Spam Might Be Your Biggest Headache, But It's Not Your Biggest Threat
by Peter Cox - Vice-President of BorderWare Technologies - Thursday, 22 January 2004.
In the last few years spam has grown exponentially. Despite changes in the law and the introduction of new regulations, junk email continues to flood in, overloading corporate networks and generally placing a strain on the business operation, not to mention the loss in productivity. Spam is now the number one issue for the majority of IT managers, but by focusing solely on this issue are they in danger of missing the wider issues of email security?

Many companies have taken a short-term view of the email security problem, tackling only the most obvious problems of viruses, trojans and spam and implementing piecemeal solutions to combat them. What they fail to consider is the growing threat from other sources such as malformed messages and denial of service attacks.

Most email client software has been sufficiently enhanced over the years to accept and "correct" corrupt or badly formatted headers. The majority of the time this is a helpful operation as it ensures speedy email delivery. However, not all anti-virus scanners "see" malformed messages and therefore do not check or scan them. This makes it possible to purposefully construct a malformed message that actually contains malware and deliver it, undetected, right into the heart of the corporate office.

In addition, some malformed messages can force the CPU to run at a hundred percent, thus causing the machine to crash. Email servers process messages with the same amount of fortitude as a dog with a bone, once it's got hold of it, it doesn't let go. A maliciously malformed message may result in a denial of service (DoS) attack, with the affected server unable to move on until it finishes processing, which could be hours.

DoS attacks can take many forms, Dictionary Harvest Attacks (DHA) for instance are used as a means to check for legitimate email address. Thousands of messages are sent to a corporate email server each one with a slightly different spelling to a name, unprotected email servers bounce back unknown recipients, allowing the spammer to collate a database of valid email addresses.

A recent report by Osterman Research said that one source estimated that approximately one-third of all email server processing was due to handling DHA. Email servers have finite processing capacity, even if a DHA doesn't make it fall over, it can severely impact on performance, not something many organisations can afford with a mission critical application.

The most common type of DoS attacks result from Buffer Overflow vulnerabilities, which take advantage of discovered weaknesses within an operating system. For example, Microsoft security bulletin MS03-046, the "Vulnerability in Exchange Server Could Allow Arbitrary Code Execution" problem identifies how an attacker can cause a buffer overrun that could permit them to essentially hijack an organisation's email servers and run malicious programs in the security context of the SMTP service. Vulnerabilities of this kind are reported regularly; this is the 46th Microsoft Security Bulletin issued this year alone.

These threats can be thwarted by regular patching, but for the average organisation keeping up to date on all the patches released is time consuming and expensive. Add to that the plethora of different technologies required to protect the server, the chances are that the server will run into difficulties because other applications running on the same system are incompatible. This is a particular problem when Spam, Anti-Virus or content filtering solutions are implemented as 3rd party add-ons or plug-ins on a mail server. There is always a risk that a new security patch cannot be installed because of the presence of the 3rd party product or that installing the patch will stop the product from working. The system administrator is then faced stark with the choice of leaving a critical system unpatched or disabling a security product until an updated version can be supplied.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th