SMTP, or the Simple Mail Transport Protocol, is the basic foundation of Internet e-mail. Each day, billions of messages are sent over the Internet using SMTP, enabling global communications and commerce. However, like many other tools, SMTP can have a dark side. Policies determining how and where SMTP can be used on networks can make the difference between efficient communication and a security nightmare.
The main problem with SMTP is that, as its name implies, it is simple. It's easy to install an SMTP server on a server or workstation, and start sending and receiving e-mail. While this does not sound like a security problem, think about these possibilities:
- Many of the viruses and worms that plague the Internet strive to install SMTP servers on infected machines. Once installed, these servers are used to send out much of the spam that clogs inboxes. Irate recipients who trace the spam back to its source will look to your company for an explanation.
Learn how to use the IIS SMTP mail relay service to prevent spammers from directly interacting with your Microsoft Exchange Server.
Learn how to fill SMTP gaps
- Other viruses and malware use SMTP to replicate, or send and receive commands and/or pilfered information from infected machines.
- Messages sent directly to or from rogue SMTP servers are not subject to virus and malware scans implemented on official mail gateways. These servers thereby provide a back door into your organization for all sorts of nasty code.
- Many organizations in the financial and health care industries are subject to regulations regarding the security and monitoring of e-mail traffic. Messages from rogue servers may be missed by the compliance department and end up coming back to haunt your organization later.
None of these scenarios are pretty, but they are pretty easy to prevent. An organizational SMTP policy and some teeth to back it up can greatly reduce the risks from unauthorized mail servers.
- Define a small number of authorized gateways that are allowed to communicate via SMTP with the outside world. All processes that need to send mail should be required to forward it through an authorized gateway in order to allow for centralized scanning, compliance review and investigatory access to messages.
- Outbound firewall rules should be configured to allow only the authorized gateways to communicate with outside servers on TCP ports 25 and 465. Attempts by non-authorized machines to communicate on these ports should be investigated to determine whether they are the result of a misconfigured or noncompliant system, or malware.
- It's not a bad idea to conduct periodic scans of internal networks for SMTP servers listening on TCP ports 25 or 465. Being proactive about enforcing the rules can help avoid situations where an "under the radar" legitimate project ends up needing a waiver to policy.
The fight against open SMTP proxies is one where consumer ISPs are out in front of us corporate types. Most providers routinely prevent subscribers from sending or receiving SMTP traffic via servers other than the "official" ones that they provide. While this has obviously not stopped the deluge of spam and malware that clogs the Internet, it has helped to keep the problem under some semblance of control. Corporate policies preventing unregulated SMTP traffic help keep the Internet a useful communications tool and help prevent your organization from running afoul of regulators, other Internet users and customers.
About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.