How Mail Service Attacks Work

Mail service attacks may occur at any point in the mail routing and delivery cycle. For example, someone may abuse an Internet-facing smart host to forward malicious e-mail to the Internet, spoof a source address to falsely indicate another party as the sender, or even attempt to collect and then possibly sell a list of a company's valid e-mail addresses. Each of these attacks has a completely different approach and a different intended result. While one attack type may look to propagate unwanted spam throughout the Internet, another may seek financial gain by intercepting sensitive e-mail messages.

Regardless of the intent or the method of manipulation, all attacks depend on having an accessible component of the mail flow architecture to manipulate. With so many interconnected mechanisms involved in e-mail message delivery, if a single element is breached, it has the potential to impact mail flow as a whole. In order to understand how mail service attacks work, you must first understand how mail flow functions.

Mail Flow Architecture

So, let's begin by discussing the sending of an e-mail message and each of the steps involved. When a user decides to send a message, they start the communication process by opening their e-mail client. The e-mail client is one of the components involved in message flow, and the three common client access methods are mobile devices, Web-based clients, and full installation clients.

Once logged into the e-mail client of choice, the user must address the message with the properly formatted e-mail address of the recipient, such as “smeekers@hotmail.com.” All e-mail addresses are composed of two parts: a username and a domain name. In the example above, the portion to the left of the @ symbol, “smeekers,” is referred to as the username, and the portion to the right of the @ symbol, “hotmail.com,” is referred to as the domain name. Both the domain name and the username can be the targets for mail service attacks.

Once a message has been addressed, the user clicks on Send in their client, and the e-mail message is picked up by the mail server to be processed for delivery. The mail server will take the message into a queue and determine where to send the message by passing the message through a routing process. The domain name portion of the e-mail address is typically examined first and is used to determine the next hop for the message. For instance, if the domain name is internal to the organization, the server will route the mail to the appropriate mailbox by next examining the username value in the e-mail address. This will allow the server to decide to which mailbox the e-mail message should be delivered to complete the routing.

If the domain name is not an internal namespace, the mail server will either query DNS for the MX record associated with the domain, in order to determine which server should receive e-mail for that domain namespace, or forward Internet-bound traffic to a configured smart host. A smart host is a system that acts as a proxy, usually residing in the perimeter network, which is responsible for forwarding mail to Internet-facing addresses. Once the next hop has been identified, the server will route the mail message accordingly. This process is repeated for each mail message that is submitted to the mail system for delivery.
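The routing decision described in the last two paragraphs can be sketched as follows. This is an added example, not code from the book; the domains, mailboxes, host names and the in-memory MX table standing in for DNS are all constructed sample values.

```python
# Added illustration of the routing decision: domain first, then username
# (internal) or smart host / MX lookup (external). All data is constructed.
INTERNAL_DOMAINS = {"example.com"}
MAILBOXES = {"example.com": {"alice", "bob"}}
# Stand-in for a DNS MX query: domain -> [(preference, mail host)]
SAMPLE_MX = {
    "example.org": [(20, "mx2.example.org"), (10, "mx1.example.org")],
}


def split_address(address):
    """Split an address into (username, domain) at the last @ symbol."""
    username, sep, domain = address.strip().rpartition("@")
    if not sep or not username or not domain:
        raise ValueError(f"malformed address: {address!r}")
    # Domain names are case-insensitive, so normalise before comparing.
    return username, domain.lower()


def next_hop(address, smart_host=None):
    """Return (action, target) for one recipient address."""
    username, domain = split_address(address)
    # Step 1: the domain name is examined first.
    if domain in INTERNAL_DOMAINS:
        # Step 2: internal domain, so the username selects the mailbox.
        # Assumption: this server matches usernames case-insensitively.
        mailbox = username.lower()
        if mailbox in MAILBOXES[domain]:
            return ("deliver", f"{mailbox}@{domain}")
        return ("reject", "unknown mailbox")
    # Step 3: external domain with a smart host configured: hand it off.
    if smart_host:
        return ("relay", smart_host)
    # Step 4: otherwise look up MX; the lowest preference value wins.
    records = SAMPLE_MX.get(domain)
    if not records:
        # Simplification of this example: no further fallback is attempted.
        return ("defer", "no MX record")
    return ("relay", min(records)[1])


if __name__ == "__main__":
    for rcpt in ("Alice@Example.COM", "carol@example.com", "x@example.org"):
        print(rcpt, "->", next_hop(rcpt))
```

Each branch corresponds to one accessible component of the mail flow: the internal domain list, the mailbox directory, the smart host setting, and the DNS answer.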
