E-Mail Bomb Hacks
E-mail bombs hack by creating denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space. E-mail bombs can crash a server and provide unauthorized administrator access.
An attacker can create an attachment-overload attack by sending hundreds or thousands of e-mails with very large attachments to one or more recipients on your network.
Attacks using e-mail attachments
Attachment attacks have a couple of goals:
The whole e-mail server might be targeted for a complete interruption of service with these failures:
Storage overload: Multiple large messages can quickly fill the total storage capacity of an e-mail server. If the messages aren’t automatically deleted by the server or manually deleted by individual user accounts, the server will be unable to receive new messages.
This can create a serious DoS problem for your e-mail system, either crashing it or requiring you to take your system offline to clean up the junk that has accumulated.
Bandwidth blocking: An attacker can crash your e-mail service or bring it to a crawl by filling the incoming Internet connection with junk. Even if your system automatically identifies and discards obvious attachment attacks, the bogus messages eat resources and delay processing of valid messages.
An attack on a single e-mail address can have serious consequences if the address is for an important user or group.
Countermeasures against e-mail attachment attacks
These countermeasures can help prevent attachment-overload attacks:
Limit the size of either e-mails or e-mail attachments. Check for this option in your e-mail server’s configuration settings, your e-mail content filtering system, and even at the e-mail client level.
Limit each user’s space on the server. This denies large attachments from being written to disk. Limit message sizes for inbound and outbound messages should you want to prevent a user from launching this attack from inside your network. A few gigabytes is a good limit, but it all depends on your network size, storage availability, business culture, and so on, so think through before putting anything in place.
Consider using SFTP or HTTP instead of e-mail for large file transfers. There are numerous cloud-based file transfer services available. You can also encourage your users to use departmental shares or public folders. By doing so, you can store one copy of the file on a server and have the recipient download the file on his or her own workstation.
Contrary to popular belief and use, the e-mail system should not be an information repository, but that’s exactly what e-mail has evolved into. An e-mail server used for this purpose can create unnecessary legal and regulatory risks and can turn into an absolute nightmare if your business receives an e-discovery request related to a lawsuit.
An important part of your information security program is to develop an information classification and retention program to help with records management. Get others such as your lawyer, HR manager, and CIO involved. This helps spread the accountability around and ensures your business doesn’t get into trouble for holding too many electronic records in the event of a lawsuit or investigation.
Connection attacks through e-mail
A hacker can send a huge number of e-mails simultaneously to addresses on your network. These connection attacks can cause the server to give up on servicing any inbound or outbound TCP requests. This situation can lead to a complete server lockup or a crash, often resulting in a condition in which the attacker is allowed administrator or root access to the system.
Attacks using floods of e-mails
An attack using a flood of e-mails is often carried out in spam attacks and other denial of service attempts.
Countermeasures against connection attacks
Prevent e-mail attacks as far out on your network perimeter as you can. The more traffic or malicious behavior you keep off your e-mail servers and clients, the better.
Many e-mail servers allow you to limit the number of resources used for inbound connections. This setting is called different things for different e-mail servers and e-mail firewalls, so check your documentation. Completely stopping an unlimited number of inbound requests is impossible. However, you can minimize the impact of the attack. This setting limits the amount of server processor time, which can help during a DoS attack.
Some e-mail servers, especially UNIX-based servers, can be programmed to deliver e-mails to a daemon or service for automated functions, such as create this order on the fly when a message from this person is received. If DoS protection isn’t built in to the system, a hacker can crash both the server and the application that receives these messages and potentially create e-commerce liabilities and losses.
This can happen more easily on e-commerce websites when CAPTCHA is not used on forms.
Automated e-mail security controls
You can implement the following countermeasures as an additional layer of security for your e-mail systems:
Tarpitting: Tarpitting detects inbound messages destined for unknown users. If your e-mail server supports tarpitting, it can help prevent spam or DoS attacks against your server. If a predefined threshold is exceeded — say, more than ten messages — the tarpitting function effectively shuns traffic from the sending IP address for a period of time.
E-mail firewalls: E-mail firewalls and content-filtering applications from vendors such as Symantec and Barracuda Networks can go a long way towards preventing various e-mail attacks. These tools protect practically every aspect of an e-mail system.
Perimeter protection: Although not e-mail-specific, many firewall and IPS systems can detect various e-mail attacks and shut off the attacker in real time. This can come in handy during an attack.
CAPTCHA: Using CAPTCHA on web-based e-mail forms can help minimize the impact of automated attacks and lessen your chances of e-mail flooding and denial of service. These benefits come in handy when scanning your websites and applications.