Attack Points

In order to launch an attack on a mail service, the attacker needs to select a section of the mail flow to exploit and focus on it. For example, many of today's mail service attacks focus on ways to let attackers send more mail traffic through the Internet while evading responsibility, using techniques such as spoofing to make the messages difficult to trace. Spamming does not represent a direct attack on any piece of the mail flow infrastructure; instead, it is an abuse of it. Spammers profit by utilizing other companies, resources, and systems to funnel their unwanted e-mail messages out to the world. Depending on the end goal, different attacks will target mail services in varied ways. If we break down the mail flow into key architectural components, it can be summed up to include the following attack points:

  • Messaging servers
  • Addressing
  • System users
  • Infrastructure services

In the following sections, we will briefly review each of these and touch upon possible attack mechanisms.

Messaging Servers

Messaging servers are the most commonly attacked piece of the mail flow architecture. Attacks that may be targeted at messaging servers include DoS attacks, mail relay attacks, buffer overrun attacks, mail loops, SMTP Auth attacks, spam, and viruses.

Addressing

Every e-mail message that goes out into the Internet for delivery must be addressed with recipient information. E-mail messages can contain various types of addresses, such as To, From, Carbon Copy, and Blind Carbon Copy. Attackers may choose to manipulate addresses in an e-mail message in a number of ways, all with the aim of achieving the message routing behavior they desire.

Attackers may choose to manipulate source or destination information. Source information is typically changed to make tracking the message back to its point of origination challenging, if not impossible. However, changing source information may have other purposes as well, such as in an NDR attack. Spoofing is the term used to describe the manipulation of address information, and many attacks utilize some form of spoofing as part of their attack approach. Examples of attacks that include spoofing to some degree are NDR attacks, DoS, mail loops, phishing, and spam.
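To make the source-address manipulation described above concrete from the defender's side, the following Python check is an added example, not code from the original text. It compares the visible From address with the Return-Path and Reply-To headers (standard mail headers that the text does not name); the sample messages, domains, and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic); all domains are placeholders.
SAMPLES = {
    "consistent": (
        "Return-Path: <alice@example.com>\n"
        "From: Alice <alice@example.com>\n"
        "To: bob@example.org\n"
        "Subject: Status report\n\nHello\n"
    ),
    "spoofed_from": (
        "Return-Path: <bulk@mailer.example.net>\n"
        "From: \"IT Help Desk\" <helpdesk@example.org>\n"
        "Reply-To: collect@example.net\n"
        "To: bob@example.org\n"
        "Subject: Password expiry\n\nHello\n"
    ),
    "null_sender": (
        "Return-Path: <>\n"
        "From: postmaster@example.com\n"
        "To: bob@example.org\n"
        "Subject: Undeliverable\n\nHello\n"
    ),
}

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def address_findings(raw_message):
    """List source-address inconsistencies worth an analyst's attention."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if not from_dom:
        findings.append("missing-or-unparseable-from")
    if msg["Return-Path"] is not None and not env_dom:
        findings.append("null-envelope-sender")  # normal for NDRs/bounces
    elif env_dom and from_dom and env_dom != from_dom:
        findings.append("from-vs-return-path-mismatch")
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append("reply-to-diverges-from-from")
    return findings
```

A mismatch is a signal to investigate rather than proof of spoofing, since mailing lists and bulk-mail providers legitimately send with a Return-Path domain that differs from the From domain.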

System Users

Every administrator deals with users, and all administrators get frustrated with them from time to time. The frustration often isn't unwarranted, either. Attacks that target users include phishing and social networking, and they are much more difficult for messaging administrators to defend against.

Infrastructure Services

Exchange depends on infrastructure services such as AD and DNS to function properly. An attacker may seek to disable messaging in an organization, or may instead prefer to redirect or simply disrupt it. By attacking AD or DNS, an attacker who succeeds can indirectly impact Exchange.

Some of the common AD attacks include DoS attacks and directory harvest attacks. A DoS attack may also be issued against an e-mail server directly, but by targeting AD, the attacker has the potential to cause problems for many applications, instead of causing problems purely for Exchange.

One interesting thing about attacking the infrastructure services that support mail flow is that this approach allows an attacker to broaden his horizons when searching for exploits. The potential for vulnerabilities across multiple products and services increases the attacker's probability of success. Also, because mail services rely on these other services, the messaging administrator now has more to safeguard in order to prevent these types of attacks.
