We all tend to take email for granted – until it stops working or gets us into trouble. Actually, these two outcomes are somewhat related, such as when someone sends us a malware-infested phishing lure that can turn our mailbox into a remote-control spambot. This can have disastrous consequences for the entire enterprise and could cause everything from a ransomware attack to the blacklisting of a corporate email domain.
Blacklisting is the practice of publishing lists of known spam sources, identified by their originating IP addresses and domains. The list operators receive reports from users who have been spammed and from security systems that have logged attempted exploits. Once a source is listed, mail operators around the world block all email originating from those address ranges and domains. There are a number of blacklist providers, including the Real-time Blackhole list, the SSL Blacklist at abuse.ch, Cisco Talos (formerly called Senderbase) and Spamhaus.org. DNSlytics can check an address against 60 DNS-based anti-spam datasets. Just from these descriptions, you can see that different protocols are used to assemble these collections. We will focus on email blacklisting for this blog.
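Most of these lists are published as DNS zones, so you can check whether one of your own addresses is listed with an ordinary DNS lookup. The example below is added here and is not code from the original post or from any list operator; it assumes the standard DNSBL convention (IPv4 octets reversed under the list zone, an answer in 127.0.0.0/8 meaning "listed", NXDOMAIN meaning "not listed") and uses zen.spamhaus.org as an assumed example zone.

```python
from __future__ import annotations
import ipaddress
import socket

# Assumed example zone; any list that follows the DNSBL convention works the same way.
DNSBL_ZONE = "zen.spamhaus.org"
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    e.g. 203.0.113.5 -> 5.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(domain: str, zone: str) -> str:
    """Domain-based lists are queried with the domain itself, not reversed."""
    return f"{domain.rstrip('.').lower()}.{zone}"


def interpret_answer(records: list[str]) -> tuple[bool, list[str]]:
    """A DNSBL answers a listed address with A records inside 127.0.0.0/8.
    An empty answer (NXDOMAIN) means not listed. Anything outside 127/8 is
    not a valid listing answer, often a sign of a resolver that wildcards
    unknown names, so it is ignored rather than treated as a hit."""
    hits = [r for r in records if ipaddress.IPv4Address(r) in LISTED_RANGE]
    return (len(hits) > 0, hits)


def check_ip(ip: str, zone: str = DNSBL_ZONE) -> tuple[bool, list[str]]:
    """Live lookup (needs network). Returns (listed?, answer codes)."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return (False, [])  # NXDOMAIN: not listed
    answers = sorted({info[4][0] for info in infos})
    return interpret_answer(answers)


if __name__ == "__main__":
    # 127.0.0.2 is the conventional always-listed test address for DNSBLs.
    print(check_ip("127.0.0.2"))
```

Run the live check against your own outbound mail server addresses periodically; a hit is the signal to start the response and remediation steps below before customers' mail starts bouncing.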
Once an IP address or domain is listed on these services, it isn't easy to get it removed, even long after the spam or malware has been remediated. This becomes a challenge for corporate IT managers who want to keep their reputations intact. Ideally, you want to prevent your domain and your servers from ever being placed on these blacklists. That means you need to fight on three fronts: protection, response and remediation.
Other consequences are that all of your corporate email traffic may be blocked by your internet provider, or your domain's website may become unreachable. As you can see, this goes beyond a single piece of malware infecting a single computer, and could harm your business reputation too. Getting your internet presence restored could take months of effort, since there are so many different blackhole list operators to work and negotiate with.
The first step is establishing some form of email protection, which can range from running a hosted email service to using a variety of email protection tools. Typically, an enterprise will purchase a series of tools that screen for malware and viruses, classify and quarantine suspect emails and block non-malware threats such as impostor and business email compromise attacks. Some of these tools are built into hosted email services, such as Network Solutions' various hosted email solutions that come with anti-virus and anti-spam built in. Others are more comprehensive email gateways that screen for more sophisticated phishing attacks, such as emails posing as coming from a corporate executive. Another class of tools provides encrypted email, such as the Guard Encryption offered in Network Solutions' Professional Email Plus Package.
Second is having the ability to respond to any notifications from these tools and being able to analyze and act on suspected emails. This should be part of your security operations procedures, and you should have staff who are trained in understanding the events and being able to troubleshoot and triage them appropriately. The response activity is critical: in many cases, security breaches begin with a single phishing email that can result in a piece of malware being deposited on an endpoint. If this action goes ignored or undetected, an entire network can become compromised. If you don’t have your own security operations staff, you might want to consider employing a managed service provider for this task.
Finally comes the ability to remediate any issues these products find, in case a computer has become infected. This is the domain of endpoint protection products that work in conjunction with the hosted email and email security products. They can cleanse one or a group of computers that have been compromised with malware, and patch and update computers once an exploit has been discovered.
If you have any additional questions about blacklisting, please reach out to the team at Network Solutions.