With last week’s release of a new set of “Best Common Practices” (BCP), the gurus of the anti-spam and anti-phishing world have given everybody who runs email systems a handy list of chores, just in time for Spring Cleaning.
It remains to be seen whether corporate email administrators will even notice this excellent guide to the health and hygiene of email infrastructures, much less heed the advice. Unfortunately, the consequences of not having an email infrastructure that is sufficiently “ship-shape” are increasingly glaring and occasionally dramatic.
The recent BCP document was issued by the Messaging Anti-Abuse Working Group (MAAWG), a coalition of Internet service provider and email marketing experts who are some of the brightest minds in the messaging security business – their inability to come up with a catchier group acronym notwithstanding.
Much of their guidance document focuses on steps that large volume senders, such as email marketing service bureaus and consumer-facing e-commerce companies, can take to increase the odds of their email reaching the in-boxes of recipients without unwanted detours or delays caused by over-zealous anti-spam settings.
But many of the fundamental recommendations aren’t limited to email service bureaus and fall into the category of sound email administration policy, regardless of whether your system transports a thousand messages a day or a million messages an hour.
Among the recommendations are the creation of basic privacy and acceptable use policies, proper configuration of mail systems including dedicated IP addresses for outbound email servers and properly configured reverse DNS, and adherence to popular email authentication standards like Sender ID and DomainKeys Identified Mail (DKIM).
As an erstwhile email system administrator myself (thankfully responsible for only my own email and that of a few family members), I have been working through these recommendations and doing a little Spring housekeeping on my own email infrastructure.
Out of the dozen or so MAAWG recommendations that were relevant to my own puny email infrastructure, I have been able to get many of them implemented in a matter of just a few hours. Just think, if I had actually known what the heck I was doing, it might have only taken minutes!
Admittedly, for some more complex email infrastructures, implementation of the MAAWG BCP may take more than a few hours. But in chatting with a number of knowledgeable system administrators, I have also come to realize that a number of these recommendations are things that fall into the category of “stuff that should have been done correctly in the first place.”
As I scratch my increasingly graying head, and occasionally pull out my hair trying to make sense of various obtuse Unix commands and configurations, I have to keep reminding myself that for many system admins, a lot of this Internet email stuff is still pretty new territory.
Many small and mid-sized companies rely on turn-key and hosted solutions for critical systems like email, but there are still plenty of IT managers who took on the task of building and operating their own infrastructures as cost saving measures. As a result, there are plenty of people whose job description includes “email systems administrator” but who have never seen, much less edited, a raw configuration file on a Unix-based email server.
Luckily for those of us who took on sysadmin duties as a hobby, the default configurations for many systems proved good enough to get mail flowing relatively reliably, even if all the T’s aren’t crossed and I’s aren’t dotted. Such was the legacy of that old adage in email circles: Be conservative in what you send and liberal in what you accept.
But as more and more ISPs and corporations tighten their approaches to fighting abuses like spam and phishing, the leeway that once allowed the default configuration of a cobbled-together hobbyist’s Linux box to work is rapidly disappearing.
Spammers and phishers have been abusing the openness of email systems for more than a decade, relying on the fact that even badly configured systems can get mail delivered. As a result, redefining loose standards as security risks means it is going to be increasingly difficult for mail to “just work” in the way it used to.
This message was brought home to me a few years ago when a pal helped me tweak the anti-spam settings on my own email server. With just a few configuration changes, I was able to avoid processing a surprisingly large amount of spam just by tightening the restrictions on what kinds of “From:” lines and other mail delivery “handshake” features were deemed acceptable.
Of course, I also quickly found that a few of my regular email correspondents could no longer reach me either. That’s when I began to realize just how many sites, even some run by highly skilled admins, were – and are – still relying upon the kindness of strangers to get their email delivered.
Unfortunately, in this age of massive messaging abuse, kindness is in short supply because being too permissive in your email policies means exposing your network to increasing amounts of trouble.
Having done my share of spam-related consulting over the years, the scenario that ends in an overhaul of an email infrastructure is familiar. Starting with vague complaints from frustrated users about the occasional missing email, it may take weeks or months before patterns begin to emerge in what had been dismissed as “transient glitches” and “user error.”
But all too often what really forces the issue is when suddenly the CEO can no longer email his daughter at college or his golf buddies because all your corporate email is being flagged as spam. Suddenly you’re faced with the realization that sloppy configuration and poor email hygiene have made the rest of the world think you’re a bum.
Luckily for you, you read this column and know all about MAAWG’s recommended best practices and have a game plan for sharpening up your own systems so that as other sites tighten down their policies, your network will look like a source of reputable and responsible mail.
Whether you’re a small business or a major email service bureau, the ability to get mail delivered reliably is a critical business function. The practices recommended by MAAWG are becoming an increasingly critical component to building and maintaining a reputation as a legitimate mailer, regardless of the quantity of mail your system generates.
MAAWG’s guidance is an excellent resource for administrators who are savvy enough to make use of it. The BCPs are a good roadmap for how to improve the way your network appears to the rest of the world, and whether or not you’re losing email today, you can be certain that will change if you’re not keeping up with the times.
The credibility of MAAWG as an industry body can also help build consensus within your organization to undertake what can sometimes be the challenging process of getting old and disparate systems updated and reconfigured.
So roll up your sleeves, grab a broom and a copy of MAAWG’s recommendations, and get started on your email infrastructure Spring Cleaning! You’ll be glad you did.