Chapter 4. Exchange Server – Mail Service Attacks

Information in This Chapter

  • How Mail Service Attacks Work
  • Dangers Associated with Mail Service Attacks
  • The Future of Mail Service Attacks
  • Defenses against Mail Service Attacks

In today's world, sending and receiving e-mail messages has become an integrated and critical part of daily communication. Each and every day, billions of messages are sent all around the world among dissimilar e-mail systems, residing on different e-mail platforms, which are then accessed by various types of e-mail clients. Regardless of the many diverse components involved, e-mail flows among the systems relatively seamlessly. There are many technology components that contribute to the successful sending and receipt of an e-mail message, including the e-mail server, client, and protocols, each of which may be vulnerable to different types of attacks.

In this chapter, we will review some of the most common attacks occurring today, and also review defenses that can be enacted to protect your environment against them. We will focus our discussion on Microsoft Exchange Server while we touch upon different mail service attacks that may be executed against different parts of the mail flow architecture. Understanding each of the components that must work together for an e-mail to flow will allow you to better understand how mail service attacks may impact your environment.

Microsoft released Exchange Server 4.0 in 1996, and since then it has come a long way to become a solid enterprise messaging and collaboration platform. The current versions of Exchange Server include Microsoft Exchange Server 2003, 2007, and the most recent Exchange Server 2010 that was released in November 2009.

When Exchange Server debuted in 1996, it included a single database store that had user accounts associated with mailboxes. Exchange was originally built to house its own user directory, and this directory was utilized to grant permissions and gain access to mailboxes created in the system. Today, instead of maintaining its own user database, Microsoft Exchange Server integrates into Microsoft Active Directory (AD). User accounts are created and stored centrally in AD while Exchange Server maps its mailbox-specific information to user accounts, which exist in the AD database. As we will see, mail service attacks can focus on nearly any piece of the mail-flow architecture, including directory services. A directory harvest attack attempts to collect information about what is stored in the directory. Specifically, directory harvest attacks focus on determining valid e-mail addresses in the environment. These e-mail addresses can then be targeted with spam and other types of unsolicited e-mails. We will discuss directory harvest attacks in more detail in Scenario 1 of the section “Directory Harvest Attacks” of this chapter.

In addition to relying on AD services, Exchange Server requires other infrastructure services such as Domain Name Services (DNS). Also, for sending and receiving e-mail, Exchange Server takes advantage of industry standard protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3), and Internet Message Access Protocol (IMAP4). SMTP is used to send e-mail messages, whereas POP3 and IMAP4 are used to retrieve them. All three protocols rely on DNS for name resolution. SMTP uses DNS to determine the target mail server for message delivery by resolving the mail exchanger (MX) records of the recipient's domain. This dependency makes e-mail systems indirectly vulnerable to DNS attacks such as cache poisoning attacks.

Cache poisoning attacks function by intentionally causing a DNS server to cache misrepresented information, such as the wrong Internet Protocol (IP) address for a particular domain name. When a query is issued to determine the MX record for a target domain name, the DNS server will respond with the wrong address because its cache has been poisoned. Since the mail server is unaware that it has been given misinformation, it will connect to the resolved address and deliver the e-mail messages. In this manner, cache poisoning can allow an attacker to redirect e-mail messages to an unauthorized messaging server. SMTP is also susceptible to more direct attacks, including mail relay attacks and SMTP Auth attacks. We will discuss both of these attacks in the section “Dangers Associated with Mail Service Attacks” of this chapter.

POP3 and IMAP4 are the protocols used to retrieve e-mail messages from an e-mail server, and implementations of each have had documented vulnerabilities in the past. Since these protocols are used to access e-mail, the services are listening for client connections, which makes them viable targets for attacks such as denial of service (DoS) or buffer overrun attacks. DoS attacks occur when an attacker attempts to overwhelm a target system and cause it to fail. Most of these attacks involve sending a flood of requests to the target system, scaled well beyond what the system is designed to handle. If the attack is successful, the target system is incapacitated and therefore unavailable to service valid client connections. For more information on DoS attacks, refer to Chapter 1 of Seven Deadliest Network Attacks by Stacy Prowell (Syngress, ISBN: 978-1-59749-549-3).

Buffer overrun attacks attempt to achieve the same end result, but the approach is different. A buffer overrun attack feeds the targeted service more data than its memory buffer was sized to hold, so that the excess is written inappropriately into adjacent random access memory; attackers often use this to execute their own code on the targeted system. The impact can include errors in program execution and conflicts with other system components, ultimately incapacitating the target system. One thing to note with both POP3 and IMAP4 is that they are not enabled by default in the newer renditions of Exchange Server.

Since Microsoft has moved to a secure-by-default model, many superfluous components are disabled by default. In most corporate messaging environments, Exchange Server typically is coupled with Microsoft Outlook as a client access system. Microsoft Outlook has the capability to be configured with POP3 or IMAP protocols, but it is more often configured to utilize Messaging Application Programming Interface (MAPI) to gain access to the user's mailbox on the messaging server. Since MAPI is normally in use in Outlook-based corporate messaging environments, POP3 and IMAP4 are typically not required and therefore are disabled on the Exchange servers by default.

Another common action performed by attackers is called spoofing. When attackers want to make their origin difficult to trace, they will generally hide their source address information by spoofing. Spoofing involves replacing the address information in the e-mail message so that invalid or fictional addresses are displayed instead of the legitimate source address. Spoofing is often used to cover tracks; in addition, it may also be used to gain the recipient's trust. By impersonating a bank, school, or a government agency, the attacker makes it much more likely that the recipient will recognize and trust the e-mail message. If the message is considered trusted, the recipients will open the message to read it and perhaps unwittingly unleash a worm, a virus, or a Trojan on their system.

In addition, many other attack types, such as phishing and non-delivery report (NDR) attacks, may utilize address spoofing in order to abuse the trust a user places in a specific source address. Phishing scams will often use address spoofing to impersonate well-known entities and then abuse that trust by attempting to obtain personal information such as bank account numbers and credit card details from targeted users. An e-mail message stating “send me your account password” or “please respond with your full account number” is more likely to be trusted if received from a well-known entity such as Capital One or Citibank. By spoofing the source address to a well-known value, users may be compelled to follow the instructions in these bogus spam messages, whereas if the return address is unrecognized, they are more likely to be hesitant and suspicious.

Some attacks will utilize other attacks’ methods in order to achieve their end results. NDR attacks are a good example of this since they actually depend on address spoofing to accomplish their goal. An NDR is an e-mail message generated by a messaging system indicating that the destination e-mail address does not exist and the e-mail message cannot be delivered. The NDR is generated and forwarded to the sender of the message, indicating that even though the e-mail message arrived successfully at the target messaging system responsible for the domain name, the username indicated on the mail message does not exist in the target mail infrastructure.

When an NDR attack is launched, e-mail messages with spam content are created and addressed to fictional addresses in a target enterprise. The messages arrive at the target, and since the addresses do not exist in the environment, the messaging system will generate an NDR, typically with the original message attached, to be directed back to the source, one for each message addressed to a fictional recipient. This doesn't seem like anything out of the ordinary until we study the source address more carefully.

The sneaky part of an NDR attack is that the source address on each of the original messages has been spoofed to represent a legitimate e-mail address existing on some other mail infrastructure. So the outcome of the scenario is that when the NDRs are generated by the target system they will then be transmitted to the spoofed sending address and each NDR, containing the original spam message as an attachment, will be delivered to an unsuspecting user (see Figure 4.1).

FIGURE 4.1. NDR Attack Process

The hope is that the users may mistake the NDR as being a response to one of their own messages and proceed to open it, thereby achieving the goal of presenting the users with the spam message without it being traceable back to the source. In many ways, NDR attacks are similar to mail relay attacks, albeit more indirect. By creating spam messages that contain completely falsified address information, an NDR attack uses one legitimate mail system to deliver spam to another legitimate mail system by way of NDR messages. Essentially, your servers are used as a dispatch point to propagate spam out to the rest of the world, unbeknownst to you as the system owner.
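One defensive check that follows from the mechanism just described: because the NDR returns the "original" message, and in an NDR attack that original was forged rather than sent by your users, an inbound bounce can be classified by comparing the returned Message-ID against the sending server's own log. The code below is an added example, not from the book; SENT_MESSAGE_IDS, the constructed sample bounce and the domain names are assumptions.

```python
# Classify inbound NDRs to spot backscatter from the NDR attack described above.
# Added example, not from the book. A standards-based bounce (multipart/report)
# carries the undeliverable original as a message/rfc822 part; in an NDR attack
# that "original" was forged, so its Message-ID is absent from our outbound log.
import email
from email import policy

# Hypothetical stand-in for the sending MTA's log of Message-IDs it emitted.
SENT_MESSAGE_IDS = {"<legit-0001@example.com>"}

# Constructed sample: a bounce for spam that was forged with our user's address.
SAMPLE_NDR = b"""\
From: Mailer-Daemon@target.example
To: victim@example.com
Subject: Undeliverable: Cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@target.example
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: victim@example.com
To: nobody@target.example
Message-ID: <spam-9999@spammer.invalid>

Buy now.
--b1--
"""

def original_message_id(ndr):
    """Return the Message-ID of the returned original message, or None."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the single embedded message
            return str(original.get("Message-ID", "")).strip() or None
    return None

def classify_bounce(raw):
    """Return 'not-a-bounce', 'legitimate-bounce' or 'backscatter'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    # A bounce for a message we never sent (or whose original was stripped)
    # is backscatter: quarantine it instead of delivering it to the user.
    if original_message_id(msg) in SENT_MESSAGE_IDS:
        return "legitimate-bounce"
    return "backscatter"
```

In a real deployment the Message-ID set would be fed from the outbound transport log; bounces that arrive without any returned original cannot be verified and are treated as backscatter here.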

The principal distinction between an NDR attack and a mail relay attack is the indirect nature of the NDR attack. NDR attacks utilize the innate behavior of a mail system that has received a badly addressed message to respond with an NDR as a means of delivering a spam message, while in a mail relay attack scenario the messaging system must allow a foreign system to request message delivery to external domains directly. As we will see, mail relay attacks can be destructive to the mail system owner and a nuisance to the recipients targeted by malicious mail relay. In order to reduce the success probability of these attacks, Microsoft has taken steps to make Exchange secure by default. Because it trusts only other Exchange servers within the organization by default, Exchange will not natively relay mail. Connectors must be created to allow mail relay, and as an administrator you are advised to allow relaying only from trusted sources.

In general, as the messaging administrator you should take steps to help protect against mail service attacks. In the following sections, we will review how mail service attacks work and discuss some of the common mail service attacks, their dangers, and their future outlook in more detail. Finally, we will also review possible defenses that can help you to secure your environment against these malicious attempts.
