E-mail Security School Final Exam Answers

Final Exam

1.) When are digital signatures and footer stamping incompatible?

A digital signature is something the sender stamps onto a message. The sender computes a cryptographic hash over the message content and signs that hash with their private key; the result travels with the message. The recipient recomputes the hash over the content they actually received and uses the sender's public key to check it against the transmitted signature, which tells them whether the content was altered in transit or the message did not come from the purported sender at all.

Injecting a footer (a legal disclaimer, for instance) into the signed content after the sender has signed it changes the bytes the hash was computed over, so the signature no longer verifies. Every recipient's mail client then reports the message as tampered with or forged, which is exactly the condition the signature exists to detect. If you want digitally signed messages and footers, put the footer into the message before the sender applies the signature, or have the gateway add the footer outside the signed part (for example as a separate MIME part alongside an untouched multipart/signed body) so that the signed bytes are never modified.
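The following Go program is an added example, not code from the original page, that demonstrates the point above: it signs a message body with an Ed25519 key (a stand-in for the S/MIME or PGP signature a mail client would apply), shows that appending a footer to the signed content makes verification fail, and shows that carrying the footer as a sibling part outside the signed content leaves the signature valid. The type names, the sample message and the footer text are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedPart is a simplified stand-in for a MIME multipart/signed body:
// the signature covers exactly the bytes in Content and nothing else.
type SignedPart struct {
	Content   []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Sign hashes the content and signs the digest with the sender's private key.
// Ed25519 already hashes internally; the explicit SHA-256 step mirrors the
// hash-then-sign description in the answer above.
func Sign(priv ed25519.PrivateKey, content []byte) SignedPart {
	digest := sha256.Sum256(content)
	return SignedPart{
		Content:   content,
		Signature: ed25519.Sign(priv, digest[:]),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify is what the recipient does: recompute the digest over the bytes
// actually received and check it against the transmitted signature.
func Verify(p SignedPart) bool {
	digest := sha256.Sum256(p.Content)
	return ed25519.Verify(p.PubKey, digest[:], p.Signature)
}

// StampInsideSignedPart models a gateway appending a footer to the signed
// content itself. The signed bytes change, so verification must fail.
func StampInsideSignedPart(p SignedPart, footer string) SignedPart {
	stamped := p
	stamped.Content = append(append([]byte{}, p.Content...), []byte("\r\n"+footer)...)
	return stamped
}

// Wrapped models the safe alternative: the gateway leaves the signed part
// untouched and adds the footer as a sibling part in a new outer container.
type Wrapped struct {
	Signed SignedPart
	Footer string
}

func StampOutsideSignedPart(p SignedPart, footer string) Wrapped {
	return Wrapped{Signed: p, Footer: footer}
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message and footer; not taken from the page.
	content := []byte("Subject: quarterly numbers\r\n\r\nRevenue is up 4%.\r\n")
	footer := "-- This e-mail and any attachments are confidential."

	signed := Sign(priv, content)
	fmt.Println("as sent:                  ", Verify(signed))                                         // true
	fmt.Println("footer inside signed part:", Verify(StampInsideSignedPart(signed, footer)))          // false
	fmt.Println("footer as sibling part:   ", Verify(StampOutsideSignedPart(signed, footer).Signed)) // true
}
```

The same reasoning applies to any signature computed over the body, whatever the key type: a stamping step that runs after signing must either re-sign or keep its hands off the signed bytes.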


2.) Putting message archiving functionality at the Internet gateway seems very efficient. But what is wrong with this picture?

An archive can only capture the messages it sees. If all you care about is messages that cross to and from the Internet, a gateway archive works. But if the reason for archiving is a regulatory requirement, you will almost certainly need to retain messages sent between internal users that never reach the gateway. For that you need to attach the archiving function to the user's mailbox, because only that captures every message the user receives. If your concern is every message the user sends, the right place is the MTA or mailbox server to which the user agent submits mail, since everything the user sends passes through it whether the recipient is internal or external.


3.) Encrypted mail can't be scanned by a compliance checker. How do you resolve this issue?

Compliance checking is a policy question. It is corporate policy that says messages may be opened and inspected. If a message is encrypted, the compliance checker plainly cannot look inside it, and that makes the situation a policy matter rather than a technical one. There are three possibilities: the policy states that mail which cannot be inspected is out of compliance; the policy states that such mail is, by definition, in compliance; or the policy says nothing about mail that cannot be checked.

If you are lucky enough to have a policy that matches the first or second case, do what the policy says and move on. If the policy is silent about mail that cannot be examined, the correct response is to take the gap to the policy owners and have them fix the policy. Solving the problem technically without policy input, whether by blocking everything encrypted or by quietly waving it through, is asking for a slap on the wrist or worse.


4.) Policy says that you will accept 10 messages an hour from someone. What do you do with the 11th message?

Don't accept it. The real question, of course, is how you decline it. There are two options: a temporary refusal (4xx reply) and a permanent refusal (5xx reply). A 4xx reply tells the sending MTA to queue the message and retry later; a 5xx reply tells it to give up and bounce the message to its author. In this case the appropriate choice is the 4xx reply, ideally given at RCPT TO so the message body is never transferred or stored. You don't want to start bouncing legitimate mail because a peer MTA was down for an hour and is now working through a small backlog destined for you.

An intelligent MTA design might use an escalating series of responses. For example, you could give 4xx replies to the 11th through the 1,100th message in the hour and then start returning permanent refusals (5xx), because at that point it is clear that something is wrong on the other end and it is not getting better quickly.

In any case, responding immediately with a permanent refusal (5xx) may be more emotionally satisfying, but it is not good practice.
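Here is the escalating policy from the answer above as an added Go example (not code from the original page or from any particular MTA): a per-sender sliding one-hour window that accepts the first 10 attempts, returns a temporary 450 for the 11th through the 1,100th, and a permanent 550 beyond that. The type and function names, the choice of envelope sender as the key, and the reply texts are assumptions made for the example; the 10/hour limit and the 1,100 escalation point are the figures in the question and answer.

```go
package main

import (
	"fmt"
	"time"
)

// Policy thresholds. The 10/hour limit is the one in the question; the 1,100
// escalation point is the figure used in the answer above.
const (
	acceptPerHour = 10   // messages accepted per sender in a rolling hour
	tempFailUpTo  = 1100 // attempts beyond this in the window get a 5xx
)

// Reply is the SMTP reply an MTA returns for one delivery attempt.
type Reply struct {
	Code int    // 250 accept, 450 temporary refusal, 550 permanent refusal
	Text string // enhanced status code plus human-readable text
}

// SenderLimiter keeps a sliding one-hour window of attempt timestamps per
// sender (keyed here by envelope sender; a real MTA might key by client IP).
type SenderLimiter struct {
	window   time.Duration
	attempts map[string][]time.Time
}

func NewSenderLimiter() *SenderLimiter {
	return &SenderLimiter{window: time.Hour, attempts: make(map[string][]time.Time)}
}

// Decide records one delivery attempt from sender at time now and returns the
// reply to give at RCPT TO, before DATA, so a refused message is never stored.
// Attempts are counted whether or not they were accepted, which is what lets
// the escalation notice a peer that keeps retrying far faster than it should.
func (l *SenderLimiter) Decide(sender string, now time.Time) Reply {
	cutoff := now.Add(-l.window)
	kept := l.attempts[sender][:0] // filter in place: drop attempts older than the window
	for _, t := range l.attempts[sender] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	l.attempts[sender] = kept

	switch n := len(kept); {
	case n <= acceptPerHour:
		return Reply{250, "2.1.5 Recipient OK"}
	case n <= tempFailUpTo:
		// Temporary failure: a well-behaved MTA queues and retries later, so a
		// peer that simply had a backlog loses nothing.
		return Reply{450, "4.7.1 Rate limit exceeded, try again later"}
	default:
		// Far beyond the limit within the hour: something is wrong on the
		// other end, so tell it to stop and bounce.
		return Reply{550, "5.7.1 Rate limit grossly exceeded, delivery refused"}
	}
}

func main() {
	l := NewSenderLimiter()
	start := time.Date(2005, time.November, 1, 9, 0, 0, 0, time.UTC)
	// Constructed run: one sender offering 1,101 messages in under 20 minutes.
	for i := 1; i <= 1101; i++ {
		r := l.Decide("bulk@example.com", start.Add(time.Duration(i)*time.Second))
		if i == 1 || i == 10 || i == 11 || i == 1100 || i == 1101 {
			fmt.Printf("attempt %4d -> %d %s\n", i, r.Code, r.Text)
		}
	}
}
```

Because the window slides, a sender that was told to slow down and actually did so gets back to 250 on its own once its old attempts age out; no operator has to clear a block list.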


5.) Identify the two most common errors associated with keyword searching across e-mail messages.

The two most common ways to get keyword searching wrong are to leave case significance switched on and to handle word stemming improperly.

Case significance is the easy one, because most keyword searching tools are case-sensitive by default. Turn case significance off whenever you do policy-based keyword searches; a policy that says 'poop' has to catch 'POOP' and 'Poop' as well. This is the number one error people make.

Stemming is the harder problem and not one that is handled easily. Without stemming, you have to search for every variation of the word you are looking for. For example, you cannot simply search for 'poop', because you will miss the important variations 'poopy', 'poops', 'pooped' and 'pooping'. If instead you drop the requirement that the word be bounded on both sides (by white space, which includes line breaks, tabs and other formatting characters, or by punctuation) and match the bare substring, you will catch every word that contains 'poop', such as nincompoop (used to describe the person who asked you to search for poop). Regular expression engines do not stem for you: you spell out the inflections, or the stem plus an alternation of suffixes, and anchor the pattern on word boundaries. Full-text search engines with a language-aware stemmer handle this automatically; more primitive tools leave it to you.
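The following Go program is an added example, not code from the original page, that puts the two errors side by side: a naive case-sensitive substring test, and a case-insensitive regular expression anchored on word boundaries with an explicit suffix alternation standing in for stemming. The suffix list, the function names and the sample message bodies are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// NaiveContains is the search most people start with: a case-sensitive
// substring test. It commits both errors at once.
func NaiveContains(text, keyword string) bool {
	return strings.Contains(text, keyword)
}

// KeywordPattern builds a case-insensitive pattern for a stem plus the
// inflections the policy cares about, anchored on word boundaries so that
// white space, line breaks, tabs and punctuation all count as boundaries and
// the stem buried inside another word does not match. The suffix list is an
// assumption for this example; a real deployment would carry a curated
// lexicon or use a stemmer.
func KeywordPattern(stem string) *regexp.Regexp {
	return regexp.MustCompile(`(?i)\b` + regexp.QuoteMeta(stem) + `(?:y|s|ed|ing)?\b`)
}

// FindKeywords returns every hit in text, lower-cased, in order of appearance.
func FindKeywords(re *regexp.Regexp, text string) []string {
	hits := re.FindAllString(text, -1)
	for i, h := range hits {
		hits[i] = strings.ToLower(h)
	}
	return hits
}

func main() {
	re := KeywordPattern("poop")
	// Constructed sample message bodies; not taken from the page.
	samples := []string{
		"POOP on the deck again.",          // case: naive search misses it
		"The generator pooped out.\tPoops", // inflections, tab as boundary
		"What a nincompoop.",               // substring only, not a word
		"poopy\npooping",                   // newline as boundary
	}
	for _, s := range samples {
		fmt.Printf("naive=%-5v regex=%v %q\n", NaiveContains(s, "poop"), FindKeywords(re, s), s)
	}
}
```

Note that the regular expression engine did nothing about stemming on its own; the pattern had to say which inflections count, which is the work a full-text search engine with a stemmer would do for you.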


This was last published in November 2005
