
Spammers hijack authentication mechanisms to send malware

By Anne Saita, News Director
10 May 2006 | SearchSecurity.com


Malware writers have created automated attacks that use a company's e-mail authentication system to send spam masquerading as trusted traffic. Once a compromised desktop is shut down, another appears instantly as a new spam relay, suggesting the hacker underground has refined a technique previously seen only on a small scale.

"It's very likely this will be commoditized quickly," said Peter McNeil, chief science officer for Gulf Breeze, Fla.-based AppRiver LLC, a content filtering vendor that blocks spam through its e-mail security managed services. "There are a wide range of people who send out spam through viruses. It starts at the high end, with the people that write viruses and create password cracking software. Once the software's written, it's instantly available to the low-end [script kiddies], where they can just download it. At that point, the capability is largely available to anyone interested in doing it."

McNeil said such tactics have existed on a small scale for some time, but recently a company's e-mail system was compromised and some longtime, well-trusted users began sending out millions of e-mails through an authenticated channel. As soon as e-mail administrators realized what was happening, they shut down the compromised account, and another instantly took over, shooting out junk e-mail.

McNeil suspects the culprits used run-of-the-mill password recovery or cracking programs or network sniffers to grab the information needed to corrupt the authentication process.

Over time, such an automated attack could make current sender repudiation services ineffective since malicious messages would be difficult to differentiate from legitimate traffic.

"If a trusted system can be used to send out spam and viruses and any other malware, and that's behind a server signed up to be trusted, then that repudiation can be leveraged" to compromise systems, McNeil said.

McNeil advises enterprises to take basic precautions, including blocking port 25 to any external servers and demanding authentication to any servers they support. In addition, administrators should carefully monitor messaging systems for any aberrant behavior, such as a desktop that suddenly starts sending out thousands of messages.

"Watch out for any system sending out more e-mail than it should or sending it out to places it normally wouldn't," he warned.

Another potentially effective mitigation is tarpitting, which uses several different methods to slow the transmission of e-mail messages sent in bulk. The intent is to maintain a high quality of service for legitimate users through selection and exemptions, while blocking any address sending out an unusual message load.
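The monitoring and tarpitting advice above can be sketched as a per-account check over authenticated-submission logs. This is an added example, not code from the article or from AppRiver; the log format, account names, thresholds and the doubling delay schedule are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # sliding window for the rate check
LIMIT = 5                             # mails per window before tarpitting (small, for the sample)
MAX_DELAY = 30.0                      # cap on the per-message delay, in seconds
EXEMPT = {"newsletter@example.com"}   # assumed legitimate bulk sender
BASELINE = {u: {"partner.example"} for u in
            ("alice@example.com", "bob@example.com", "newsletter@example.com")}

def sample_log():
    """Constructed log, 'ISO-timestamp auth_user recipient' (hypothetical format)."""
    t0 = datetime(2006, 5, 10, 9, 0, 0)
    def line(offset, user, rcpt):
        return f"{(t0 + timedelta(seconds=offset)).isoformat()} {user} {rcpt}"
    log = [line(0, "alice@example.com", "pat@partner.example"),
           line(1800, "alice@example.com", "lee@partner.example")]
    # bob's account bursts 9 mails in 80 seconds to domains he never writes to
    log += [line(10 * i, "bob@example.com", f"u{i}@bulk{i % 3}.example") for i in range(9)]
    log += [line(5 * i, "newsletter@example.com", f"s{i}@partner.example") for i in range(8)]
    return log

def analyze(lines, baseline):
    """Return (alerts, delays): ordered (user, reason) alerts and the largest
    tarpit delay, in seconds, computed for each throttled user."""
    recent = defaultdict(deque)       # user -> send times still inside WINDOW
    alerts, delays, seen = [], {}, set()
    for entry in lines:
        stamp, user, rcpt = entry.split()
        ts, domain = datetime.fromisoformat(stamp), rcpt.rsplit("@", 1)[1].lower()
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:     # drop sends that aged out of the window
            q.popleft()
        # "Sending to places it normally wouldn't": first mail to an unseen domain
        if domain not in baseline.get(user, set()) and (user, domain) not in seen:
            seen.add((user, domain))
            alerts.append((user, "new-domain:" + domain))
        # "Sending more than it should": tarpit non-exempt senders over the limit
        excess = len(q) - LIMIT
        if excess > 0 and user not in EXEMPT:
            if user not in delays:
                alerts.append((user, "rate"))
            # Assumed schedule: delay doubles per mail over the limit, capped
            delays[user] = max(delays.get(user, 0.0), min(MAX_DELAY, 2.0 ** excess))
    return alerts, delays

if __name__ == "__main__":
    print(analyze(sample_log(), BASELINE))
```

In the constructed sample only the bursting account is alerted on and delayed; the exempt bulk sender and the normal user pass untouched, which is the selection-and-exemption behavior the tarpitting paragraph describes.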

This article originally appeared on SearchSecurity.com.
