
What E-Mail Hackers Know that You Don't

This document outlines how hackers exploit vulnerabilities in e-mail systems and describes the widely available hacking tools they use. As a collection of already published risks to e-mail security, this white paper is written to educate IT security managers on the challenges they face.

E-Mail Security Challenges

E-mail systems such as Microsoft Exchange, Lotus Notes and GroupWise were built with a single purpose in mind: accept and send the maximum amount of mail, and route that mail as efficiently as possible. Without question this has succeeded; e-mail is the most commonly used business communication tool on the planet, and its use is projected to keep rising. At the time of writing the volume of e-mail sent worldwide is more than 50 billion messages per day, a figure expected to double by 2008.

E-mail's continually growing popularity makes it an increasingly attractive target for individuals seeking to do harm, either for their own misguided personal satisfaction or, more likely, for financial gain. The first e-mail hackers found simple vulnerabilities in the operating systems and protocol stacks of e-mail systems and exploited these known weaknesses. Now, however, hackers and virus writers have become specialists, constantly developing new methods of overcoming the improvements in today's security systems. The game of cat-and-mouse is unlikely to end any time soon, if ever: with every improvement in defensive techniques, hackers and virus writers modify their tactics to circumvent those defenses and wreak havoc on corporate networks.

Vulnerabilities of E-Mail Systems

Along with the many conveniences and efficiencies that e-mail brings to an organization, there are some inherent risks and vulnerabilities:

TCP & UDP Communications Protocols

Internet communications protocols were designed to enable seamless communication among multiple machines.
As a result, hackers exploit the open nature of these protocols to attack organizations. TCP/IP was designed before there was much experience with the wide-scale hacking seen today, and as a result it has a number of general security weaknesses.

The first level of attack is discovering which services exist on the target network. A number of techniques are used to gather data on the remote network, including:

• Ping Sweeps – Pings a range of IP addresses to find which machines are active. Sophisticated scanners use other protocols (such as an SNMP sweep) to do the same thing where ICMP is blocked.
• TCP Scans – Probes for open (listening) TCP ports, searching for services the intruder can exploit. Scans can use normal TCP connections or "stealth" scans: half-open (SYN) scans that never complete the handshake, so the application behind the port never sees a connection to log, or FIN scans, which send a FIN to a port that was never opened and rely on closed ports answering with a RST while open ports stay silent (some TCP stacks, notably Windows, answer the same way for every port, so a FIN scan learns nothing there).
• UDP Scans – Sends a garbage UDP packet to the desired port. Most machines respond with an ICMP "destination port unreachable" message when no service is listening at that port; silence means the port is either open or filtered. These scans are harder to interpret because UDP is connectionless and an open port need not reply at all.
• OS Identification – Identifies the operating system and applications by sending crafted TCP packets. Each operating system's unique responses form a signature that hackers use to determine what the target machine is and what may be running on it.

Hackers are free to forge and change IP data with impunity

A range of attacks take advantage of the ability to forge (or "spoof") an IP source address. A source address is sent with every IP packet, but it is not used to route the packet to its destination, and nothing on the path verifies it. The attacker can therefore forge the source address and attack the remote server while pretending to be someone else.
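The service-discovery techniques listed above, as an added example that is not part of the white paper: a TCP connect() scan and a UDP probe in Python against a throwaway listener the script starts itself on 127.0.0.1, so it runs offline and without privileges. The port-state names (open / closed / filtered, and open|filtered for UDP) are the usual scanner vocabulary; a half-open SYN scan is described in the comments but not implemented, since it needs raw sockets and root.

```python
"""TCP connect() scan and UDP probe against a throwaway local target.

Added example; it is not code from the white paper. To stay offline it scans
only 127.0.0.1 and a listener the script starts itself."""
import socket


def start_tcp_listener():
    """Start a throwaway TCP service on a kernel-chosen port (the constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Ask the kernel for a free port and release it again: a port with nothing listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port. Reliable and unprivileged, but every
    probe reaches the service, which may log it; a half-open SYN scan avoids
    that by never sending the final ACK and needs raw sockets (root)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"          # SYN/ACK came back, handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back: nothing listening
        except OSError:                     # includes socket.timeout
            results[port] = "filtered"      # no answer: dropped by a filter, or host down
        finally:
            s.close()
    return results


def udp_probe(host, port, timeout=0.5):
    """Send one garbage datagram. A closed port normally answers with ICMP port
    unreachable, which the kernel reports on a *connected* UDP socket as
    ECONNREFUSED (an unconnected socket silently discards the ICMP error).
    Silence is ambiguous (open|filtered): UDP has no handshake to prove a listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")
        s.recv(1024)                        # only a service that answers gets here
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "open|filtered"
    finally:
        s.close()


def scan_demo():
    """Run the scan against the constructed target and return the findings."""
    srv, open_port = start_tcp_listener()
    try:
        closed_port = find_closed_port()
        tcp = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        udp = udp_probe("127.0.0.1", closed_port)
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "tcp": tcp, "udp_closed_port": udp}


if __name__ == "__main__":
    for key, value in scan_demo().items():
        print(key, value)
```

On a host that sends ICMP port unreachable the UDP probe reports the unused port as "closed"; where ICMP is rate-limited or filtered the same probe reports "open|filtered", which is exactly the ambiguity the list above describes. Note that the listener's port shows as "open" even though nothing ever calls accept(): the kernel completes the handshake from the backlog, so a connect() scan finds the service without the application being involved.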
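To make the forgeable source address concrete, an added example (not from the white paper) that builds an IPv4 header in memory with a source address of the attacker's choosing, and the ingress-filter check an edge router applies to catch it. Nothing is sent. The 10.0.0.0/8 "inside" prefix, the addresses and the filter wording are assumptions for the example; the checksum is the RFC 791 header checksum.

```python
"""Forged IPv4 source address, and the ingress filter that stops it at the edge.

Added example, not from the white paper. The header is built in memory only;
the only field that ties it together is the checksum, which the sender computes
itself, so the source field can hold any value."""
import ipaddress
import struct

INSIDE = ipaddress.ip_network("10.0.0.0/8")        # assumed internal prefix
IPPROTO_ICMP = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto=IPPROTO_ICMP, payload_len=0, ttl=64, ident=0):
    """20-byte IPv4 header, no options. Routers forward on dst alone and never
    check src, so whatever the sender writes there travels to the destination."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields the filter needs; a header with a valid checksum sums to zero."""
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
            "ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "checksum_ok": ipv4_checksum(hdr[:20]) == 0}


def ingress_filter(hdr: bytes, from_outside: bool) -> str:
    """Edge-router decision in the style of BCP 38. Packets arriving from the
    Internet may not claim an inside source; packets leaving must carry an
    inside source; and ICMP echo to the inside broadcast address is the smurf
    amplifier, so it is dropped regardless of direction."""
    p = parse_ipv4_header(hdr)
    if not p["checksum_ok"] or p["version"] != 4:
        return "drop: malformed header"
    if from_outside and p["src"] in INSIDE:
        return "drop: outside packet claims inside source (spoofed)"
    if not from_outside and p["src"] not in INSIDE:
        return "drop: inside host sending with foreign source (egress filter)"
    if p["proto"] == IPPROTO_ICMP and p["dst"] == INSIDE.broadcast_address:
        return "drop: ICMP to directed broadcast (smurf amplifier)"
    return "accept"


if __name__ == "__main__":
    # Attacker on the Internet pretends to be an inside host.
    forged = build_ipv4_header("10.1.2.3", "198.51.100.7")
    print(parse_ipv4_header(forged)["src"], ingress_filter(forged, from_outside=True))
    # Echo request to the inside broadcast address, source set to the victim.
    amplifier = build_ipv4_header("203.0.113.9", "10.255.255.255")
    print(ingress_filter(amplifier, from_outside=True))
```

The filter can only work at the boundary where the legitimate source range is known; once a spoofed packet is past the first router nothing downstream can tell it from a genuine one, which is why the check belongs on every edge and not just the victim's.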
IP spoofing is used frequently as part of other attacks such as SMURFing, in which a ping is sent to a broadcast address with the source address forged to be the victim's, so that every machine that receives the ping replies to the victim and overloads it (or its link). The defence sits at the network edge: routers should drop packets whose source address could not legitimately arrive on that interface (ingress filtering) and should not forward directed broadcasts.

LDAP/Active Directory accessibility

Many organizations have inbound e-mail gateways tied to LDAP or other directories to validate the legitimacy of inbound e-mail recipients. If the recipient address is valid, the e-mail is forwarded to the addressee; if the address does not exist, a response is returned to the sender notifying them of the invalid address. Hackers exploit this inherent "politeness" of e-mail systems to discover valid addresses. They unleash Directory Harvest Attacks (DHA), in which a program guesses possible e-mail addresses within a domain and attempts to send a message to each. The gateway rejects the addresses that are invalid; by process of elimination, addresses that are not rejected are deemed valid by the hacker, spammer or virus writer and added to their database of legitimate addresses. Servers can be configured not to reject bad addresses, but accepting mail for every address results in a never-ending increase in the mail volume the organization must process. Gateways therefore more commonly limit how many invalid-recipient rejections a single sending host may collect in a given period before it is refused or slowed down.

Social engineering

Unfortunately, the trusting nature of most people makes them vulnerable to social engineering. In these attacks, a hacker may use a tool as simple as an Internet search to find legitimate e-mail addresses within an organization. The hacker then sends an e-mail to a known valid address in order to elicit a response. If a response is received, the hacker examines its headers to determine the path followed by valid mail within the organization: the Received headers name the internal mail servers, their IP addresses and frequently the mail software they run.
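The header examination described above, as an added example that is not part of the white paper: Python that parses the Received headers of a reply, reconstructs the hop-by-hop path the message took inside the organization, lists what an outsider has just learned, and applies the egress rewrite an outbound gateway should perform so the internal hops never leave. The reply message, the hostnames and addresses, and the ".corp.example.com" internal suffix are constructed for the example.

```python
"""Reconstructing the internal mail path from Received headers, and the egress
rewrite that stops the leak.

Added example, not from the white paper. REPLY is a constructed message; the
hosts, addresses and the internal suffix are assumptions."""
import email
import ipaddress
import re
from email import policy

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space

# Constructed: what an attacker sees after an employee answers a probe message.
# Each hop prepends its own Received header, so the top one is the last hop.
REPLY = """\
Received: from mailgw.example.com (mailgw.example.com [203.0.113.10])
\tby mx.attacker.test with ESMTP id 7f3a; Mon, 3 Feb 2003 10:14:02 +0000
Received: from exch01.corp.example.com ([10.1.2.5]) by mailgw.example.com
\twith Microsoft SMTPSVC(6.0.3790.0); Mon, 3 Feb 2003 10:13:59 +0000
Received: from ws1234.corp.example.com ([10.1.7.44]) by exch01.corp.example.com
\twith Microsoft SMTPSVC(6.0.3790.0); Mon, 3 Feb 2003 10:13:55 +0000
From: alice@example.com
To: probe@attacker.test
Subject: Re: quick question

Sure, what do you need?
"""

# "from <host> (<comment>) by <host> with <software> id <id>;" as in RFC 5321 trace fields.
HOP_RE = re.compile(
    r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)\s*(?:with\s+([^;]+?))?\s*(?:id\s+\S+)?\s*;",
    re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal_ip(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_hops(raw: str) -> list:
    """Return the hops in chronological order (originating workstation first)."""
    msg = email.message_from_string(raw, policy=policy.default)   # unfolds header values
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3), "software": (m.group(4) or "").strip() or None})
    return list(reversed(hops))


def leaked_internal_hosts(hops, internal_suffix: str) -> list:
    """Hosts an outsider should never have learned: internal names or internal addresses."""
    leaked = []
    for h in hops:
        if h["from"].endswith(internal_suffix) or (h["ip"] and is_internal_ip(h["ip"])):
            leaked.append((h["from"], h["ip"], h["software"]))
    return leaked


def strip_internal_received(raw: str, internal_suffix: str) -> str:
    """What the outbound gateway should do before the message leaves: drop every
    Received header that names an internal host or an internal address. Kept
    headers are re-added at the end of the header block, so their order moves."""
    msg = email.message_from_string(raw, policy=policy.default)
    keep = [str(v) for v in msg.get_all("Received", [])
            if internal_suffix not in str(v)
            and not any(is_internal_ip(ip) for ip in IP_RE.findall(str(v)))]
    del msg["Received"]                      # removes every Received header
    for v in keep:
        msg["Received"] = v
    return msg.as_string()


if __name__ == "__main__":
    hops = parse_hops(REPLY)
    print(" -> ".join([hops[0]["from"]] + [h["by"] for h in hops]))
    for host, ip, software in leaked_internal_hosts(hops, ".corp.example.com"):
        print("leaked:", host, ip, software)
    print(strip_internal_received(REPLY, ".corp.example.com"))
```

Run on the constructed reply, the path comes out as ws1234.corp.example.com -> exch01.corp.example.com -> mailgw.example.com -> mx.attacker.test, and the leak list hands the attacker two internal hostnames, two 10.x addresses and the exact version of the mail software on both, which is the starting point for the machine-level attacks the next paragraph describes. Stripping internal trace headers at the gateway does not stop the probe e-mail, but it removes what the reply gives away.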
Additionally, this information can be used to set up attacks at the machine level, or over the phone using further social engineering, to glean login/password information.

Misguided belief in the firewall as adequate protection

A common misunderstanding is that firewalls recognize e-mail-borne attacks and block them. Firewalls simply control network-level connectivity and usually apply no scrutiny to traffic arriving on the standard e-mail port (TCP port 25). The firewall administrator adds rules that allow specific types of network-level traffic through. A typical corporate firewall allows mail traffic to pass unimpeded, so in effect the firewall assumes that anything on port 25 is legitimate e-mail. This assumption is badly flawed: an attacker can use port 25 to deliver an attack inside a perfectly normal-looking SMTP session, bypassing any protection the firewall might provide. Such attacks can only be recognized by something that understands SMTP and the message content, such as a mail gateway or content scanner placed behind the firewall.
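The directory harvest attack described earlier, and the point just made that the firewall passes port 25 unimpeded, meet in the SMTP gateway: the recipient validation that leaks the directory, and the guard against harvesting, both live in the SMTP conversation rather than in the firewall. An added example, not from the white paper, that simulates the exchange in Python: the gateway's reply to each RCPT TO, an attacker's harvester working by elimination, and a rejection-rate guard in the two modes the text contrasts (temporary failure versus accept-all). The directory, domain and guess list are constructed; the reply codes follow RFC 5321 conventions, and no network traffic is sent.

```python
"""Directory harvest attack against a recipient-validating gateway, and the
rejection-rate guard that blunts it.

Added example, not from the white paper. DIRECTORY and CANDIDATES are
constructed; the client addresses are assumptions."""
from collections import defaultdict

DIRECTORY = {"alice", "bob", "carol"}         # constructed stand-in for the LDAP/AD lookup


def rcpt_reply(local_part: str) -> str:
    """The unguarded gateway: one directory lookup per RCPT TO, answered honestly."""
    if local_part in DIRECTORY:
        return "250 2.1.5 Recipient OK"
    return "550 5.1.1 User unknown"


class DhaGuard:
    """Count unknown-recipient rejections per client address inside a sliding
    window. Past the threshold the client gets the same answer for every
    recipient, so elimination stops working: '421' (temporary failure, the
    client must come back later) or '250' (accept-all, which hides the
    directory but commits the organization to taking delivery of every guess)."""

    def __init__(self, threshold=5, window=60.0, mode="tempfail"):
        self.threshold, self.window, self.mode = threshold, window, mode
        self.rejections = defaultdict(list)          # client ip -> timestamps of 550 replies

    def rcpt_reply(self, client_ip: str, local_part: str, now: float) -> str:
        stamps = [t for t in self.rejections[client_ip] if now - t < self.window]
        self.rejections[client_ip] = stamps
        if len(stamps) >= self.threshold:
            if self.mode == "accept":
                return "250 2.1.5 Recipient OK"
            return "421 4.7.0 Too many invalid recipients; try again later"
        reply = rcpt_reply(local_part)
        if reply.startswith("550"):
            stamps.append(now)
        return reply


def harvest(candidates, rcpt, start=0.0, interval=0.1):
    """The attacker's side: walk the guess list, one RCPT every `interval`
    seconds, and keep every name the gateway did not reject. The clock is
    passed in so the run is deterministic."""
    valid = []
    for i, name in enumerate(candidates):
        if rcpt(name, start + i * interval).startswith("250"):
            valid.append(name)
    return valid


# Constructed guess list: the attacker runs common first names in alphabetical order.
CANDIDATES = ["aaron", "adam", "alan", "albert", "alex", "alice", "bob", "brian", "carol"]
ATTACKER_IP = "198.51.100.23"                        # assumed


def run_demo():
    """Harvest the same list against the three gateway behaviours."""
    tempfail_guard = DhaGuard(threshold=5, mode="tempfail")
    accept_guard = DhaGuard(threshold=5, mode="accept")
    return {
        "unguarded": harvest(CANDIDATES, lambda n, now: rcpt_reply(n)),
        "tempfail": harvest(CANDIDATES,
                            lambda n, now: tempfail_guard.rcpt_reply(ATTACKER_IP, n, now)),
        "accept_all": harvest(CANDIDATES,
                              lambda n, now: accept_guard.rcpt_reply(ATTACKER_IP, n, now)),
    }


if __name__ == "__main__":
    for mode, found in run_demo().items():
        print(f"{mode:10s} harvested: {found}")
```

Against the unguarded gateway the harvester walks away with exactly the three real mailboxes. With the temporary-failure guard it gets nothing, because after five unknown names every further recipient, real or not, draws the same 421; with accept-all it gets a list polluted by "brian", who does not exist, and the gateway has just agreed to accept mail for him, which is the volume problem the text warns about. A real harvester counters the per-address counter by spreading guesses over many sending hosts and slowing down, so the threshold and window need to be tuned against observed traffic rather than set once.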
Copyright ©2003, part of The YKTA Corporation, and its licensors. All rights reserved.