How to recognize targeted destination e-mail attacks

Opinion
Oct 13, 20052 mins

* The need to secure against IP harvesting

In late September, Avinti issued a security alert about targeted destination e-mail, a recently discovered threat to messaging servers. This type of attack uses an IP address that has been harvested from a mail server to directly target another IP address. Instead of directing a broad-based attack to harvested e-mail addresses, such as those gleaned during a directory/dictionary harvest attack, this type of threat specifically targets one or more IP addresses. The danger is that improperly configured gateways can forward unfiltered e-mail directly to an e-mail server, thereby bypassing anti-virus and other security defenses. Avinti discovered the threat in one of its customer’s sites despite the fact that the customer had good security defenses in place.

Signs of a targeted destination e-mail attack include e-mail that is sent to specific IP addresses, an increase in the number of viruses caught by desktop-based virus scanners even though gateway-based anti-virus defenses are in place, and incoming traffic from IP addresses that are not from trusted sources.

Despite the potential severity of this threat, preventing it is quite straightforward: if a company has internal, gateway-based anti-virus defenses, the firewall should direct all Port 25 traffic only to the gateway. For organizations that use a hosted messaging hygiene service, the firewall should be configured to accept SMTP traffic only if it comes from the IP addresses specified by the hosted service provider.

The targeted destination e-mail attack is an interesting tactic for targeting organizations, but is fairly easily defeated. However, despite lots of prompting to do so, some organizations do not lock down public connections and so risk being attacked in this way. Further, for companies that maintain backup MX records in the public DNS, there is an additional vulnerability if there are inadequate security defenses for these records.

Many thanks to those at Avinti, MX Logic, Postini and MessageLabs for their input.