The importance of email security is hard to overstate. Many automated business processes depend on email. Sensitive data is transferred to and from your company and stored on your email server. Email is a vulnerable area in your ongoing business operations and critically important in your security planning.
Given email’s extensive use, it is no wonder that email is the most common vulnerability exploited by cybercriminals. In fact, 91% of all cyber attacks begin with a spam (phishing) email to an unsuspecting victim, so your network and cyber security teams need to be constantly on deck, managing email as a critical but vulnerable resource. Paying attention to the email server, software, logs, and service maintenance is essential to ensure performance and stability.
This article will look at various ways to apply solid network security practices, thus protecting your email servers and users from cyber threats. Read on to get the clarity and tips you need to ensure your network is safe from spam.
Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323. (Symantec, a division of Broadcom)
1. Have an information security plan in place
Email Security Policies
In all the security policies you create, pay particular attention to creating solid policies around email security. Include in the policy all the organization’s expectations around email security, cybersecurity, and employee obligations regarding the use of email.
Here are two examples of policies created for the internet community to use freely. The first policy was created by the SANS Institute; the second was by Guardian Network Solutions. Many higher education institutions also publish their guidelines for viewing across the web. Do a web search and take a look, as some of these might contain ideas that help you create a better and more complete policy document.
Email Security Best Practices
Cybercriminals are opportunists and most often look for low-hanging fruit so that they can expend as few resources as possible. Even routine, best email security practices will be enough to protect you from most of these types of threats.
If you can employ most of the following email security best practices, you’ll protect yourself from the vast majority of potential email security threats, including a lot of phishing emails:
Best practices for the organization
- Monitor email activity
Email is so integrated into our professional lives that we use it for hours a day without even thinking about it. That said, email is the most vulnerable security gateway into your company, so keep an eye on how it is being used.
- Educate your employees on email security best practices
If you truly value security, educate your employees. Every employee is a potential vulnerability, and if you don’t train them, you have a higher probability of being breached through an employee who is duped by a phishing email.
- Use multi-factor authentication
Sometimes this is referred to as 2-factor authentication (a type of multi-factor authentication). It prompts you for two pieces of authentication, usually meaning that in addition to a password, a temporary passcode is sent to your mobile phone via text message.
- Consider utilizing an encryption add-on
Even when you have TLS in place, it is worth considering additional encryption, especially for your most targeted employees in the executive suite and finance.
- Get your employees to use your VPN
Make sure you teach your employees how to securely use public networks during business trips, when working from home, or in a coffee shop, by using your VPN. A VPN protects against cybercriminals eavesdropping on sensitive data: using the newest TLS protocol, it encrypts and secures the remote user’s activities and communications.
- Keep antivirus programs installed
Not only is it the best practice to install antivirus on your mail server, but you should install antivirus on every employee’s machine. This adds an additional security layer and helps catch anything that might have been missed earlier on.
Best practices for employees
- Don’t mix your email accounts. If you start using your work email address for personal communications or interests, it could open the door to more security risks. Do not mix communications across both channels.
- Use your browser or Gmail in private mode (also known as the Incognito or privacy mode) when composing emails.
- Be careful which devices you use. If your personal device is infected with malware, logging into your professional email account could expose your company to a ransomware attack.
- Be careful which WiFi networks you use if you aren’t using your VPN. Using publicly accessible, unsecured WiFi to log into your email makes you vulnerable.
- Cybercriminals rely on email as their medium of choice for scams. One of the most common email scams is sending an email that mimics the appearance of a trusted authority (like your CEO) to lure you into giving out sensitive information.
- Never open an untrusted attachment, since email attachments are commonly used to spread malware. If you’re ever in doubt and the sender is someone you trust, call them and ask them to verify the attachment’s contents.
- Investigate and report suspicious messages. Sometimes, an online search for the message’s subject line or contents will turn up many pages identifying the message as a scam; you probably aren’t the first to be targeted. If the message seems to come from a reliable source and the sender is someone you trust, call them and ask them to verify it.
- Cybercriminals often use a link-shortening service to disguise the “real” link they’re sending you. Fortunately, trusted link-shortening services allow you to preview a link before clicking it when a + symbol is appended to the end of the URL.
- Avoid giving away your email address. Many websites ask for your email address to access their internal content, but avoid it if you don’t have to give it out.
- Never give away personal information in an email. No reputable agent or company will ever ask you to send personally identifying information over email. If anyone asks you for a credit card number, social security number, birthday, or password over email, it’s likely a scam.
- Do not reply to scammers and spammers. If you’ve identified a scammer, don’t reply, but forward the message to your cybersecurity team and notify them of the problem.
- Unsubscribe from everything you don’t read. Less email means greater security.
- Periodically review your security and privacy settings. Every few months, take a moment to review all the security and privacy settings in the email solution you use: check the secondary forms of contact information that can be used to verify your identity, and check whether there have been any unauthorized or unrecognized attempts to log into your account.
2. Have network security measures in place
Multi-layered email security is the only way to protect your server and prevent Business Email Compromise (BEC).
As many filters as possible should be configured in cascading order on your email server. One of the biggest problems is that spam is often phishing that contains malicious URLs or attachments, which infect the user’s system and usually the entire company, compromising everyone and possibly resulting in a ransomware attack. So protecting mail servers from spam is the most important network security measure that you, as an organization, can take.
- By including your email server in your corporate network perimeter security, you can keep the attack surface of your email server as small as possible. Do this by blocking as much spam as possible with email servers at your edge. After the connection level checks are complete, relay the remaining messages to another email server behind your corporate firewall. This protects the remaining filter processes and user access authentication.
Also, consider using an edge server like Postfix, Exim, or Microsoft Exchange Server in front of any other cloud hosting service as an additional layer of protection. Remember that all products have vulnerabilities and may not protect your business enough in a constantly changing landscape, especially if your industry or business is specifically targeted. Even the two most well-known gateways, Google Workspace and Microsoft O365, have had vulnerabilities exploited.
According to a 2021 Verizon report, 90% of confirmed phishing email attacks took place in environments that used Secure Email Gateways (SEGs).
- Regardless of whether you have an edge server or not, always be extremely careful how you configure mail relay options, to avoid unintentionally becoming an open relay that allows spammers to relay spam through your mail server.
Settings for relaying mail should always list the IP addresses and domains allowed to relay. Sending email should be intentionally restrictive.
- The next step is to configure all your spam filters to ensure the security of your inbound and outbound mail server and to block spam before it enters the server. We have summarized the spam filter settings below, but please visit our blog post, “The more Filters, the better,” for a more in-depth configuration discussion of this multilayered stack.
- Configure rate limits to prevent an attacker from attempting to bring down the email service through spam floods and DoS/DDoS attacks.
- Configure your PTR record so that your server has rDNS (reverse DNS) correctly configured.
- Configure and use real-time DNS Blocklists (DNSBL) to reject mail. A well-designed suite of blocklists, like Abusix Mail Intelligence, will block over 99% of spam during the connection session, so this is probably the best way to keep your email protected.
- Block inbound IP addresses identified as spamming, compromised, or not configured (or not configured correctly) for sending email. Also, block domains identified as spamming.
- Block outbound mail from IP addresses that attempt to send outbound email but authenticate from compromised systems. They are either users with compromised machines or, more likely, compromised machines being used to access a locally compromised account; either way, both are bad. This is how you keep an Exchange server from ending up on spam blocklists.
- Use local inbound blocklists that are already integrated into your server, to give your cybersecurity team a way to block spammers and phishers that uniquely target your specific business, especially since spear-phishing is on the rise.
- Set up email authentication for yourself by creating or updating your DNS TXT records for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance).
- Now configure content filters in your server as your last layer of checks.
- An anti-spam filter will check the message body for spam. Anything that does not pass these ends up in the spam folder.
- Anti-virus will check the attachments for malware. Any messages with malware will usually be deleted by the system and will not end up in the spam folder.
- Specialized, commercial anti-phishing filters will check for phishing URLs in the message body and attachments. These messages will also often not end up in the spam folder but will be deleted by the system.
Tip: Always install open-source filter solutions, even if you install a commercial solution, since open-source solutions provide a way to customize filtering specifically for your business and integrate third-party content blocklists.
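To check the SPF and DMARC records you publish, here is an added example in Python (not code from the original article) that lints record text for the weak settings that undermine email authentication. It works on constructed record strings so it runs offline; in practice you would feed it the TXT records returned by your own DNS lookups.

```python
# Constructed SPF and DMARC TXT records for illustration; not any real
# domain's published records. Keys are the names you would look up.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "weak.example": "v=spf1 a mx ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; pct=50",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

def check_spf(record):
    """Return a list of weaknesses found in an SPF record (empty = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    mechs = [t for t in terms[1:] if "=" not in t]   # skip redirect=/exp=
    names = [t.lstrip("+-~?").split(":")[0].lower() for t in mechs]
    all_term = next((t for t, n in zip(mechs, names) if n == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet")
    elif all_term == "?all":
        findings.append("'?all' is neutral and offers no protection")
    elif all_term == "~all":
        findings.append("'~all' softfail: receivers may still accept spoofs")
    lookups = sum(n in LOOKUP_MECHS for n in names)
    lookups += sum(t.lower().startswith("redirect=") for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    return findings

def check_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty = OK)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will get no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of mail")
    return findings
```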
- Turn on TLS encryption (Transport Layer Security)
Don’t just use TLS with SMTP between servers; use it with POP3 and IMAP authentication; encrypt everything to dissuade anyone who attempts a man-in-the-middle (MitM) type attack.
If you wish to use more robust encryption, consider using an email encryption gateway like ZixEncrypt to enable S/MIME or PGP/MIME. Also read the M3AAWG TLS recommendations for email here.
- Assure strong user Multi-Factor Authentication (2FA/DFA)
Enable Multi-Factor Authentication (2FA/DFA) for all email application users. If you do not have MFA for the mail server, invest in an Identity and Access Management (IAM) solution and integrate it with your email server. Using SMTP authentication with only usernames and passwords is too vulnerable, which is why webmail applications like Gmail and Microsoft O365 are moving away from it. Also read the M3AAWG MFA recommendations for email here.
- Reduce the amount of stored data
Data stored on the server is always susceptible to theft. Any unnecessary data stored on the server simply widens the potential attack surface, adds to the cost of an attack, and increases the likelihood that a message may be reused later in a spear phish. The rule is simple: if it’s not needed, throw it away. Store the minimum amount of message data.
- Keep your software up-to-date
If you haven’t been checking along the way, review and update every piece of firmware, operating system, software, and service, and if automatic updating is available, turn it on. Do not forget this step: software always contains vulnerabilities, so vendors regularly issue patches as they are identified. Apply patches automatically or set up a watch list to ensure you are aware of all the latest security patches.
- Disable all unused interfaces or services
Ensure you aren’t running unnecessary software and that all open ports are in use and thoroughly protected (for example, via authorization requirements).
- Create a clone of your server
If you have one server and one set of MX DNS records, you need to create a clone of your server, identical to the primary server, with all the same filtering. Also, create at least one other set of MX DNS records, ensuring you update your hostname, PTR, and SPF records for the additional server. Install the second server in a second data center, separate from the first.
- Create an automated backup for all of your data
Configure a real-time backup of all your mail server data to another location off-site.
- And last but not least, enable logging
You need to be sure your cybersecurity team has logs so they can effectively monitor all inbound and outbound traffic for anomalies, and so you can go back and review server performance.
Also take a look at our other articles regarding phishing, the worst type of spam: A Business Guide to Preventing Phishing.
3. Have cybersecurity measures in place
An excellent way to limit vulnerabilities and keep your users safe is to apply the best practices for email server setup and maintenance that we outlined above. While this ensures no apparent holes in your defenses and provides you with a solid foundation for the most common issues, you still need to ensure you are secure. Thus, you need to implement cybersecurity best practices and processes that monitor everything. By monitoring, vulnerabilities will begin to reveal themselves, and if you get attacked, you will be able to backtrack and understand the exploit better to protect against it happening again.
Monitor incoming message system logs and user authentication sessions. For outbound mail, monitor message system logs, bounce rates, spam feedback loops, and all abuse complaints sent directly to you by your users or to your postmaster@ role address. Also, watch how your server settings impact mail flow; often, they are either too loose or too tight, so make adjustments accordingly.
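As an added example (not code from the original article), here is a small Python script that runs the kind of anomaly checks the logging and monitoring advice above calls for over constructed Postfix-style log lines: repeated SASL login failures from one client IP, one account authenticating from many client IPs (the compromised-account case described under outbound blocking), and submission bursts that a rate limit should catch. The log lines, addresses and thresholds are assumptions; tune the thresholds to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix-style log lines (syslog format) for illustration only;
# the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Mar  3 10:00:02 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Mar  3 10:00:03 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Mar  3 10:00:04 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Mar  3 10:00:05 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Mar  3 10:01:10 mx1 postfix/submission/smtpd[1240]: 3F2A1B: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:01:12 mx1 postfix/submission/smtpd[1240]: 3F2A1C: client=unknown[198.51.100.8], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:01:15 mx1 postfix/submission/smtpd[1240]: 3F2A1D: client=unknown[192.0.2.33], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:01:20 mx1 postfix/submission/smtpd[1240]: 3F2A1E: client=unknown[192.0.2.34], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:02:00 mx1 postfix/submission/smtpd[1241]: 3F2A20: client=pc12.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# Failed SASL login: the client IP is inside the brackets before ": SASL".
AUTH_FAIL = re.compile(r"\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
# Successful authenticated submission: client IP plus the SASL username.
AUTH_OK = re.compile(r"client=\S+\[(?P<ip>[\d.]+)\].*sasl_username=(?P<user>\S+)")

def analyze(log_text, fail_threshold=5, ip_threshold=3, burst_threshold=4):
    """Return (kind, subject, count) findings from a block of Postfix logs."""
    fails = Counter()              # failed logins per client IP
    user_ips = defaultdict(set)    # distinct client IPs per account
    submissions = Counter()        # authenticated submissions per account
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            fails[m["ip"]] += 1
            continue
        m = AUTH_OK.search(line)
        if m:
            user_ips[m["user"]].add(m["ip"])
            submissions[m["user"]] += 1
    findings = []
    for ip, n in fails.items():
        if n >= fail_threshold:           # password guessing against SASL
            findings.append(("brute_force", ip, n))
    for user, ips in user_ips.items():
        if len(ips) >= ip_threshold:      # one account, many machines
            findings.append(("many_ips", user, len(ips)))
    for user, n in submissions.items():
        if n >= burst_threshold:          # sending burst, rate-limit candidate
            findings.append(("burst", user, n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```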
Also, work with your cybersecurity team member who manages your abuse@ role address to be on the lookout for any reported issues about your mail server IP addresses.
Lastly, keep an incident journal of observations you make in your monitoring and server settings. Initially, you won’t want to investigate each detail; you will be hunting for specific vulnerabilities that can be closed with a quick setting.
It’s impossible to weed out every vulnerability, but every cybersecurity breach results from a particular vulnerability. You should do what you can, wherever you can.
4. Network security maintenance and server performance management
Maintenance
Hardware firmware, operating systems, the email server, and associated software and services should be checked for security patches and new signatures/rules, with new ones applied at least on a yearly cycle, if not quarterly.
Server performance
Regularly monitor connection limits and overall load balancing, including memory, NIC bandwidth, and CPU utilization. If the total number of connections, the number of simultaneous connections, and the maximum connection rate are set high, consider reducing them to help improve server performance. Remember, you don’t need to allow as many connections as a large ISP does. The only legitimate senders that will use those limits will use them to send email marketing and newsletters.
In summary
Information security assures that you have the proper security management structure, policies, and best practices in place, and maintaining a set of “better” best practices, sets the vision for future upgrades.
Network security will make sure the server is optimized and, since no one solution will catch everything, applies a multi-layered approach. Including Abusix Mail Intelligence in two of your message filtering layers (during the connection session and in content filtering) will catch in excess of 99% of incoming spam messages. This leaves your remaining filters with more machine capacity to keep your email protected.
Cybersecurity will continually monitor: since email is the primary attack vector for spam, phishing, and ransomware attacks, you always need to assume you are next.
Additionally, your cybersecurity team will be your lead for employee cybersecurity training, since they are both monitoring industry trends and seeing the attempted attacks on your network. Your human security layer is one of your best sensors for seeing what is getting through your network security layer, and for applying more network security in reject, drop, and filtering decisions.
Lastly, maintain and upgrade your network security posture continually, because cybercriminals shape-shift, so you need to be continually upping your game in response, too.