Email is a communication channel that is becoming increasingly vital for the management of critical information. People depend on email for order confirmations and receiving and printing travel and event tickets. Additionally, people rely on email for valuable local alerts about weather, traffic, and other emergencies. Users have immense expectations of how their email will perform, even free webmail. They expect to receive all the messages they want and none of the messages they don’t want, within seconds. They also expect to be able to trust the messages they receive.
While society continues to use email to do more urgent things, industry standards, mailbox providers, and technology struggle to keep up. Mailbox providers are challenged with providing a service that is fast, accurate, and protects users from fraud.
New Jersey implemented a vote-by-email process for residents who were displaced by Hurricane Sandy. Voting by email is fraught with challenges and is something that hasn’t been adopted because of the cost to do it safely, accurately, and securely. But tough times call for tough measures, and when residents of New Jersey found themselves displaced from their homes and towns as the Presidential election approached, New Jersey Governor Chris Christie made a tough call. Displaced residents would be allowed to vote for the U.S. President over email.
Using email to submit a vote for the President is undoubtedly serious and requires that everyone involved trust and accept the results. Let’s take a look at what could go wrong in this scenario and what mailbox providers and the email industry can do to protect the American people and our votes.
What Could Go Wrong #1: Users receive fraudulent ballots, phish, malware, etc.
If voting by email becomes mainstream, email users will expect to receive email about it from their election officials. This is the perfect stage for a cybercriminal. Send emails saying voting instructions are attached, and it’s a malicious executable file. Send emails saying to visit a certain link for voting instructions, which leads to a phishing site to gather user credentials. Better yet, send fraudulent ballots and instructions that users will follow and, therefore, not have their vote counted.
What Could Go Wrong #2: Intercepted and Altered Votes
How do you create a system where users trust that their vote is being counted exactly as they intended? There is the potential for fraud in all forms of voting, but the farther a person is removed from the process, the more doubt creeps up. Did my email make it to the right person? Is there any chance my email could be altered or intercepted, and my vote changed? Was my vote even counted? Software exists that can intercept and alter messages during the email transmission, which is invisible to the naked eye. Global operations with a vested interest in a particular election result would go to extraordinary lengths to ensure votes were altered to put their preferred candidate in the lead.
What Could Go Wrong #3: Distributed Denial of Service (DDOS) of Election Mail Servers
If somebody wanted to mess with the U.S. voting process, conducting a DDOS attack on the election mail servers would be a quick way to wreak havoc and cause officials to move to backup measures that would increase the vulnerability of the process. In New Jersey, servers were overwhelmed and eventually disabled due to the volume of emails being processed and the size of the attachments being included on each email (the vote/ballot itself). As a result, one election official posted to his Facebook page that people could send their votes directly to his Hotmail account, which security experts quickly pointed out could be hacked easily by simply finding out the official’s mother’s maiden name.
So, What Can We Do To Protect This Process If (When?) It’s Used Again?
Voting by email is just one example of how email is being used to send more critical information. ISPs, mailbox providers, and others in the email technology and security field should protect these processes, protect end users from fraud, and ensure that email is a reliable mechanism for conducting essential business. After all, whether email gets used for this purpose is not for us to decide. All we can do is make it work better when the time comes. Here at Return Path, we are committed to helping mailbox providers protect their systems and their users.
1. Authenticate Outbound Mail
First, you need to authenticate your outbound mail with SPF and DKIM, and create a DMARC record. This will allow receiving networks to confirm that mail purporting to be from your system is (SPF), that messages have not been altered or intercepted (DKIM), and tells the receiving network what to do with a message that appears to be fraudulent (DMARC). By implementing these authentication measures, you allow receiving networks to protect their users from fraudulent and spoofed emails that look as they are from your system.
2. Check Authentication Inbound
In addition to ensuring that your outbound mail is authenticated, you should be checking authentication on your inbound mail to ensure you’re not delivering spoofed and altered messages to your users.
3. Monitor Your Outbound Traffic
If you’re authenticating your outbound mail but the receiving network isn’t checking authentication inbound, then spam from your network could still reach end users. This not only puts end users at risk but is also a risk to your outbound IP reputation and can cause other networks to block or filter your mail. Wouldn't it be nice to have a tool to help you identify the sources of spam emanating from your network so you can shut down compromised accounts quickly and protect your outbound IP reputation? Return Path will have more to say on this topic in the coming weeks, so stay tuned.
Ready, Set… Protect!
Hopefully I have convinced you that it’s imperative for a mailbox provider to protect its end users from fraud and ensure that fraudulent mail isn’t being sent from its servers. Return Path is here to help you implement these necessary security measures on your system. Please get in touch with us today.