Email Attacks and Defense Against Them
Written by Lee Clemmer on September 23, 2009
My recent posts have discussed identifying commonalities in new occurrences of spam, and concerns to keep in mind regarding indirect attacks that use email as a vector. A strong perimeter defense and solid virus protection, along with an effective anti-spam solution, can lull us into a false sense of security. The seemingly constant stream of unwanted mail begins to look like little more than an annoyance rather than a continuing threat. In this post let’s look more closely at other methods of attack, how to recognize them, and how to defend against them.
Attacks against email servers, systems, and infrastructure are in many ways similar to attacks against other Internet-facing services, but they differ in several important ways. Just as a concerted attack that brings down your Web servers cuts off communication with customers, vendors, and others on the Internet, an attack that brings down email does the same.
Email is such a lifeblood of business communication that its failure could be considered a critical failure. If your business relies on email for critical communication and seldom has problems, it may not be immediately obvious to you, or to those trying to reach you, that the channel has failed. Of course, if you normally receive lots of email and it suddenly stops, the problem may be obvious very quickly. You might not notice at all, though, if internal mail is fine but Internet email slows or stops. Let’s consider the attacks specific to email that we need to be aware of, as well as the more generic attacks that can target any Internet-facing system.
- Denial of Service (DoS) Attacks (total connections) – If you have experience administering Internet systems you are likely aware of the threat of DoS attacks. Your firewall should be able to mitigate or prevent them by limiting the rate and the total number of inbound connections to your email servers, ideally per source address so that a single abusive client cannot consume the whole connection pool. Some types of servers can handle more connections than others: a Web server that serves simple (mainly text/HTML) content can handle many more connections than one that streams media. Servers can also be tuned to drop idle connections sooner and to raise their connection limits, but the firewall is where your best protection resides. SMTP servers are a special case because a session can legitimately last a long time (a slow link, a large attachment), so long-lived connections are a known problem, as we’ll see in the next type of attack.
- DoS (attachment content & size) – Related to overloading the server with connections, an SMTP server can be overloaded with transfers of large attachments, or with transfers that arrive so slowly that the connection lasts far longer than is reasonable. Each transfer holds server resources that are not released until it finishes, so a modest number of slow senders can tie up every inbound connection slot. Other attacks send attachments whose content crashes the anti-virus or content-scanning modules, or otherwise damages the attachment spool or the mail queues. Corrupt or maliciously crafted zipped attachments are problematic as well, since the scanner has to decompress them before it can inspect them. The usual controls are a maximum message size, an inactivity timeout on the DATA phase, and a limit on how large or how deeply nested an archive the scanner will expand.
- Mailbox stuffing or rejection overload (the server sends bounce/reject mail, NDR reports in Exchange) – Some attacks intentionally overload or “stuff” particular mailboxes that are known or discovered to be valid. If spam filtering does not block the messages, an overwhelming number will pile up and can crash the server or the mail client. A related attack forges the sender address and sends mail that is certain to fail, so that the receiving server generates a bounce (rejection) message, such as an NDR report in Microsoft Exchange. The unwitting owner of the forged address is then flooded with failure reports for mail they never sent. The server that does the damage here is one that accepts mail for any recipient and only afterwards discovers it cannot deliver it: by then the only place to send the failure notice is the forged sender. Modern mail servers are less likely to be used this way because they can validate the recipient and reject unknown addresses during the SMTP session, before the message is accepted, but it is sometimes possible.
- SMTP Auth Attacks (Exchange) – Some mail servers are used by remote users, and to prevent unauthorized users from relaying mail through the SMTP server, it is set up to require authentication. SMTP authentication is only as strong as the password used. A weak password on a known account makes the SMTP server as exposed as an open relay, with the added danger of a false sense of security; attackers guess at common account names and passwords, and without throttling or lockout on repeated failures they can keep guessing indefinitely. Authentication should also be offered only over TLS, since the common LOGIN and PLAIN mechanisms otherwise send the password in the clear (base64 is an encoding, not protection). A better method for allowing remote users to send mail is a strongly secured interface, perhaps a Web mail interface requiring strong authentication such as client certificates or USB tokens, or better yet access to email only via VPN.
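The two DoS items above (connection exhaustion and slow or oversized transfers) come down to three per-source limits: how many connections a client may hold open, how fast it may open new ones, and how slowly it may feed the DATA phase before the server gives up. The following is an added example, not code from the original post or from any firewall or mail server product; it models those limits and replays a constructed stream of connection events through them. Postfix’s anvil settings (smtpd_client_connection_count_limit, smtpd_client_connection_rate_limit) and Exchange receive connector settings (MaxInboundConnectionPerSource, ConnectionInactivityTimeout) enforce the same idea in production. All thresholds and addresses here are assumptions for illustration.

```python
"""Per-source SMTP connection policy: a concurrency cap, a connection-rate cap,
and a minimum-throughput check for deliberately slow DATA transfers.
Example added to illustrate the two DoS variants above; it is not code from the
original post or from any firewall or mail server product."""
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune them to your own traffic.
MAX_CONCURRENT = 10        # simultaneous open connections allowed per client IP
MAX_PER_WINDOW = 30        # new connections allowed per client IP per window
WINDOW_SECONDS = 60
MIN_BYTES_PER_SEC = 1024   # DATA transfers slower than this are treated as abusive
SLOW_GRACE_SECONDS = 30    # ignore throughput during the first seconds of a transfer


class ConnectionPolicy:
    def __init__(self):
        self.active = defaultdict(int)       # ip -> currently open connections
        self.recent = defaultdict(deque)     # ip -> timestamps of recent connects
        self.rejected = []                   # (ip, timestamp, reason)

    def connect(self, ip, ts):
        """Return True if a new connection from ip at time ts may proceed."""
        window = self.recent[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # expire connects outside the window
        if self.active[ip] >= MAX_CONCURRENT:
            self.rejected.append((ip, ts, "too many concurrent connections"))
            return False
        if len(window) >= MAX_PER_WINDOW:
            self.rejected.append((ip, ts, "connection rate exceeded"))
            return False
        window.append(ts)
        self.active[ip] += 1
        return True

    def disconnect(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1

    def check_transfer(self, ip, bytes_received, elapsed):
        """Return False (abort the session) if a DATA transfer stays below the
        throughput floor once the grace period has passed."""
        if elapsed <= SLOW_GRACE_SECONDS:
            return True
        if bytes_received / elapsed < MIN_BYTES_PER_SEC:
            self.rejected.append((ip, elapsed, "slow transfer"))
            return False
        return True


def run_simulation():
    """Replay a constructed event stream and summarise what the policy did."""
    policy = ConnectionPolicy()
    events = [(0.0, "192.0.2.10", "connect", None),          # a normal sender
              (5.0, "192.0.2.10", "disconnect", None)]
    # attacker A opens twelve connections and never closes them
    events += [(1.0 + i, "203.0.113.7", "connect", None) for i in range(12)]
    # attacker B opens and closes 35 connections in 35 seconds
    for i in range(35):
        events.append((10.0 + i, "198.51.100.9", "connect", None))
        events.append((10.1 + i, "198.51.100.9", "disconnect", None))
    # DATA-phase throughput samples: (bytes received so far, seconds elapsed)
    events.append((60.0, "192.0.2.10", "transfer", (5_000_000, 40.0)))  # 125 KB/s, fine
    events.append((61.0, "203.0.113.7", "transfer", (2_000, 60.0)))     # 33 B/s, abusive
    events.sort(key=lambda e: e[0])

    accepted = 0
    for ts, ip, kind, payload in events:
        if kind == "connect":
            accepted += policy.connect(ip, ts)
        elif kind == "disconnect":
            policy.disconnect(ip)
        else:
            policy.check_transfer(ip, *payload)
    reasons = {}
    for _, _, reason in policy.rejected:
        reasons[reason] = reasons.get(reason, 0) + 1
    return {"accepted": accepted, "rejected": reasons, "active": dict(policy.active)}


if __name__ == "__main__":
    print(run_simulation())
```

The concurrency cap catches the client that opens sockets and never closes them, the rate cap catches the one that churns through short connections, and the throughput floor catches the slow-attachment sender that neither of the first two would notice. Note that the rate window is per source address; a distributed attack spread across many addresses needs the total-connection limit on the firewall that the text recommends.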
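For the bounce-flood (backscatter) variant described under mailbox stuffing above, the victim side can defend itself by signing the envelope sender of every outgoing message and then accepting bounces only for addresses it really signed. This is the idea behind BATV’s prvs tags, which the post does not mention; the block below is an added example modelled on that scheme and is not the original post’s code or a complete BATV implementation. The HMAC-SHA256 construction, the seven-day validity period, the key, and the day numbers used are assumptions.

```python
"""Sign the envelope sender of outgoing mail so that bounces addressed to anything
we never sent from can be rejected at RCPT TO time. Modelled on the BATV 'prvs'
scheme; the HMAC-SHA256 construction, the validity period and the key below are
assumptions of this added example, not the original post's code and not a
complete BATV implementation."""
import hashlib
import hmac

SECRET_KEY = b"replace-with-a-real-secret"   # placeholder; keep the real key out of source
KEY_VERSION = "1"                            # one digit, so keys can be rotated
VALIDITY_DAYS = 7                            # bounces older than this are not accepted


def _tag(key_version, expiry_day, address):
    """KDDDSSSSSS: key digit, 3-digit expiry day, 6 hex chars of HMAC."""
    msg = f"{key_version}{expiry_day:03d}{address}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{key_version}{expiry_day:03d}{digest[:6]}"


def sign_sender(address, today):
    """today: integer day number (days since the epoch). Returns the tagged
    address to use as MAIL FROM on outgoing mail."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + VALIDITY_DAYS) % 1000      # BATV keeps only three digits
    return f"prvs={_tag(KEY_VERSION, expiry, address)}={local}@{domain}"


def verify_bounce_recipient(address, today):
    """Check the RCPT TO address of an inbound bounce (MAIL FROM:<>).
    Returns (original_address, reason); original_address is None for rejects."""
    if not address.startswith("prvs="):
        return None, "untagged address: we never send from it, so this is backscatter"
    parts = address.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return None, "malformed tag"
    tag, original = parts[1], parts[2]
    key_version, expiry = tag[0], int(tag[1:4])
    if key_version != KEY_VERSION:
        return None, "unknown key version"
    if (expiry - today) % 1000 > VALIDITY_DAYS:
        return None, "tag expired"
    expected = _tag(key_version, expiry, original)
    if not hmac.compare_digest(expected, tag):
        return None, "bad signature"
    return original, "valid bounce"


if __name__ == "__main__":
    today = 20000                                # constructed day number
    signed = sign_sender("alice@example.com", today)
    print(signed)
    print(verify_bounce_recipient(signed, today + 2))
    print(verify_bounce_recipient("alice@example.com", today))
```

Two caveats matter in deployment. The check applies only to sessions whose MAIL FROM is the null sender (a bounce); ordinary inbound mail to alice@example.com must still be accepted untagged. And the rejection has to happen at RCPT TO, during the session, so the flood is refused before the server has taken responsibility for the messages; accepting them and bouncing afterwards would turn your own server into a second source of backscatter.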
Hopefully you won’t run into the worst of these attacks. Before you do, consider your options for preventing them from harming your email connectivity. If you don’t have a strong firewall with good defenses against DoS attacks, you really should get one. Email security monitoring and alerting can help detect the other types of attack before they get out of hand.
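The monitoring the closing paragraph calls for is straightforward for the SMTP Auth attack: the mail server already logs every failed and successful authentication, so the detection is counting failures per source address and noticing when a source that has been guessing suddenly succeeds. The block below is an added example, not the post’s or any vendor’s code; the log lines are constructed in Postfix’s syslog format (Exchange’s receive connector protocol logs carry the same information in a different layout), and the thresholds are assumptions to tune per site.

```python
"""Spot SMTP AUTH abuse in mail server logs: repeated failures from one source
(password guessing) and a success from a source that was just guessing (a weak
password has fallen). Added example; the log lines are constructed in Postfix's
syslog format and the thresholds are assumptions to tune per site."""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: warning: "
                     r"[^\s\[]+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
OK_RE = re.compile(SYSLOG_TS + r" \S+ postfix/smtpd\[\d+\]: \w+: client=[^\s\[]+"
                   r"\[(?P<ip>[\d.]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)")

FAIL_THRESHOLD = 10     # failures from one IP inside WINDOW_SECONDS -> brute force
WINDOW_SECONDS = 600
SUSPICIOUS_PRIOR = 3    # a success after this many recent failures is worth a look
YEAR = 2009             # syslog timestamps carry no year; assumed for parsing


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines):
    """Return a list of (alert_type, source_ip, username_or_None)."""
    failures = defaultdict(deque)   # ip -> timestamps of failures in the window
    flagged = set()
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)     # alert once per source, not once per failure
                alerts.append(("brute_force", ip, None))
            continue
        m = OK_RE.match(line)
        if m and len(failures[m["ip"]]) >= SUSPICIOUS_PRIOR:
            alerts.append(("success_after_failures", m["ip"], m["user"]))
    return alerts


# Constructed sample log: a legitimate typo, then a password-guessing run that ends in a success.
SAMPLE_LOG = [
    "Sep 23 10:14:30 mx1 postfix/smtpd[2311]: warning: laptop.example.net[192.0.2.10]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Sep 23 10:14:40 mx1 postfix/smtpd[2311]: 6A0F1B2C3D: client=laptop.example.net[192.0.2.10], "
    "sasl_method=LOGIN, sasl_username=alice",
]
SAMPLE_LOG += [
    f"Sep 23 10:15:{s:02d} mx1 postfix/smtpd[2345]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure"
    for s in range(12)
]
SAMPLE_LOG.append(
    "Sep 23 10:16:00 mx1 postfix/smtpd[2345]: 7B1A2C3D4E: client=unknown[203.0.113.5], "
    "sasl_method=LOGIN, sasl_username=bob"
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a brute-force run that ends in a success means the password for that account is now known to the attacker, and the account will be relaying spam through your server shortly, so the response is to lock the account and block the source, not just to tune the filter.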
Posted in Exchange server, email security, security