
Monday, August 20, 2007

Email Bombs

This article series is intended to help you understand some of the terms and technologies employed by hackers. With this knowledge, you will be better able to ensure that your computer system (or network if you are a system administrator) is adequately protected and safe from prying eyes and unknown fingers.

Imagine, if you would for a moment, a normal, everyday email server. The server might be for a large corporation, let's call it "Xyz", and let's say it handles 20,000 email accounts. This server is both a post office (it stores email messages for people to pick up at their convenience) and a forwarder (this server accepts messages from users and forwards them along to their destination). In technical terms, this means the server handles both POP3 and SMTP.

Okay, this email server receives perhaps 100,000 messages per day from the internet and within the company. Most of these messages get routed to a local mailbox where users can receive them later. It also sends a large number of messages both internally and to the internet.

Now close your eyes and think what would happen if every person in a foreign country, say China with its huge population, mails ONE email message to that email server. Just one message in a one day period.

The email server would choke and probably crash. It would not help to take the server offline, as SMTP is designed to handle outages - in other words, the email would pile up and as soon as the system came back online it would choke again.

In a nutshell, that is a crude type of email bomb. If you want to get a highly technical description of a real email bomb attack, see "The Langley Cyber Attack". This is a fascinating story of how this sort of thing actually works.

An email bomb is basically an attempt to overwhelm an email server or, more specifically, a single inbox, with so many messages that it becomes unusable. Due to the way current messaging systems work, even shutting off the server or disconnecting it from the network would not help the situation, as the messages would simply wait for the system to come back online.

Most messages wait for at least several hours, and sometimes they wait for days. After all, the internet was designed to handle the vast outages that occur during nuclear warfare - and a system being offline for a short amount of time is definitely within design parameters.

Many of us have experienced situations similar to email bombs. For example, at my own company we had one system that got infected with "Iloveyou" a few years ago. Before we could identify and shut down that workstation, our email server was overwhelmed with over 50,000 messages!

Since most ISPs restrict the size of email accounts to just a few megabytes, it does not take much to effectively "bomb" an inbox and make it unusable. Your average ISP allows one to five megabytes of messages, which translates to just a few hundred emails and bang, your inbox is useless. In some cases the ISP will cancel the receiving account, even though the receiver is probably innocent of any crime.

Believe it or not, there are several hacker tools available to automate the process of email bombing someone. These tools send the email bomb from many different email servers, which makes it very difficult, if not impossible, for the average person to protect himself.

One common and easy way to email bomb someone is to subscribe their email address to many hundreds of mailing lists. Their inbox will become so full as to make it unusable. If you are the victim of this technique, you will find a number of "subscribe" messages in your inbox, and you will be forced to unsubscribe from every one of the mailing lists.

So how do you protect yourself from email bombs? One way is to simply change your email address when you determine that you have been bombed. This, of course, is very inconvenient, as now you have to notify all of the people who send you mail of the change. Sometimes, however, it is the best that you can do.

You can read "How to protect yourself from email bombs!", which is a technical, but nonetheless excellent, article describing some techniques for defending yourself.

One of the problems with trying to stop the attacks is that the attacker has more than likely spoofed (hidden or modified) his return address and other identifying information. This may make it impossible to find out the identity of the attacker.

If you feel that you are the victim of an email bomb, do not hesitate to talk to the technical support department of your ISP. They have to handle these kinds of things occasionally, and they may be able to block the messages before they reach your inbox. Of course, there is always the possibility that they will cancel your account - but if your ISP is that hostile perhaps it is time to find a new one anyway.
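The two patterns described above, a flood from many different senders and a subscription bomb that fills an inbox with list confirmation messages, both show up as an abnormal inbound rate to a single recipient, which is what an ISP or mail administrator looks for before blocking messages. The following Python script is an added example, not code from the original article; it runs a sliding-window rate check over a constructed, simplified mail log (the line format, the thresholds and the confirmation-subject regex are assumptions, not any real server's format) and labels each alert as a generic flood or a likely subscription bomb.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mail-log lines, not taken from the original post. Each line uses a
# hypothetical simplified format: ISO timestamp, sender, recipient, quoted subject.
SAMPLE_LOG = """\
2007-08-20T09:00:01 alice@example.net bob@xyz.example "Project status"
2007-08-20T09:00:05 list01@lists.example carol@xyz.example "Please confirm your subscription"
2007-08-20T09:00:06 list02@lists.example carol@xyz.example "Confirm your subscription to list02"
2007-08-20T09:00:07 list03@lists.example carol@xyz.example "Welcome! Please confirm"
2007-08-20T09:00:08 list04@lists.example carol@xyz.example "Subscription confirmation"
2007-08-20T09:00:09 list05@lists.example carol@xyz.example "Please confirm your subscription"
2007-08-20T09:00:10 list06@lists.example carol@xyz.example "Verify your email address"
2007-08-20T09:05:00 dave@example.net bob@xyz.example "Lunch?"
2007-08-20T09:30:00 erin@example.net bob@xyz.example "Re: Project status"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')
# Subjects typical of mailing-list opt-in confirmations (assumed pattern, tune to your lists).
CONFIRM_RE = re.compile(r"\b(confirm|confirmation|verify|subscription)\b", re.IGNORECASE)

WINDOW = timedelta(minutes=5)   # sliding window length (assumed, tunable)
THRESHOLD = 5                   # messages to one recipient within WINDOW that raise an alert
CONFIRM_RATIO = 0.5             # share of the window that must look like confirmations


def parse_log(text):
    """Yield (timestamp, sender, recipient, subject) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, rcpt, subj = m.groups()
        yield datetime.fromisoformat(ts), sender, rcpt, subj


def detect_floods(text, window=WINDOW, threshold=THRESHOLD, confirm_ratio=CONFIRM_RATIO):
    """Return {recipient: alert} for every recipient whose inbound rate crosses the threshold.

    alert = {"count": messages in the busiest window,
             "distinct_senders": how many different senders contributed (a flood from
                                 many servers, as the article describes, scores high here),
             "kind": "subscription-bomb" if most subjects look like list confirmations,
                     otherwise "flood"}
    """
    windows = defaultdict(deque)   # recipient -> deque of (ts, sender, looks_like_confirmation)
    alerts = {}
    for ts, sender, rcpt, subj in sorted(parse_log(text), key=lambda r: r[0]):
        q = windows[rcpt]
        q.append((ts, sender, bool(CONFIRM_RE.search(subj))))
        # Drop entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            confirms = sum(1 for _, _, c in q if c)
            kind = "subscription-bomb" if confirms / len(q) >= confirm_ratio else "flood"
            prev = alerts.get(rcpt)
            # Keep the alert for the busiest window seen for this recipient.
            if prev is None or len(q) > prev["count"]:
                alerts[rcpt] = {
                    "count": len(q),
                    "distinct_senders": len({s for _, s, _ in q}),
                    "kind": kind,
                }
    return alerts


if __name__ == "__main__":
    for rcpt, alert in detect_floods(SAMPLE_LOG).items():
        print(f"{rcpt}: {alert['kind']}, {alert['count']} messages "
              f"from {alert['distinct_senders']} senders within {WINDOW}")
```

On the constructed log, bob's three ordinary messages never trip the threshold, while carol's six confirmation messages in a few seconds produce a single "subscription-bomb" alert. In practice the alert would feed a per-recipient rate limit or a temporary block at the ISP's mail gateway, which keeps the messages from reaching the inbox in the first place, as the article suggests asking the ISP to do.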
