How should large financial institutions use hosted filtering?

This post is an opinion piece that reflects what I think are best practices. Should large financial institutions use hosted email services? Services like ours (Forefront Online Protection for Exchange, FOPE)? Why am I even asking this question?

I ask this question from a security perspective. The advantages of moving to hosted services are plenty:

• You no longer need to use your own email infrastructure to host your mail. This saves disk space and bandwidth.

• You can also just outsource your mail filtering to the cloud but still host your own mail on your own mail servers. This saves bandwidth and having to constantly upgrade your spam filters.

  

I’m not going to go into all the advantages because there are plenty. I work for the division that does hosted filtering and that’s how I make my living. It’s a good thing to do in many cases for inbound mail.

However, for outbound mail, the situation is different. Outbound mail is the opposite of the above: mail comes from your mail server, flows through us, and then goes to the Internet. The advantages of this, from a spam filtering perspective, is that we do outbound spam management and can typically ensure better outbound IP reputation and therefore improve (but not guarantee) better delivery. There are other advantages, but for spam that is one of the biggest ones.

The reason I ask the question above is because for inbound mail, multiple customers (everyone who wants to use hosted mail) use the same set of resources (our mail servers) as everyone else. This doesn’t matter because our service is designed to scale for inbound mail. If we ever start experiencing high traffic load, we just add more servers. Everyone’s mail flows through us, we scan it, and then deliver it to them.

For outbound, we are similarly using the same set of resources, but that also includes outbound IP addresses. This means that everyone sharing the same outbound IP reputation, and depends upon how well we maintain our outbound IP reputation.

We have spent a long time coming up with ways to reduce the amount of spam that comes out of our network. However, if one customer sends spam, it can end up degrading the deliverability of everyone’s mail. That’s part of the price that comes with using a shared set of IP addresses. Fortunately, we’re very good at keeping our IP reputation clean.

Customers using us put two sets of IP addresses into their SPF records:

1. Their own IP addresses from their on-premise mail servers – When the mail server connects to us, we perform an SPF check to ensure that the customer is not spoofing. If so, we take action upon the mail.

2. Our service’s outbound IP addresses – When the mail relays from us to the Internet, the 3rd party receiving the mail performs an SPF lookup on our IP addresses since that was the last hop that went to the world.

   

This means that every outbound customer mail goes through two SPF checks: once by us, and once by the final, intended recipient (it could actually be more SPF checks depending upon how the recipient has things set up).

This is all well and good when it comes to security, but remember, we are a shared IP service for outbound. What happens if Customer A is behaving but Customer B has become compromised and is sending out spam? And they send out spam by spoofing Customer A?

In the case of a zero-day spam campaign, before the filters have had time to catch up and catch the spam using some other method, this outbound spam will leak to the world. 3rd party filters on the Internet will do an SPF check and it will pass because it came from shared IP space.

So, the decision of whether to use shared IP space for outbound mail is complicated and involves various tradeoffs:

1.
What is the probability your brand will be spoofed?
I have my own personal domain. But I’m also just about a nobody. If you say my name to the average person on the street, pretty much no one would recognize it.

But if you are a large organization like Apple or Microsoft or UPS, then you are a target for spoofing. Spammers like to use those because people will recognize the brands and are more likely to take action to get something they want (such as a free iPod) or avoid something they don’t (such as getting locked out of their bank account).  
  
If you are a big, recognized company, then the odds that you will be spoofed go up. This means that there may be times when a spammer – either by maliciously signing up for the service or by compromising another customer – will spoof your brand and emit mail from the same set of IPs that you do.  
  
For large filtering services, remember that there are many, many other customers sharing that same IP space and many of them don’t have the same security policies that you do. While you may not get compromised, they might get hacked much more frequently and send spam from these compromised accounts.  
  

2. Do you care if your brand is spoofed?
   How closely do you care about whether or not your brand is spoofed? If someone spoofs my personal domain, I don’t care that much. I never send mail from it, I don’t sell anything, I’m just not important enough for someone to be fooled if my domain is spoofed.

   That’s all well and good for small companies, but what about large companies? If US Bank is spoofed, what kind of damage can occur? Obviously, if people fall for phishing scams, that costs people real money and real damage is done to US Bank’s brand. Same with Paypal. Same with Facebook.

   The cost associated with a successful spoof should be a determining factor about whether or not you should use shared IP space. Financial institutions need to adhere to tighter security requirements because of the downside of phishing.

One thing I don’t say is a determining factor is how good your hosted spam filtering service is at catching spoofed mail. Our service is very good at it, but we’re not perfect. No one is, because spammers have the advantage of testing their spam campaigns and tweaking them to avoid filters. Leaks sometimes occur especially if a large service has hundreds of thousands of customers. For this reason, I don’t personally recommend that financial institutions use outbound mail services that use shared IP space unless they are willing to accept the risk it entails.

So what can they do?

There are a couple of options:

1. Send mail from your own dedicated email infrastructure – High risk institutions can send mail from their own dedicated infrastructure. This means that if anyone ever tries to spoof them, since the sending IPs will not be in the SPF record (other than a rogue internal server), 3rd parties will not give it an SPF pass.

   I realize that this trades off the convenience of hosted filtering for maintaining your own infrastructure. You must weigh the costs of security (and people potentially falling for phishes) against the costs of hardware maintenance.

2. Send mail from a shared service if they can give you a dedicated IP address – Some shared IP services do provide you with dedicated IP addresses. If they do, you can just put that into your SPF record and then even if someone else spoofs you, it won’t matter because the IP it is coming from is not in your SPF record.

Those are the two best options that I see, and they are the ones that I recommend for organizations that are at high probability and high cost for spoofing.

There are a couple of technologies in the future that can assist with the problem of spoofing and shared IP services but they still a bit of a ways off from realization:

1. Email over IPv6 – I’ve written about email over IPv6 in the past and the risks it entails, but it does solve this spoofing risk. Every filtering service could simply provider their customer with its own dedicated IPv6 addresses from which to send mail. That solves the problem of shared IPs because everyone has their own.

   On the other hand, there are significant challenges to email over IPv6 that I’ve written about previously on this blog.

2. DMARC – DMARC is a new standard this year that is designed to combat certain types of phishing. If an organization said “I always sign with DKIM, and I always send mail that passes an SPF check” then on the receiver’s side, the SPF check is not the only thing to count on. If the message passes SPF but fails  DKIM, the message can be rejected. The spoofer will not succeed. This solves the problem of shared IP space because it relies on a technology (DKIM) that is not dependent upon IP addresses.

   The drawback of DMARC is that it’s still new and is not widely deployed. It is still too early to depend upon it because many email receivers are still not using it.

Those are my views to the problems of sending email through a shared outbound IP service, some workarounds, and future solutions.