Can Outbound Gateway vendors be trusted?
Question asked by Douglas Foster - Yesterday at 1:45 PM
Many email filtering vendors act as both inbound gateway and outbound gateway for their clients.  My interest is the outbound gateway role, because it inserts an intermediate organization between the message originator and my MX server.

The client configures the vendor's server into their SPF policy, and the vendor typically adds a DKIM signature as well, ensuring that the message is dual-authenticated.  However, the dual authentication is only meaningful if the gateway vendor has authenticated sender identity on the message that it received.   If the gateway vendor has been duped into accepting a fraudulently identified message, then I am also a dupe if I accept the message as authenticated.

I have tried asking a few vendors how they authenticate messages that claim to be from their clients.   So far I have these results:

Favorable:
  • Trend Micro reports: "Agents and servers use certificates and authentication keys to authenticate and ensure the connection is trusted."
  • ZixCorp reports: "Messages are only accepted that are encrypted and verified per an internal keyserver."
Silent:
  • I have asked MimeCast and ProofPoint but have not received a reply.
Negative from observed messages:
  • Outlook.com can operate as an outbound gateway.  When it does so, it calculates results for SPF, DKIM, and DMARC, and then logs the results in an ARC Set.   Unfortunately, it does not block on authentication failure.  While many authentication failures are false positives, some are malicious impersonations.   This concern started when I was getting a bunch of traffic that impersonated the Health department of the government of Puerto Rico.

  • I have one piece of evidence of successful impersonation through one well-known filtering vendor, who shall remain anonymous for the moment.  I have had great difficulty figuring out how to send abuse reports to them.  Today, I was given a different email address to use, and have resubmitted my evidence.   No acknowledgement yet.
These problems were detected by my content filtering product.   So far no other problematic vendors have been detected, and the volume of exploits is currently low, but I don't expect it to stay that way.
 
Do you know specific vendors that have good techniques for client authentication, so that they cannot be duped?   Please post those to this message.

Do you know of other vendors that are vulnerable to duping?   Please reply with a Private Message.
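The Outlook.com case above (the gateway records the originator's failing SPF/DKIM/DMARC results in an ARC set, relays anyway, and the receiving MX then sees a fresh SPF pass from the gateway's own IP) can be turned into a receiving-side check. The following is an added example, not code from the thread or from any vendor: it parses the receiver's own Authentication-Results (RFC 8601) and the gateway's ARC-Authentication-Results (RFC 8617) and refuses to inherit a pass that the originating hop did not earn. The sample message, the domains `client.example`, `gw.example`, `mx.receiver.example` and the function names are constructed for illustration, and the code assumes the MTA has already validated the ARC chain (cv=pass) before the AAR contents are trusted.

```python
import email
import re

# Constructed sample (assumption): a gateway "gw.example" accepted a submission whose
# SPF failed and which had no DKIM (dmarc=fail at i=1), relayed it, and the
# receiving MX then stamped spf=pass because gw.example is in client.example's SPF.
SAMPLE_SUSPECT = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=client.example; dkim=pass header.d=client.example; dmarc=pass header.from=client.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=gw.example; s=arc; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; d=gw.example; s=arc; h=from:to:subject; bh=...; b=...
ARC-Authentication-Results: i=1; gw.example; spf=fail smtp.mailfrom=client.example; dkim=none; dmarc=fail header.from=client.example
From: Billing <billing@client.example>
To: victim@receiver.example
Subject: Invoice

Please pay.
"""

# Same relay path, but the originator authenticated properly at the gateway.
SAMPLE_CLEAN = SAMPLE_SUSPECT.replace(
    "spf=fail smtp.mailfrom=client.example; dkim=none; dmarc=fail",
    "spf=pass smtp.mailfrom=client.example; dkim=pass header.d=client.example; dmarc=pass",
)


def parse_authres(value):
    """Parse an Authentication-Results or ARC-Authentication-Results value.

    Returns (instance, authserv_id, results): instance is the ARC i= value or None
    for a plain Authentication-Results header; results maps method -> result,
    e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} (property values are ignored).
    """
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    instance = None
    if clauses and re.fullmatch(r"i=\d+", clauses[0]):
        instance = int(clauses[0][2:])
        clauses.pop(0)
    authserv_id = clauses.pop(0).split()[0] if clauses else ""
    results = {}
    for clause in clauses:
        m = re.match(r"([a-z0-9-]+)=([a-z0-9-]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return instance, authserv_id, results


def originator_results(msg):
    """The ARC-Authentication-Results with the lowest instance number: what the first
    ARC-participating hop (the outbound gateway) saw when it accepted the message."""
    sets = {}
    for raw in msg.get_all("ARC-Authentication-Results", []):
        inst, authserv, res = parse_authres(raw)
        if inst is not None:
            sets[inst] = (authserv, res)
    return sets[min(sets)] if sets else None


def verdict(raw_message):
    """Classify a relayed message as seen by the receiving MX.

    'fail'    : our own Authentication-Results did not reach dmarc=pass.
    'suspect' : we see a pass, but the gateway recorded dmarc=fail (or neither SPF nor
                DKIM passing) at the hop where it accepted the message, so our pass was
                inherited from an unauthenticated submission.
    'pass'    : our pass and nothing upstream contradicts it (or no ARC data at all).
    Assumption: the ARC chain was already validated (cv=pass) by the MTA.
    """
    msg = email.message_from_string(raw_message)
    local = {}
    for raw in msg.get_all("Authentication-Results", []):
        _, _, res = parse_authres(raw)
        local.update(res)
    if local.get("dmarc") != "pass":
        return "fail"
    upstream = originator_results(msg)
    if upstream is None:
        return "pass"
    _, res = upstream
    if res.get("dmarc") == "fail" or (res.get("spf") != "pass" and res.get("dkim") != "pass"):
        return "suspect"
    return "pass"


if __name__ == "__main__":
    print("suspect sample:", verdict(SAMPLE_SUSPECT))
    print("clean sample:  ", verdict(SAMPLE_CLEAN))
```

A "suspect" verdict is the case the post describes: the gateway's relay IP and signature make the message look dual-authenticated to the MX, while the gateway's own record says the submitter never proved it was the client. Without an ARC set from the gateway there is nothing to check, which is why the question of how each vendor authenticates submissions matters.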
  



3 Replies

J. LaDow Replied
We use SMTP2GO for some of our outbound delivery - we haven't investigated the issues you're mentioning directly, but we have no deliverability issues.  They do their own signing and we authenticate our servers to theirs - if they do deliverability DKIM and DMARC are handled by them - with us providing some DNS records so their mails will be accepted on behalf of our domains.
MailEnable survivor / convert --
Douglas Foster Replied
I checked my email logs.  Everything that I get from SMTP2GO was submitted to them over a private IP, so apparently they set up a VPN connection for every client.   For my purposes as an evaluator, that means that they have authenticated you.   Since they charge a fee to send more than a trivial amount of messages, I expect they have a fairly low spam rate as well.

Some outbound gateways are intended to detect and block outbound spam caused by a compromise of your environment.   From their website, it does not appear that they provide that feature.

Any shared service creates a risk that an impersonation of your domain, originated by or routed through another client on the same service, will pick up at least SPF PASS for your domain, and possibly DKIM as well.
J. LaDow Replied
Authentication is via IP address of sending server, or via username/login.  There is also a send API available (authenticated as well).

They send on a subdomain of your main domain, with you using your DNS via SPF, DKIM, and DMARC to secure the messages. They handle signing of messages that are sent from their servers. There is no way for "another client" to abuse their servers under the disguise of one of our domains (or any other they host). Authentication prevents that and proper DNS guarantees it.

We have had more than one account hacked in the past and been abused to send spam. Their systems caught the issues early on and limited the outgoing mail accordingly. No system is foolproof. Deliverability is good. We have a couple sites that can send upwards of 10k transactional emails a day - and have had no issues.

They have a decent feedback loop system, and their API will even handle NDR tracing if you wanted to take an integration that far. One site we host uses the integration to track undeliverable transaction messages from their site and flags the user account for attention, etc.

Nothing I post is a "paid" post or content - only from experience.  We've used them for over a decade now without issue. Support is quick as well.


MailEnable survivor / convert --
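The two replies above disagree in an instructive way: Douglas Foster's point is that any shared relay whose address range sits in several customers' SPF records lets one tenant collect SPF PASS for another tenant's domain, and J. LaDow's point is that binding each authenticated tenant to its own domains at submission closes that hole. The following added example (not code from the thread, from SMTP2GO, or from any vendor) models both sides with a minimal SPF evaluator over a constructed DNS table and a toy gateway submission check. The zones `client.example`, `other-tenant.example`, `_spf.gateway.example`, the address block 203.0.113.0/24, the tenant credentials and every function name are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS TXT table (assumption): two tenants both include the shared
# gateway's address block in their SPF policy.
DNS_TXT = {
    "client.example": "v=spf1 include:_spf.gateway.example -all",
    "other-tenant.example": "v=spf1 include:_spf.gateway.example -all",
    "_spf.gateway.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Constructed gateway-side tenant table (assumption): which credential may send
# for which domains. Credentials stand in for IP allow-lists, logins or API keys.
TENANT_DOMAINS = {
    "tenant-A-apikey": {"client.example"},
    "tenant-B-apikey": {"other-tenant.example"},
}


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator: 'ip4' and 'include' mechanisms plus 'all', with the
    +/-/~/? qualifiers. Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or
    'permerror'. Only what this example needs; real SPF has many more mechanisms."""
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def gateway_accepts(credential, mail_from, bind_domains=True):
    """Submission check at the outbound gateway.

    bind_domains=False: the gateway only verifies the credential (the weak design
    Douglas Foster warns about). bind_domains=True: it also requires the envelope
    sender's domain to belong to the authenticated tenant (J. LaDow's description)."""
    if credential not in TENANT_DOMAINS:
        return False
    if not bind_domains:
        return True
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain in TENANT_DOMAINS[credential]


def relay_outcome(credential, mail_from, gateway_ip="203.0.113.7", bind_domains=True):
    """What the receiving MX ends up seeing for a message tenant `credential` tries
    to submit with envelope sender `mail_from`: either ('rejected at submission',
    None) or ('relayed', <SPF result for the MAIL FROM domain at the gateway IP>)."""
    if not gateway_accepts(credential, mail_from, bind_domains):
        return ("rejected at submission", None)
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return ("relayed", spf_check(domain, gateway_ip))


if __name__ == "__main__":
    # Tenant B impersonates client.example through the shared relay.
    print("no domain binding:", relay_outcome("tenant-B-apikey", "billing@client.example", bind_domains=False))
    print("with domain binding:", relay_outcome("tenant-B-apikey", "billing@client.example"))
    print("legitimate tenant A:", relay_outcome("tenant-A-apikey", "billing@client.example"))
```

With `bind_domains=False` the impersonation is relayed and the MX computes `spf=pass` for `client.example`, because the gateway's IP is in the client's SPF include and SPF cannot tell which tenant used it; if the gateway also DKIM-signs with the client's selector based on the From header, DKIM and DMARC alignment pass too. With the binding in place the message never leaves the gateway, which is the property the question is really asking each vendor about.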
