Check: EMG2-021 Exch2K3
Microsoft Exchange Server 2003 (in version v1 r5)
Title
The E-Mail server is not protected by having connections from “Sender Filter” sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter. (Cat II impact)
Discussion
SPAM origination sites and other sources of suspected E-Mail-borne malware have the ability to corrupt, compromise, or otherwise limit the availability of E-Mail servers. Limiting exposure to unfiltered inbound messages reduces the risk of SPAM and malware impacts. It is recommended that the "drop connection" action be taken when inbound requests come from addresses that match sender filters (such as those on the Block List), and that this be performed in the perimeter network by an E-Mail Secure Gateway server, because eliminating threats there prevents their being evaluated inside the enclave, where there is more risk that they can do harm. If the other party has other messages to send, it must re-initiate the Simple Mail Transfer Protocol (SMTP) connection to start sending the next message (as opposed to simply continuing the current connection). This slows the rate at which the blocked sender is able to send messages to the server, further mitigating the potential for a Denial of Service attack.
Check Content
Interview the E-mail Administrator or the IAO. Request documentation showing that connections from sources matching sender filters are dropped on an Edge Transport Role (E-mail Secure Gateway) server outside the enclave at the perimeter. Criteria: If incoming connections from "sender filter" sources are dropped, this is not a finding.
Fix Text
Implement perimeter-based protection in the form of a Secure E-mail Gateway that, among other protections, drops connections when the sending address matches "sender filter" sources, eliminating SPAM before message traffic is forwarded to mailbox servers.
Additional Identifiers
Rule ID: SV-20294r1_rule
Vulnerability ID: V-18675
Group Title:
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |