Return to sender?
Several researchers have identified a new e-mail attack that can be used to swamp enterprise e-mail servers, as well as some secondary systems.
Several researchers have identified a new e-mail attack that can be used to swamp enterprise e-mail servers, as well as some secondary systems. Experiments revealed that nearly 60% of general and 30% of Fortune 500 systems and domains could be leveraged for an attack.
Senior security consultant Stefan Frei, who operates a Swiss e-mail portal, discovered a way that malicious users could swamp e-mail servers and accounts. In early April he reported it in a paper coauthored with software architect Ivo Silvestri of Germany-based ISi Technologie and professional services director Gunter Ollmann of U.K.-based Next Generation Security Software.
Frei noticed that his portal would periodically be deluged for days with traffic for nonexistent accounts. The researchers found that systems were trying to be informative and were generating non-delivery notifications (NDNs) in response to failed spam.
But this behavior can also form the basis for an attack. What's more, because of the way e-mail may be split between servers it can reach even secondary systems. Ollmann said, "The final receiving, or internal, mail server may be overwhelmed as well."
In the report, the trio explained how an attack could happen, beginning with a spoofed e-mail originator at the target. A message is sent to multiple invalid recipients. The system sends NDNs flooding back to the spoofed address. The assault can be further multiplied by adding an attachment to the initial message.
There are plenty of systems to leverage for an attack. "We were rather shocked at these findings. We did not realize that the problem was so widespread," said Ollmann.
The researchers recommend mail server changes to lessen the problem -- such as not accepting mail for invalid recipients, limiting the maximum number of recipients, generating few and small error messages and validating input data. The group is working on pinpointing the worst offending SMTP hosts and generating specific fix information. That should be available soon.
All of these fixes don't help a target ward off an attack. As Ollmann pointed out, about the only option is to block systems at the ISP level by, perhaps, blacklisting offending mail servers. That solution, however, brings its own set of problems.
Jim McGrath, senior director of product management in the security products group at San Jose, Calif.-based NetIQ, has seen NDN floods, but no deliberate attacks. However, he noted that rejecting mail for invalid recipients can be difficult to implement and exposes an organization to directory harvesting attacks.
Rami Habal, senior product manager at Cupertino, Calif.-based enterprise messaging solutions provider Proofpoint, has also seen NDN torrents. His preferred solution is to have gateway servers verify downstream and then reject, if necessary, using SMTP. He said, "If you are generating NDN messages, then it is already too late."
