email system and only 100 turn out to be deliverable, the Exchange or Domino server will generate 9,900 non-delivery reports. For Exchange servers, these NDRs are sent back to the sender using illegitimate addresses, and they often bounce back again creating an "NDR storm" of messages. NDRs from DHAs, therefore, use up vast amounts of server cycles and result in full deferral queues and in extreme cases, can bring down email servers.

In addition, directory harvest attacks are often launched simultaneously, from many different computers. The resulting spike in traffic from the directory harvest attack can easily knock an email server offline.
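The detection problem described in this section, as an added example that is neither Postini's IP analysis nor code from the report: a sliding-window counter of failed recipient lookups that flags both a single noisy client and a lookup burst spread thinly across many clients. The class names, thresholds, and sample traffic (documentation IP ranges, example.com) are assumptions constructed for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RcptEvent:
    ts: float       # seconds; any monotonically increasing clock
    src_ip: str     # connecting SMTP client
    domain: str     # recipient domain named in RCPT TO
    valid: bool     # False when the address lookup failed (e.g. a 550 reply)


@dataclass(frozen=True)
class Alert:
    kind: str       # "single-source" or "distributed"
    subject: str    # offending IP, or the targeted domain
    invalid: int    # failed lookups counted inside the window
    sources: int    # distinct IPs contributing failed lookups


class DhaDetector:
    """Sliding-window counter of failed lookups; all thresholds are assumed values."""

    def __init__(self, window=60.0, ip_limit=20, domain_limit=100,
                 min_ratio=0.9, min_sources=10):
        self.window, self.ip_limit = window, ip_limit
        self.domain_limit, self.min_ratio = domain_limit, min_ratio
        self.min_sources = min_sources
        self.events = deque()
        self.by_ip = Counter()        # (domain, ip) -> failed lookups in window
        self.dom_invalid = Counter()  # domain -> failed lookups in window
        self.dom_total = Counter()    # domain -> all lookups in window

    def _evict(self, now: float) -> None:
        while self.events and now - self.events[0].ts > self.window:
            old = self.events.popleft()
            self.dom_total[old.domain] -= 1
            if not old.valid:
                self.dom_invalid[old.domain] -= 1
                key = (old.domain, old.src_ip)
                self.by_ip[key] -= 1
                if self.by_ip[key] == 0:
                    del self.by_ip[key]   # table stays bounded by the window

    def observe(self, ev: RcptEvent) -> Optional[Alert]:
        self._evict(ev.ts)
        self.events.append(ev)
        self.dom_total[ev.domain] += 1
        if ev.valid:
            return None
        self.dom_invalid[ev.domain] += 1
        self.by_ip[(ev.domain, ev.src_ip)] += 1
        mine = self.by_ip[(ev.domain, ev.src_ip)]
        if mine >= self.ip_limit:
            return Alert("single-source", ev.src_ip, mine, 1)
        # Per-IP counts look harmless; check the domain-wide picture instead.
        invalid, total = self.dom_invalid[ev.domain], self.dom_total[ev.domain]
        if invalid >= self.domain_limit and invalid / total >= self.min_ratio:
            sources = sum(1 for (d, _ip) in self.by_ip if d == ev.domain)
            if sources >= self.min_sources:
                return Alert("distributed", ev.domain, invalid, sources)
        return None


def first_alerts(events: Iterable[RcptEvent]) -> List[Alert]:
    """Replay events in time order; report the first alert per (kind, subject)."""
    det, seen, out = DhaDetector(), set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.observe(ev)
        if alert and (alert.kind, alert.subject) not in seen:
            seen.add((alert.kind, alert.subject))
            out.append(alert)
    return out


# --- Constructed sample traffic (not taken from the report) ---
def normal_mail() -> List[RcptEvent]:
    # 50 deliveries from 5 relays over 50 s, one mistyped recipient in ten
    return [RcptEvent(float(i), f"192.0.2.{i % 5 + 1}", "example.com", i % 10 != 0)
            for i in range(50)]


def single_source() -> List[RcptEvent]:
    # one client, 234 failed lookups (the report's average attack size)
    return [RcptEvent(1000 + i * 0.1, "203.0.113.7", "example.com", False)
            for i in range(234)]


def distributed() -> List[RcptEvent]:
    # 120 clients, 2 failed lookups each, all inside one minute
    return [RcptEvent(2000 + i * 0.2, f"198.51.100.{i % 120 + 1}", "example.com", False)
            for i in range(240)]


if __name__ == "__main__":
    for name, stream in (("normal", normal_mail()), ("single", single_source()),
                         ("distributed", distributed())):
        print(name, first_alerts(stream))
```

A client that probes slowly enough to stay under the window never trips either threshold, which is why the report speaks of sender behavior over seconds, minutes, or hours; a longer second window would be needed to cover that case.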

[Figure 5: Largest Directory Harvest Attack of 2004 Recorded by Postini. Messages (0 to 80,000) over time, 09:00 to 09:59; series: 500 Errors, Blocks, Directory Harvest Attack. Source: Postini]

The largest DHA attack recorded by Postini to date occurred December 10 against a major North American retail company. The attack took place over a one-hour period, peaking at more than 60,000 delivery attempts per minute in its final phase. Such attacks are becoming more severe as spammers seek to harvest legitimate email addresses for sales and distribution to other spammers.

[Figure 6: Top Viruses of 2004 (pie chart). Labelled slices: netsky 54%, mime 11%, mydoom 10%, zafi 8%; also shown: other, objectdata, sobig, bagle, zeroilin, with one slice labelled 17%. Source: Postini]

Viruses

Viruses continued to proliferate throughout 2004, and the speed with which they spread throughout the Internet continued to accelerate. Personal and small business computers hijacked by spammers through email viruses and harnessed as "bot-nets," generated from 40 percent to more than 50 percent of all spam according to analyst estimates.

Statistics

• Of the approximately 1 billion virus infected emails intercepted by Postini in 2004, the netsky virus was by far the most prevalent, accounting for 54% of the infections.

• In general, the virus problem worsened in 2004. The percentage of virus infected emails recorded by Postini increased from .5% in 2003 to 1.5% in 2004.

• Viruses became a significant contributor to the spam problem in 2004: Postini estimates that around 40% of spam was sent by virus-infected zombie computers. Richi Jennings of Ferris Research estimates that more than half of all spam at the end of 2004 was generated through bot-nets.

Analysis

Email viruses such as bagle and netsky have become spam enablers as they act to take over personal and small business computers by harnessing them as zombies to distribute even more spam. As ISPs and others have become more adept at identifying originating IP addresses of spammers—and shutting them down—spammers have used these virus-enabled "bot-nets" to send spam, more viruses, or launch denial of service attacks. Moving through numerous IP addresses in a matter of minutes, log analysis becomes "too little, far too late," to effectively identify spammers and stop offending IPs.

[Figure 7: Typical Directory Harvest Attack Using Coordinated Network of Spam Zombies. Unique IPs (0 to 500) by minute (1 to 29); annotation: 472 unique IPs detected, showing a 4-fold increase in only one minute. Source: Postini]

Spammers and hackers manipulating bot-nets (groups of zombie computers infected with email viruses) can launch spam and email system attacks from hundreds or even thousands of hijacked machines, making it impossible for older anti-spam technologies to trace and identify the IP sources of the attacks. More than one-third of IP addresses blocked by Postini's patent-pending IP Analysis technology now resolve back to cable modem and DSL line sources that should not be relaying SMTP directly—an indicator of how extensive the use of bot-nets to "spread spam and move on" has become during the second half of 2004.

Phishing

Phishing schemes grabbed the attention of major financial services companies and technology vendors as reports of attempts to steal private account information grew significantly during the second half of 2004. Phishing involves using email messages to trick users into exposing their passwords or confidential information. In many cases, fraudulent emails appear to be from legitimate senders directing users to a web site where private information is requested.

The Anti-Phishing Working Group (www.antiphishing.org), a consortium of law enforcement, financial firms and security vendors, issued several statements in 2004 warning of the increase in frequency of these fraud-based email scams. Estimates of losses due to identity or privileged information theft facilitated by phishing schemes vary widely, but Gartner has estimated losses to banks and credit card companies in the billions of dollars.

[Figure 8: Phishing Sites Reported by Anti-Phishing Work Group: Aug-Nov 2004 (Active Reported Phishing Sites by Week, Aug. - Nov. 04). Number of sites by week ending, 8/7/2004 through 11/27/2004; weekly values range from 107 to 459. Source: Anti-Phishing Work Group]

Postini estimates that its preEMPT technology stops 98 percent or more of email phishing attempts before they can reach the customer's network through a multi-layered approach. Postini blocks phishing emails through a combination of sender behavior analysis, URL exploit detection, and advanced content filtering heuristics.

Because many of the features of phishing emails are similar to those of spam, Postini blocks the vast majority of these schemes while applying several hundred content analysis heuristics targeted specifically at phishing techniques. Postini estimates that it routinely blocked approximately 400,000 phishing email attempts each day during the last quarter of 2004, or nearly one percent of all email blocked on a daily basis.

2004 Milestones in Email Security and Regulatory Environment

The past year exhibited an increase of new laws and regulations in both North America and Europe attempting to reduce spam. The most significant trend of 2004 from a regulatory perspective was how little effect general laws and regulations had on the total amount of spam, viruses, and email threats experienced throughout the year. Initial prosecutions under the CAN-SPAM Act and existing fraud laws began in 2004 but their effect on spammers and fraud perpetrators has yet to be determined.

CAN-SPAM Act in the U.S.

Going into effect January 1, 2004 in the U.S., the CAN-SPAM Act appears to have had little if any impact on the high volume of spam. The federal law includes fines and criminal penalties of up to five years in prison for common spam practices. At the close of 2004, analysts and industry observers have generally concluded that the legislation has not significantly stemmed the growing volume of spam, viruses and email threats.

[Figure 9: CAN-SPAM did not appear to reduce spam. Spam as a percentage of total email (0 to 100), NOV 2003 and DEC 2003 (before CAN-SPAM Act) versus JAN 2004 and FEB 2004 (after CAN-SPAM Act). Source: Postini]

The percentage of total email recognized as spam shows little change for the period before and after the CAN-SPAM act came into force, indicating that the initial effect of the law has been minimal.

Industry Specific Regulations

In 2004, several laws and regulations in the U.S. affected email security practices. The Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), SEC Rule 17a-4, and NASD Conduct Rules 3010 and 3110, forced email administrators in the financial services, healthcare, brokerage, and government sectors to scrutinize their email practices. These laws and regulations raised the visibility of issues such as secure email transmission over the Internet, archiving email messages, and enforcing compliance with email security policies.

[Figure 10: Email Security Regulatory Milestones: 2004. Timeline, JAN through DEC. Source: Postini. Events shown:]

• CAN-SPAM Act (US)
• US Congressional Hearings held on fighting spam
• First arrests from CAN-SPAM Act
• First successful prosecution of Internet spammers in US: Jaynes and DeGroot convicted
• Federal judge awards ISP $1 billion damages in lawsuit against spammers
• Major ISPs sue 200+ spammers under CAN-SPAM Act
• Australian Spam Act introduced with severe fines as penalties for convicted spammers
• Digital PhishNet group launched

Best Practice Response to Email Security Threats & Regulations

Several key email security challenges emerged in 2004 that demanded a response from organizations and email security vendors. Following is a description of these challenges along with a summary of how providers such as Postini have responded.

Intrusion Prevention

In 2004, conventional approaches to SMTP perimeter protection, such as IP address blocking that relies on known spammer addresses, were no longer effective in blocking bot-net, directory harvest, and denial of service attacks. Most spammers now distribute their attacks across unique, ever-changing source IPs. While it's possible to generate updated blacklists, by the time a suspect IP address is identified and incorporated into the filtering software, the spammer has attacked, harvested and moved on. The feedback loop and subjective nature of these network blacklists and reputation services suggest that they are ill equipped to deal with the new attack profiles. Rapidly evolving directory harvest and DoS attacks cannot be stopped by traditional content filtering methods since there is little or no "content" in the message. Nor can spam messages that minimize or eliminate "content" in an email be reliably blocked by content filtering without increasing the risk of false positives to unacceptable levels. Thus, during 2004, the conventional approach to blocking spam and viruses through content filtering was no longer sufficient for coping with newly evolved spam and hacker tactics.

Postini Response: As an email security managed service, Postini performs real time inspection of every IP address that it processes through its service. Postini uses patent-pending IP analysis based on more than two-dozen variables to determine if the behavior of the sender exhibits the characteristics of a spam, virus, or email attack. Based on this analysis, Postini is able to recognize malicious behavior and block connections before messages reach email servers. Processing more than 400 million inbound SMTP connections every day from 10 to 15 million distinct IP addresses, Postini currently blocks more than half of SMTP connections while the balance of messages are then screened at the content level. This multi-layer approach incorporating real-time IP analysis has proven effective in combating the shifting tactics of spammers during the year. See appendix B.

Encryption

As the use of email communications by organizations worldwide has grown, efforts to secure the transmission of these billions of messages have lagged far behind. An email message transmitted over the Internet without encryption is similar to sending a postcard by snail mail—just about anyone who is interested can read the message. However, new regulations, legal liability issues, customer confidence and evolving email threats in 2004 have raised the importance of secure email transmission among IT security managers and email administrators.

In regulated industries such as healthcare and financial services, companies are required by law to protect messages that contain sensitive information such as patient records or personal financial data. In the U.S., the Health Insurance Portability and Accountability Act mandates that personally identifiable patient data must travel through secure channels. The Gramm-Leach-Bliley Act requires that confidential information must be sent securely. Likewise, Canada and Europe have similar and in some cases more stringent regulations for transmitting data.

On a broader scale, consumers have consistently expressed concern about the privacy and confidentiality of data stored and transmitted by companies they deal with over the Internet. As business relationships and partnerships are increasingly forged over the Internet, securing those partner communications became more important during 2004.

Postini Response: In late 2004, Postini introduced support for secure email transmissions based on the Transport Layer Security (TLS) encryption standard. Unlike many other public key infrastructure (PKI) encryption technologies, encrypted emails processed by Postini still pass through its managed service data centers and are automatically scanned to block spam, viruses, and enforce content policy and compliance. Thus, Postini is able to support encrypted email transmission while preserving the administrator's ability to filter out unwanted or malicious messages and prevent email content policy violations.

Policy Compliance & Enforcement

As most major enterprises have addressed the problems of spam and viruses for their email systems, their attention has turned increasingly to enforcing email policy compliance among employees and business partners. A host of regulations governing the use of email, plus the potential for legal liability, have moved email policy compliance and enforcement up the list of priorities for security and email administrators.

Postini Response: Postini's secure email boundary services provide both inbound and outbound email policy enforcement capabilities. Outbound email filtering from Postini enables organizations to scan outbound messages for viruses and apply content policies, to protect both customers and partners and ensure that corporate policies regarding appropriate use are observed. Inbound anti-virus scanning prevents viruses from entering a corporate network through the gateway. This additional layer of protection helps to prevent the spread of viruses, adding to the security and stability of your network.

Postini outbound email functionality also enables the administrator to automatically block, reroute or copy email matching certain criteria. For example, the enterprise can retain copies of all mail going to regulatory bodies or containing key phrases. Outbound content filtering also prevents confidential or sensitive data from leaving the enterprise network and entering the hands of competitors. With Postini’s inbound policy management, administrators can create email policies for large or unwanted attachments, such as MP3 files.

Postini provides effective inbound and outbound content management that:

• Enforces a corporate e-mail policy against offensive language use

• Prevents employees from sending proprietary content outside the organization

• Prohibits employees from using email for illegal and inappropriate purposes

• Monitors employee communications without altering the disposition of the message

• Preserves network bandwidth by limiting the size and type of attachments that are accepted

Authentication and Sender ID

At first glance, proposals for email sender authentication standards to help fight spam and unwanted email seem logical. Sender ID, backed by Microsoft and other industry players, relies on the assumption that legitimate email senders will register their IP addresses, and that an email source that does not match a registered IP address should be rejected. Email authentication proposals to date, however, have proven to be impractical.

Developing an industry standard for such a ubiquitous communications protocol as email communications requires widespread consensus and a long time to gain acceptance. Authentication efforts suffered a setback when in the fall of 2004, the Internet Engineering Task Force (IETF) shut down its "MARID" working group seeking to develop email authentication standards. Unfortunately, spammers and hackers will not wait for a consensus—they are already exploiting the registration of IP addresses to help improve their delivery of junk email.

Assume, for example, that Sender ID exists and that email systems use the Domain Name System (DNS) for authentication. Spammers can and have simply registered their domain addresses (at minimal cost), and thereby become "legitimate" senders. If their domain is found to violate sending guidelines, they can just abandon the domain and register new ones. In addition, not all organizations register their addresses immediately. Those who lag in registering will unknowingly have their email treated as illegitimate or spam.

With Sender ID, mobile users will also have a difficult time sending emails when they are outside of their corporate email systems. If mobile users, for example, have to send messages through the hotel where they are staying or at an internet cafe on the road, their sending domain will not match the IP address of the sending mail servers and will appear illegitimate.

Postini Response: While email authentication standards may provide value for some organizations, current proposals will not have a significant impact in reducing spam. Email authentication approaches may, in some cases, have the unintended consequence of adding to the spam problem, since spammers are likely to be among the first to adopt standards and yet continue to abuse the system.
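The three failure modes described in this section can be reproduced with a small sender-authorization check. The following is an added example, not code from Postini or from the Sender ID proposal; it evaluates only the ip4/ip6/all subset of SPF record syntax, and every domain, address and TXT record in it is a constructed placeholder.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups. Domains and
# addresses are documentation-range placeholders, not data from the report.
TXT_RECORDS = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-offers.example": "v=spf1 ip4:203.0.113.7 -all",  # throwaway spam domain
    # "latecomer.example" has not published a policy yet
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, txt_records=TXT_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for a claimed domain and client IP."""
    terms = txt_records.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # nothing published: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # strict=False tolerates host bits set in a published network
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # other mechanisms (a, mx, include, ...) are not evaluated here
    return "neutral"  # no mechanism matched and no "all" term


def naive_disposition(result):
    """The flawed receiver policy: treat authentication as a spam verdict."""
    return "deliver" if result == "pass" else "reject"


# Constructed cases matching the scenarios in the text: (label, domain, client IP).
SCENARIOS = [
    ("employee at the office", "corp.example", "192.0.2.25"),
    ("spammer with registered domain", "bulk-offers.example", "203.0.113.7"),
    ("organization not yet registered", "latecomer.example", "198.51.100.10"),
    ("employee relaying via hotel server", "corp.example", "198.51.100.80"),
]


def evaluate(scenarios=SCENARIOS):
    """Return {label: (auth_result, naive_disposition)} for each scenario."""
    out = {}
    for label, domain, ip in scenarios:
        result = check_sender(domain, ip)
        out[label] = (result, naive_disposition(result))
    return out


if __name__ == "__main__":
    for label, (result, action) in evaluate().items():
        print(f"{label:36} auth={result:5} naive receiver: {action}")
```

A "pass" only says the connecting IP is authorized for the claimed domain, so a receiver should feed the result into filtering as one signal instead of using it as the delivery decision.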

Administrator/User Flexibility

As enterprises implement better defenses in the fight against spam, viruses and other email threats, they now realize that "one size no longer fits all." These organizations are looking for ways to block spam and viruses while flexibly managing the email needs and desires of diverse user groups or individuals.

Postini Response: Postini enables the enterprise to delegate access privileges for multiple administrators across many domains, as well as allowing the email administrator to configure email policy enforcement for inbound and outbound messages according to global, group, or individual user requirements. Individual user quarantines allow for individual adjustments of spam sensitivity by category, approved and blocked sender lists, and a daily quarantine summary email. To meet regulatory requirements that require retention of all email communications, Postini offers a "compliance switch" to assure that any quarantined suspect emails cannot be read by the user unless they are first accepted by the user into the email system and are thus automatically archived.

Reporting & Security Management

Most enterprises are seeking to reduce the number of products and services involved in their IT systems. A common management interface and email security platform are preferred to managing and maintaining multiple point products that do not integrate functions.

Postini Response: Postini delivers control and visibility over the entire enterprise email system, not just a single server or single geographic location. Real-time dashboard and reporting provide control over email security configurations—from domains and user groups, to individual users. Through a single web console management interface, an IT staff member can monitor all email flow and traffic conditions, request and view reports from anywhere, implement global policies or customize individual email server configurations.

Email Disaster Recovery

When enterprise email servers experience performance issues or completely shut down, administrators need backup and recovery to preserve legitimate messages. Or, if regular maintenance tasks require a mail server to be taken offline, legitimate email messages must not be bounced back to the sender during the offline period.

Postini Response: Postini ensures the smooth delivery of email by load balancing traffic among specified email servers. This capability helps enterprise administrators handle traffic spikes by managing the availability and reliability of all email servers. In addition, Postini can step in with valuable disaster recovery and business continuity measures to ensure maximum availability of the enterprise's mission-critical email system. In the event of a server outage, Postini will hold emails for up to seven days until email servers come back online, and messages can be delivered. Because Postini does not use a "store and forward" approach typical of other service providers, its patented pass-through process eliminates any performance penalty or security and privacy concerns.

Expectations for Email Security in 2005

Threats Continue to Grow and Accelerate

Email threats will continue to evolve at a faster pace as spammers become more sophisticated, and countermeasures designed to combat these threats will become available much more quickly. The result is a continued "arms race," according to Richi Jennings of Ferris Research, as next generation email security defenses become more robust and ISPs seek to curtail Port 25 abuse by their customers. Meanwhile, spammers will step up their own efforts to circumvent email security defenses.

Move to More Holistic Email Security

Companies will move from first generation single function "point" email security products/services to next-generation solutions that offer broader scope of protection from a single vendor. As part of this transition, administrators will be seeking a single, secure control console for visibility and management across the entire email infrastructure. Email security, especially for larger enterprises, will move beyond a singular focus on combating spam to encompass more aggressive anti-virus, and defense of denial of service and directory harvest attacks. Enforcement of inbound and outbound email policy compliance will become a major issue along with disaster recovery, archiving and user management capabilities.

"A lot of companies have invested in inadequate spam solutions as shareware or from smaller vendors," according to Matt Cain of META Group research. "They are already moving to broader email security solutions that reduce costs and improve email operations."

Content Filtering Alone Not Sufficient

Email security will see an increased focus on IP behavior and reputation analysis of email messages in addition to content filtering as a critical component of multilayer email intrusion prevention. Because bot-nets utilize hundreds of IP addresses to spread spam or launch directory harvest attacks, traditional approaches to IP log analysis have become ineffective. Postini maintains that its patent-pending real-time IP analysis, focusing on IP behavior, is superior to any IP reputation approach.

Managed Service Approach Expands

Increased consolidation among email security software vendors will continue as appliance and managed service email security solutions grow in popularity and expand their share of the market. The market for email security products and services will not sustain more than a handful of anti-spam vendors as companies move beyond first generation point products to implement more holistic solutions.

Email security managed services are gaining momentum as a viable alternative to software and appliances for the enterprise market, according to Michael Osterman of Osterman Research (www.ostermanresearch.com). "Companies realize that stopping email threats does nothing for the bottom line," Osterman maintains. "For many organizations, using a managed service for email security conserves IT resources and staff that can be better utilized elsewhere."

Gartner indicates that more than three out of four enterprises now consider a managed service as a viable deployment option for email security. Immediate effectiveness, ease of use and scalability, and reduced infrastructure complexity, as well as reduced administrative burden are cited as reasons for evaluating a managed service approach to email security.

"The trend toward managed services will continue to increase," according to Matt Cain of META Group research, "as companies gain a growing comfort level with outside services, a faster time-to-value for the solution, and a simplicity in management and supervision."

Authentication Irrelevant To Spam Problem

Email authentication efforts will continue despite setbacks, but will have only minimal effect on solving the spam problem. While efforts to develop SPF, Sender ID and Domain Keys will continue between larger ISPs, financial services and retail enterprises, one major analyst firm estimates fewer than 15 percent of organizations will adopt any kind of authentication standard. The overall impact on reducing spam will be negligible, and in some instances spammers will actually take advantage of domain registration schemes to propagate spam.

Small Businesses Remain A Highly Vulnerable Target

As email threats continue to escalate and become more sophisticated, small businesses that often rely on first-generation or open source anti-spam solutions are unable to keep pace. As shown in the 2004 statistics from this report, small businesses can receive up to 10 times the amount of spam per user as larger organizations. With limited staff resources, small businesses will remain particularly vulnerable to spam, viruses and email attacks.

APPENDIX A: Report References

Matt Cain, Security Analyst, META Group Research www.metagroup.com

Richi Jennings, Lead Analyst for Spam and Boundary Services Practice, Ferris Research www.ferris.com

Michael Osterman, Principal Analyst, Osterman Research www.ostermanresearch.com

"CAN-SPAM law seen as ineffective," by Grant Gross, ComputerWorld, Dec. 27, 2004.

"Spam in the Wild: The Sequel," by Joel Snyder, NetworkWorldFusion, Dec. 20, 2004.

"Judge awards ISP $1 billion in spam damages," by Grant Gross, ComputerWorld, Dec. 20, 2004.

"Phishing Web Sites Grew by 33 Percent in November," by Paul Roberts, InfoWorld, Dec. 14, 2004.

"UK law failing to nail spammers," by Graeme Wearden, ZDNet UK, Dec. 13, 2004.

"Digital PhishNet launched to combat phishing scams," by Jaikumar Vijayan, ComputerWorld, Dec. 9, 2004.

"Execs warned: Don't ignore spam menace," by Jim Hu, CNET News.com, Dec. 3, 2004.

"Phishing on the Increase, Group Says," by Bob Francis, InfoWorld, Nov. 29, 2004.

"Companies Forced to Fight Phishing," by Brian Krebs, washingtonpost.com, Nov. 19, 2004.

"No Vendor Can Fulfill All of Your Encrypted E-Mail Needs," Wheatman, Hallawell, Grey, Pescatore, Wagner, Kreizman, Gartner Research Note, October 13, 2004.

"Secure E-Mail and Public Key Cryptography: Together At Last?" Andrew Conry-Murray, Security Pipeline, October 1, 2004.

"Locking Down E-mail," Keith Schultz, InfoWorld Special Report, September 20, 2004.

"EU Legislation No Match for Spam," by Mathew Broersma, eWeek, Aug. 26, 2004.

"First arrests made under CAN-SPAM law," by Robert Longley, usgovinfo.about.com, May 3, 2004.

"Major ISPs sue hundreds of spammers," by Grant Gross, NetworkWorldFusion, March 3, 2004.

APPENDIX B: Postini real time IP Analysis

As the leading email security managed service, Postini is ideally suited to dealing with evolving email threats precisely because it sits between the Internet and the enterprise email system. Postini catches phishing attempts, viruses, as well as bot-net spam and directory harvest attacks before they can reach an enterprise email network using a patented, multilayer threat prevention approach.

Postini preEMPT™ Process

[Figure 1: Postini preEMPT™ process. Panels: Internet Threats (Spam, Viruses, DoS, and DHA); Connection Management (Stops DoS and DHA); Content Security (Eliminates Spam, Viruses, Phishing, and Policy Violations); Delivery Assurance (Enables Load Balancing, Spooling and Flow Recovery); Enterprise Gateway; Management and Reporting Web Console.]

Sitting between the Internet and the enterprise's email gateway, Postini blocks spam, phishing, viruses, and email attacks before they have a chance to impact the enterprise.

Postini's preEMPT technology processes email in real time, through a highly secure system architecture that operates with no detectable latency, no data loss, and no security compromises. Emails are initially screened at the SMTP connection point through patent-pending IP behavior analysis that eliminates nearly half the messages. The balance are then screened through Postini's content filtering heuristics to eliminate spam and other threats and enforce policy. All suspect emails are blocked, and legitimate emails are instantly sent to the enterprise destination mail server in real time, from memory. Depending on the enterprise's email security policy, suspicious email is either tagged and delivered or quarantined to a web-accessible storage area for user review.

Patent-pending IP Behavior Analysis at SMTP Connection Level

In many cases, newly evolving threats such as Directory Harvest Attacks cannot be stopped by conventional content filtering methods typically used in anti-spam software and appliances. Nor can new spam and phishing techniques that reduce or eliminate content in a message be reliably blocked with conventional content filtering. The detection of malicious emails and DHAs needs to occur in real time, at the SMTP connection point, in order to prevent them from ever reaching the enterprise email gateway.

Unlike many anti-spam products or services, Postini is unique in conducting real time inspection of every IP address at the SMTP connection point. Only Postini offers patent-pending IP analysis based on more than two-dozen variables to determine if the "behavior" of the message exhibits the characteristics of a spam, virus, or email attack. Based on this real time, continuous analysis, specific SMTP connection patterns are associated with malicious behavior, enabling Postini to block these connections without having to examine the actual message.

Processing more than 400 million inbound SMTP connections every day from 10 to 15 million distinct IP addresses, Postini currently blocks more than half of SMTP connections while the balance of messages are then screened by its award-winning content filtering. This multi-layer approach incorporating real time IP analysis and advanced content filtering has proven to be highly effective in combating the shifting tactics of spammers and in preventing email threats from harming enterprise email systems.
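Connection-level detection of a Directory Harvest Attack can be illustrated with a per-IP sliding window over RCPT TO outcomes. This is an added example and not Postini's patent-pending analysis: the report does not list its variables, so the single signal used here (ratio of rejected recipients), the thresholds, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed RCPT TO outcomes: (unix_time, client_ip, recipient, reply_code).
# 250 = recipient accepted, 550 = no such user. Not data from the report.
GUESSES = ["aaron", "abby", "adam", "admin", "al", "alan", "alex", "alice"]
REAL_USERS = {"admin", "alice", "bob"}
SAMPLE_EVENTS = [
    (0, "192.0.2.10", "alice@corp.example", 250),
    (5, "192.0.2.10", "bob@corp.example", 250),
    (9, "192.0.2.10", "bbo@corp.example", 550),   # ordinary typo
] + [
    (20 + i, "198.51.100.66", f"{name}@corp.example",
     250 if name in REAL_USERS else 550)
    for i, name in enumerate(GUESSES)
]


def detect_harvesters(events, window=60, min_attempts=6, min_invalid_ratio=0.7):
    """Return {client_ip: time_first_flagged} using a per-IP sliding window."""
    recent = defaultdict(deque)   # ip -> deque of (time, was_invalid)
    flagged = {}
    for ts, ip, _rcpt, code in sorted(events):
        q = recent[ip]
        q.append((ts, code == 550))
        while q and q[0][0] <= ts - window:   # drop attempts older than the window
            q.popleft()
        invalid = sum(1 for _, bad in q if bad)
        if (ip not in flagged and len(q) >= min_attempts
                and invalid / len(q) >= min_invalid_ratio):
            flagged[ip] = ts
    return flagged


def exposure(events, flagged):
    """Per flagged IP: valid addresses confirmed up to the flag, and those
    that stay unconfirmed if the connection is refused from the flag onward."""
    report = {}
    for ip, flag_ts in flagged.items():
        valid = [ts for ts, src, _r, code in events if src == ip and code == 250]
        report[ip] = {
            "confirmed_before_block": sum(1 for ts in valid if ts <= flag_ts),
            "protected_by_block": sum(1 for ts in valid if ts > flag_ts),
        }
    return report


if __name__ == "__main__":
    hits = detect_harvesters(SAMPLE_EVENTS)
    print(hits, exposure(SAMPLE_EVENTS, hits))
```

Lowering `min_attempts` and `min_invalid_ratio` far enough flags the ordinary sender with one typo as well, which is the tuning trade-off any single-signal detector of this kind has to manage.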

Award-Winning Content Filtering Stops Spam, Viruses, And Phishing Attempts

Postini Perimeter Manager was named Product of the Year in the Content Filtering category in the Information Security 2004 "Products of the Year" awards.

Once an SMTP connection is validated or the sending IP address has not been identified as having engaged in recent damaging behavior, the message data is passed through Postini's Content Filtering (Figure 1) process, where messages are analyzed using thousands of rules, or heuristics, constantly updated to reflect new spam types and email threats. These new rules are always immediately available to protect the enterprise without the need for the IT staff to download or install any software.

Postini Content Filtering Heuristics Catch Threats As They Evolve

Utilizing thousands of heuristic expressions, Postini's content filtering engine assesses each email and computes a statistical probability by correlating a "score" against a configuration setting. This supports granular configuration options by category to "fine tune" filtering by category: spam, virus, phishing, and more. Heuristics are automatically and incrementally modified based on millions of messages each day to block email threats as spammer tactics evolve.

Another unique advantage of Postini's patented method for processing email messages over other managed service providers is Postini's exclusive "pass-through" technology. Postini, in contrast, conducts all analysis of SMTP connections and email messages in real time, so that no messages get stored but rather legitimate emails are instantly passed along to their recipients. This eliminates any concerns about privacy and security, especially for those enterprises in highly regulated industries such as financial services and healthcare.

APPENDIX C: About Postini

Postini, Inc. is the leading provider of email security and management services that protect email infrastructure by preventing spam and attacks from reaching the enterprise gateway. Postini's patented managed services model utilizes exclusive preEMPT transport and content filtering technology to eliminate spam and viruses, stop DoS and directory harvest attacks, safeguard content, and improve email performance. Founded in 1999, Postini processes more than three billion message connections every week for more than 4,200 companies. By blocking spam, viruses and attacks before they can reach the enterprise email gateway, Postini Perimeter Manager is designed to assure complete email security while saving bandwidth, conserving server capacity and minimizing administrative costs. For more information contact Postini at its Redwood City, California headquarters toll-free at 866.767.8461, or visit www.postini.com

PREEMPTIVE EMAIL PROTECTION

Headquarters Postini, Inc., 510 Veterans Boulevard, Redwood City, California 94063 Toll-free 1-866-767-8461 Email [email protected] Web Site www.postini.com For more information or to see if your organization qualifies for our free 30-day, no-risk trial of Postini Perimeter Manager, call toll-free 1-888-584-3150, email us at [email protected], or visit us online at www.postini.com.

© Copyright 2005 Postini, Inc. All rights reserved. CB03-01-0501 Postini, the Postini logo and Postini Perimeter Manager are registered trademarks or service marks of Postini, Inc. preEMPT is a trademark of Postini, Inc. All other trademarks listed in this document are the property of their respective owners.