Five ways to handle mail server attacks easily

Source: Internet
Author: User
Tags: filter, mail, requires, resource, valid, reverse dns, firewall

Attacks on mail servers take many forms: attacks that exploit buffer overflow vulnerabilities, denial of service attacks, directory harvest attacks, and so on. Hardening the mail server, using mail filtering tools, using managed services, and installing integrated software each block attacks on the mail server from a different side. These measures are described in detail in this article.

Hardening a mail server, placing a mail filtering network tool in front of it, or using a managed mail filtering service will help mitigate attacks from spammers and other sources.

As attacks against end users and their desktop systems have increased, direct attacks on mail servers have decreased (although the decline is only relative). The server is still vulnerable, however, because attackers continue to find vulnerabilities in Microsoft's Exchange server and even in sendmail. Here is a look at two common attacks and at ways to reduce or eliminate the mail server's exposure to them.

One of the root causes: buffer overflow vulnerabilities

A buffer overflow occurs when software such as a mail server stores more data in a buffer than the buffer was allocated to hold, because the program is not prepared for unexpected input. An attacker can exploit this flaw to make the mail server run code it was never meant to execute. If the mail server runs with privileges, the security of the entire system can be compromised. Even if it does not, an attacker can still compromise the server and gain full control over its resources.

Although a buffer overflow originates in an accidental programming error, it is a common security vulnerability that threatens data integrity. When the overflow condition is triggered, the extra data carries code designed to cause a particular behaviour, such as issuing new instructions to the attacked server that corrupt users' files, modify data, or expose confidential information.

In the past, attackers often used buffer overflow vulnerabilities to let worms spread across servers on the Internet, mainly to prove their ability. Lately the goal has become more concrete: the vulnerabilities let attackers compromise a mail server so that they can then use it to send spam.

This attack has two serious consequences. First, the security of the mail server is compromised, meaning the attacker can read the company's mail; the result can be catastrophic. Second, attackers can use the company's server resources to send spam, which damages the company's reputation and breaches ISP contracts, often leading to termination of service.

Hardening the mail server (and any other public-facing server) is important for preventing the exploitation of buffer overflow vulnerabilities and other forms of attack. Other protective measures can also be taken.

Response one: server hardening

The best way to reduce the exposure of your mail server to threats is to harden the server itself. In any case, hardening is always worth doing. Hardened servers, especially those on the Internet, run few services, and those that do run are usually isolated. Hardening usually requires the following measures:

• Physically secure the computer;

• Keep the operating system and application software up to date;

• Enable logging to record administrator access and resource use;

• Remove unnecessary applications, services, and tools;

• Enable the local firewall service;

• Restrict the use of privileged accounts.

Hardening servers significantly reduces their vulnerability, but hardening the mail server alone is usually not enough. A better solution is to harden the server and, in addition, filter mail traffic before messages actually reach it.

You can filter messages in advance with network tools, managed services, or software integrated into existing messaging systems such as Microsoft Exchange. Keep in mind that defences are layered: for example, harden the internal mail server and also deploy network tools that the vendor has hardened to protect the environment.

Response two: network tools

A mail filtering network tool is deployed in front of the internal mail server. These tools typically provide two kinds of firewall: a packet filtering firewall and an application-level firewall. Acting as a packet filtering firewall, the tool allows only valid TCP/IP traffic to the ports used by mail services such as SMTP and, typically, POP3 and IMAP. Acting as an application-level firewall, it ensures that the sending server uses SMTP correctly and follows the relevant Requests for Comments (RFCs) and conventions (for example, having a reverse DNS entry).

Network tools are not very susceptible to attack, for several reasons. First, most of them run on highly customised operating systems from which the vast majority of the additional services that could help an attacker have been disabled (or the operating system was built from the start specifically for the tool).

Second, the engineers who harden these tools strictly follow best practice.

Finally, the tool allows only restricted types of traffic to and from the mail server (that is, traffic related to mail transfer), and even that traffic is carefully inspected.

Response three: managed services

With a managed service, all messages are first sent to an offsite service that filters them and then forwards valid messages to the company's mail server.

For this strategy to effectively prevent attacks that use the mail protocol directly, the internal mail server must accept only connections initiated by the managed service and no others. However, these services cover only inbound mail traffic. Outbound mail is still sent directly to other servers on the Internet, which can trigger vulnerabilities in the mail protocol handling (for example, a receiving mail server can attack a buffer overflow vulnerability in the sending server's software during the SMTP transfer).

Response four: integrated software

Finally, you can install integrated software to help protect your mail server. This locally installed software guards against network attacks and makes the server more secure. It typically runs at the application layer (that is, SMTP) to protect the server from vulnerability exploitation. Some integrated software replaces the server's native TCP/IP stack with a customised, hardened version.

More commonly, however, the local filtering software cooperates with the mail software rather than putting a wall between the messaging software and the outside world. When an attacker can reach the mail server directly (for example, when an internal, trusted user launches the attack), integrated software of this kind can still work.

Response five: denial of service attacks and directory harvest attacks

Denial of service (DoS) attacks degrade the capacity of the target system. Against a mail server, for example, the attacker tries to slow it down or bring it to a halt. Attackers launch denial of service attacks in several ways, including consuming network resources and initiating directory harvest attacks.

When an attacker carries out a denial of service attack by consuming network resources, the attack usually concentrates on using up all of the target machine's available inbound connections. Because SMTP runs over TCP, a successful attack only requires that the attacker request more TCP connections than the server can provide. In other words, the attacker creates more connections to the mail server than it can handle, so the mail server can no longer accept valid inbound connections from legitimate mail servers.

There is almost no server-based way to prevent denial of service attacks. Most mail servers run on common operating systems that have not been tuned to resist them. Even on a hardened UNIX system, different network settings are needed to improve the server's tolerance of a large-scale denial of service attack. As a result, companies typically buy systems created specifically to detect and block denial of service attacks, or hardened filtering tools that can accept a far larger number of simultaneous connections than an ordinary mail server. Such filtering devices are usually better able to detect denial of service attacks and take defensive measures.
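The connection exhaustion described above can be modelled in a few lines. The following is an added example, not code from the article or from any product it mentions: a front-end limiter that caps concurrent SMTP sessions per source so that one flooding host cannot take the whole pool. The IP addresses and limits are constructed values.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ConnectionGuard:
    """Front-end SMTP connection limiter (illustrative, not a product's code).

    A plain mail server hands out connections first come, first served, so one
    source can hold them all.  The guard caps concurrent sessions per source
    so the pool is never exhausted by a single flooding host.  The limits are
    constructed values, not recommended defaults.
    """
    max_total: int = 100        # server-wide concurrent SMTP sessions
    max_per_source: int = 10    # concurrent sessions allowed from one IP
    active: Counter = field(default_factory=Counter)

    def total(self) -> int:
        return sum(self.active.values())

    def open(self, src_ip: str) -> str:
        """Return 'accept', or the SMTP reply sent instead of a session."""
        if self.active[src_ip] >= self.max_per_source:
            return "421 4.7.0 too many connections from your host"
        if self.total() >= self.max_total:
            return "421 4.3.2 service not available, try again later"
        self.active[src_ip] += 1
        return "accept"

    def close(self, src_ip: str) -> None:
        """Release one session held by src_ip."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1
            if self.active[src_ip] == 0:
                del self.active[src_ip]


def simulate_flood(per_source=10, attempts=500,
                   attacker="198.51.100.7", legit="203.0.113.5"):
    """Constructed scenario: one host opens `attempts` sessions and never closes
    them, then a legitimate MTA connects.  per_source=attempts reproduces an
    unprotected server where the flooder takes the whole pool."""
    guard = ConnectionGuard(max_per_source=per_source)
    rejected = sum(1 for _ in range(attempts) if guard.open(attacker) != "accept")
    return {
        "attacker_held": guard.active[attacker],
        "attacker_rejected": rejected,
        "legit_result": guard.open(legit),
        "total_in_use": guard.total(),
    }
```

Running `simulate_flood()` shows the flooder held to 10 sessions while the legitimate server is accepted; `simulate_flood(per_source=500)` shows the unprotected case, where the pool fills and the legitimate server is turned away.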

Directory harvest attacks (also called directory collection attacks) are resource-intensive attacks launched by spammers to discover valid addresses for future spam. During a directory harvest attack the mail server's load rises significantly, impairing the delivery of valid messages. In addition, the local mail server tries to return a non-delivery report for each invalid address to the From address used by the spammer.

Returning non-delivery reports generates additional outbound mail traffic, which consumes expensive bandwidth and further increases the load on the mail server. Because most From addresses used by spammers are fake, delivery of the non-delivery report always times out and the mail server has to retry later. In short, directory harvest attacks are a costly form of attack on mail servers.

Unfortunately, there are few ways to mitigate the risk of directory harvest attacks. One solution is to use a managed service: managed services generally maintain more mail servers than a company can deliver, so directory harvest attacks do not significantly affect message transfer.

Another solution is to install front-end filtering tools optimised for such attacks. Maintain a list of legitimate mail users in the tool (accessing the internal directory via a static list or the Lightweight Directory Access Protocol) so that the filter will not be sent to an ineffective
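The recipient check a front-end filtering tool performs with such a user list, as an added example that is not the article's or any vendor's code: unknown recipients are refused during the SMTP dialogue, so no non-delivery report is ever generated, and a source that keeps probing unknown names is cut off. The user directory, IP addresses and threshold are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the static user list or LDAP lookup the tool would use.
VALID_USERS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}


class RcptFilter:
    """Front-end RCPT TO filter for a mail filtering tool (illustrative).

    Unknown recipients are refused inside the SMTP dialogue (550), so the
    internal server never accepts the message and never has to send a
    non-delivery report to a forged From address.  A source that keeps
    probing unknown names is treated as a directory harvest and tempfailed.
    """

    def __init__(self, directory, harvest_threshold=5):
        self.directory = {addr.lower() for addr in directory}
        self.threshold = harvest_threshold   # invalid RCPTs tolerated per source
        self.invalid_by_src = defaultdict(int)

    def rcpt_to(self, src_ip: str, rcpt: str) -> str:
        """Return the SMTP reply the filter sends for one RCPT TO command."""
        if self.invalid_by_src[src_ip] >= self.threshold:
            return "421 4.7.0 too many invalid recipients, closing connection"
        if rcpt.lower() in self.directory:
            return "250 2.1.5 OK"
        self.invalid_by_src[src_ip] += 1
        return "550 5.1.1 no such user"


def replay(events, directory=VALID_USERS, threshold=5):
    """Run a list of (src_ip, recipient) pairs through the filter and count
    the replies by SMTP status code."""
    flt = RcptFilter(directory, threshold)
    return Counter(flt.rcpt_to(src, rcpt).split()[0] for src, rcpt in events)


# Constructed sample: a harvester walks a dictionary of common names while a
# legitimate MTA delivers one message to a real user.
HARVESTER, LEGIT = "198.51.100.9", "203.0.113.5"
SAMPLE_EVENTS = [(HARVESTER, f"{name}@example.com") for name in
                 ("aaron", "adam", "alice", "amy", "andrew", "anna", "bob", "carl")]
SAMPLE_EVENTS.append((LEGIT, "bob@example.com"))

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```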
