E-Mail Threats
This newsletter was originally distributed by e-mail. Before you opened it, did you find yourself wondering
if it was safe? Did you catch yourself second guessing the effectiveness of your e-mail
protection? Have you ever wondered what you would do if this were the message that takes down
your PC or your mail server?
Dangerous and unwanted content is often transmitted by e-mail. Most of us have first-hand
experience with the e-mail we wish we hadn't opened. And businesses that have been connected
to the Internet long enough can quantify the cost of the one that got through.
In this article we will delve into the hostile world of e-mail and explore the threats your
e-mail server is exposed to every day. We'll see what Spammers do, and why they do it.
What You See Is Not What You Get!
Is it reasonable to assume that your e-mail server's workload is the sum of all of the e-mails
that are sent or received? Surprisingly, if you assumed that, you would be wrong. At XPMsoftware, we
monitor the aggregate e-mail activity across many organizations, and we get to see what is
actually going on, e-mail-wise. While ratios change from site to site, what we see in almost
every case is that wanted e-mail is typically less than 20% of a mail server's e-mail activity.
And sometimes, legitimate messages account for less than 1% of all e-mail activity.
If the majority of e-mail traffic is unwanted, what unwanted activity am I exposed to, and why
is it being sent to me?
To answer that question, we need to look at the types of messages that are received by a
typical mail server:
| Message Type | Category or Action | Description |
|---|---|---|
| Legitimate E-mail | Accept & Tag | E-mail to or from known e-mail peers, other people who have business with you, or people who have an interest in you or your organization. |
| Spam | Reject, Real Time Black Hole (RBL) | Usually marketing messages from people who are pushing questionable, counterfeit, illegal, immoral or unethical products or services. Often these messages originate from known spam-friendly networks. |
| E-Mail Address Harvesting | Relay | Spammers inundate your mail server with e-mail requests to random users. They do this using computers that are programmed to guess new e-mail addresses. The objective of this exhaustion attack is to stumble upon a new victim for their content. Given enough attempts, spammers eventually succeed. |
| Open Relay Attempts | Relay | Spammers are constantly on the lookout for machines they can compromise to relay e-mail. If they sent you e-mail directly, you'd most likely black-list them. By using relays (insecure mail servers or infected PCs), Spammers can hide their identity and their location. |
| Viruses and Worms | Reject | Because Spammers need relays to hide their true location, they routinely attempt to compromise mail servers and unprotected PCs. Insecurities in mail server or PC software allow spammers to install and control spam engines. If successful, the Spammer takes control of your machine and uses it to distribute Spam. |
| Denial of Service Attacks | Reject, RBL, Relay | Spam filters interfere with Spammers and are viewed by Spammers as costing them money. As a result, Spam filters are often attacked by Spammers in the hope that the filter will become overwhelmed by a huge spike in traffic. Spammers count on the filter to fail safe (allow all e-mail, including spam, through the filter). |
| Phishing Scams | Reject | How much is your identity worth? To your bank, your account number and PIN might be worth $1,000 per day in bank transfers. Phishing is a social engineering attack that attempts to get people to divulge sensitive personal information through bogus web sites (made to look like legitimate on-line banks, retailers, service providers, etc.). |
This chart shows a typical breakdown of wanted vs. unwanted messages on a PerfectMail e-mail
security appliance. It is common for the proportions of e-mail categorized as Reject, RBL
and Relay to change dramatically.
On most PerfectMail appliances, Accepted e-mail is normally under 20% of all e-mail
connections (12.13% in this case), while Tag messages (higher scoring but still accepted) are
usually under 1%. Rejected messages (messages refused due to unwanted content, obfuscation, or
unverifiable headers) make up 8.5% of traffic in this example.
Legitimate E-Mail
Surprisingly enough, legitimate e-mail needs to be defined. We define legitimate e-mail as any
e-mail for which you provided (explicit or implicit) permission to receive. You can provide
permission by:
- Sending an e-mail to someone hoping they respond. When they do respond, that message is
wanted.
- Responding to an e-mail that someone sends you (you don't reply to Spam, do you?)
- Opting in to an e-mail newsletter or some other mass mailing from an organization with
which you are familiar
Unfortunately, many marketers believe that e-mail advertising is legitimate as long as the
sender clearly identifies himself and his message, and provides instructions for removing your
e-mail address from their mailing list. You must opt out to stop them.
Legitimate e-mail is usually no more than 5-25% of all e-mail traffic.
Spam
"You need Viagra. Refinance your house. Consolidate debt... Buy my penny stock... Visit my
adult web site. Faux Designer Watches..." Is there anyone who hasn't received such messages?
Spam is a numbers game and the preferred tool for 21st century snake oil marketers. It is
cheap, high volume, nearly immune to prosecution and can be used to pitch absolutely anything.
Spammers spam because people buy! A 2004 study found that more than 4,000,000 Americans
admitted to purchasing products or services marketed by spam.
Always remember, the primary purpose of spam is to get you to open your wallet; everything
else is secondary. And consider yourself lucky if you end up with a fake product or short a
few dollars on a transaction. Identity theft is rampant, and you could lose a lot more than
the cost of an imitation watch (see Phishing, below).
About 10-50+% of all e-mail is unsolicited bulk e-mail - Spam.
E-Mail Address Harvesting
It is estimated that Spammers must send out between 10,000 and 50,000 messages to make one
sale. Since spamming is a volume game, Spammers must constantly improve their e-mail address
lists to solicit new victims.
Spamming is very similar to telemarketing, but far less ethical. Since a Spam campaign is only
as good as the e-mail address list on which it is based, Spam lists must contain a very high
percentage of valid e-mail addresses to be effective. Since people routinely change e-mail
address, Spammers work diligently to add to and update their lists. Spammers harvest e-mail
addresses from web sites, news groups, discussion forums, chain letters - any source they can.
All they really care about is... Is there a pair of eyes watching this e-mail address?
One source of new e-mail addresses that Spammers use (and one that remains unseen until it is
too late) is e-mail harvesting. Spammers use networks of fast, Internet-connected computers to
send mail to random e-mail addresses at your mail server. They may have to generate over 10,000
random e-mail addresses before they get a single hit, but they know that it is just a matter of
time before they find a new victim.
If you've ever seen an e-mail account go from no Spam to hundreds of Spam messages in a day,
then you have seen the result of e-mail harvesting. At its worst, e-mail harvesting is potentially
deadly for your e-mail server. Spammers occasionally ratchet up their harvesting attacks to
the point where the amount of e-mail traffic exceeds your mail server's ability to handle it.
When this happens, your mail server may slow down (taking hours to send legitimate messages) or
even crash.
At XPMsoftware, we've seen e-mail harvesting attacks increase the daily volume of e-mail on
our mail server by 1,000%! We have also seen a single e-mail harvesting engine send over 16,000
e-mail harvesting requests to a mail server in an hour (that is about 4.5 per second). It doesn't
take many machines working in unison to overwhelm an unprepared mail server, and an
unprotected mail server is unprepared.
Depending on circumstances, e-mail harvesting could account for 5-99+% of all e-mail activity.
Open Relay Attempts
To make money at spamming, you need to send out millions of e-mails. If you do that from your
own computer, you risk the wrath of your Internet Provider and all of the people you spammed.
If you take over another person's machine, you could:
- Steal their network bandwidth.
- Steal the use of their computer to do your dirty work.
- Remain anonymous to the people you annoy.
- Make money by selling your network of e-mail relays to other spammers.
All at little to no cost to yourself!
Spammers are constantly on the search for machines to hijack. One of the simplest ways to use
another machine is to simply ask it to "please relay this message". Mail relay gateways are
deployed by most companies and by ISPs. For example, ISPs often force customers to relay mail
through their mail server as a means to combat spam. Internally, your organization may run
many mail servers but use only one or two to relay through to the Internet.
Spammers constantly scan for improperly configured mail servers. If they find one that allows
relaying, they may be able to blast a million messages per day through the open relay before
it is shut down. Open relays are such a problem that there are web sites (called ORBS, or Open
Relay Block lists) dedicated to identifying open relays.
Properly configured mail servers are usually set to query ORB lists as a way to defend against Spam.
Since the window of opportunity to abuse an open relay may be very small, Spammers are
constantly checking to see if your server is vulnerable. You can tell if you are being probed
by looking in your e-mail logs for messages where the sender name is "<>" and the recipient
isn't in your domain.
Relay probes may make up as little as 5% or as much as 75+% of all of your e-mail traffic.
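The two log patterns described above, a relay probe (sender "<>" with a recipient outside your domain) and a harvesting run (one client guessing at non-existent users, from the E-Mail Address Harvesting section), can be picked out of a mail log with a short script. The following is an added example, not XPMsoftware's or PerfectMail's code; the log line format, the local domain example.com, the sample lines and the threshold of three unknown-user rejects per client are all constructed assumptions.

```python
# Added example: the log format is a constructed, simplified one, not any
# real MTA's syntax; the local domain and threshold are assumptions.
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for
HARVEST_THRESHOLD = 3            # assumption: unknown-user rejects per client before flagging

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
10:00:01 client=203.0.113.5 from=<> to=<bob@example.net> result=relay-denied
10:00:02 client=198.51.100.9 from=<ads@spam.example> to=<aaron@example.com> result=user-unknown
10:00:02 client=198.51.100.9 from=<ads@spam.example> to=<abby@example.com> result=user-unknown
10:00:03 client=198.51.100.9 from=<ads@spam.example> to=<abe@example.com> result=user-unknown
10:00:03 client=192.0.2.44 from=<alice@partner.example> to=<bob@example.com> result=accepted
10:00:04 client=203.0.113.5 from=<> to=<postmaster@example.com> result=accepted
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> "
                     r"to=<(?P<rcpt>[^>]*)> result=(?P<result>\S+)")

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_relay_probe(rec):
    """Null sender ("<>") to a recipient outside our domains, the pattern the
    article describes. A null-sender bounce to a local mailbox is normal mail."""
    domain = rec["rcpt"].rpartition("@")[2].lower()
    return rec["sender"] == "" and domain not in LOCAL_DOMAINS

def analyze(log_text):
    """Return clients sending relay probes and clients that look like harvesting engines."""
    probes = []
    unknown_by_client = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if is_relay_probe(rec):
            probes.append(rec["client"])
        if rec["result"] == "user-unknown":  # a guessed, non-existent local user
            unknown_by_client[rec["client"]] += 1
    harvesters = sorted(c for c, n in unknown_by_client.items() if n >= HARVEST_THRESHOLD)
    return {"relay_probes": probes, "harvesters": harvesters}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # {'relay_probes': ['203.0.113.5'], 'harvesters': ['198.51.100.9']}
```

On a real server the threshold should be a rate (the article cites 4.5 harvesting requests per second from a single engine), so feed the script one log window at a time rather than a whole day's log.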
Viruses and Worms
The 1995 movie Independence Day used the premise of a computer virus to allow human beings to
defeat a superior attacking alien force. Computer viruses and worms are so firmly entrenched in
popular culture that most people cannot remember computing without viruses or imagine using a
computer that is immune to worms.
The reality is that the vast majority of successful exploits are perpetrated upon Microsoft
operating systems. This is not so much an indication of Microsoft security as it is a
reflection of Microsoft's 95+% market share. Like Spam, viruses are a volume game. Virus
writers launch viruses to take over people's PCs. The more PCs you attack, the more
machines you will compromise.
Viruses may occasionally result in data loss or a denial of service of the infected machine.
Their real objective is to take over the machine and place it under the control of the virus
perpetrator. Anecdotal evidence indicates that once in control of a bot army, virus authors
sell access to their enslaved machines to spammers.
There are always active viruses. It is not uncommon for a mail server to receive dozens,
hundreds or more infected e-mail messages per day. Whether those messages cause any harm or
not depends on how well defended your network is against attack. A layered defense with antivirus
capabilities at the edge of your network, at your mail server and on the desktop is the best
way to ensure that viruses are caught and defeated before they cause any harm.
During quiet periods, a mail server may receive a few tens to hundreds of virus infected
messages per day. During virus outbreak periods, you could receive more than that an hour.
Denial of Service Attacks
Why do Spammers occasionally hose your mail server with thousands of messages?
Spammers know that antispam products are programmed to fail-safe, so if an antispam product
fails, all e-mail is passed through to the back end mail server(s). How bad can it get? In one
case, I have seen legitimate e-mail at less than 1% of all e-mail activity. While this number
is extreme, we have observed situations where spammers have increased the volume of malicious
e-mail by 1,000% and sustained the increased traffic for days or weeks.
Phishing Attacks
Phishing is the name given to social-engineering attacks designed to trick the recipient out
of some critical, personal information. Anyone who has received a request to update their
bank records, verify their PayPal™ account or otherwise divulge personal information, has been
exposed to a Phishing threat.
Phishing is possible because anyone can copy any web image into a site they create.
Consequently, it is very easy for a criminal to build a website that looks very much like the
site they are copying.
Recent evidence indicates that Phishing attacks are becoming more focused and sophisticated.
However, there are automated techniques to detect and prevent Phishing messages. Furthermore,
no reputable online property would ever e-mail you asking you to divulge your personal
information.
It is not uncommon for a user to receive 10 or more Phishing messages per day.
Summary
Your mail server is exposed to a variety of threats, all designed to facilitate the delivery of
Spam. Typically, 80% or more of all e-mail connections to your mail server are unwanted. Mail
servers and e-mail client software contain limited defenses against Spammers and their tricks.
For e-mail to remain effective, competent antispam and antivirus solutions must be added to
your e-mail infrastructure.
© 2006 by Larry Karnis and XPMsoftware. All rights reserved. Permission is hereby granted to
quote from this article in whole or in part, or to reproduce this article by any means, as long as
the author and XPMsoftware receive appropriate attribution.
About the Author
Larry Karnis is the president of XPMsoftware, the developer of PerfectMail Antispam and
Antivirus appliances. Larry has spent the last 5 years focused on e-mail security and e-mail
security solutions. Before that, Larry worked as an IT infrastructure and security consultant.
Comments on this article should be directed to lkarnis@xpmsoftware.com.