Small Business Attack – Spam
We’ve been battling spam for many years now. We all know that the problem exists, and that it can be annoying… but sometimes it seems like the constant complaining of email administrators is even more annoying. Is spam really such a big problem?
Let’s look at it for a minute… The influx of email can slow the mail servers. Manually sorting legitimate email from spam can reduce employee productivity. In some environments, the adult nature of spam can cause HR issues.
So sure, spam can be annoying, but is it really a serious problem?
Though I try to keep this blog from getting overly technical (after all, there are technical security blogs far better than mine), I am afraid that I have to dig a bit into the labyrinthine mess that is SMTP. The Simple Mail Transfer Protocol dates back to 1971 and is the method still used to transfer email today. (Though it has been extended and tweaked many many (many) times.) These days, it is far from simple but it is still deeply flawed.
At its heart are three problems:
First of all, the protocol is plain text. This means that anyone who can read the network traffic as it flows from the sender to the receiver can read the message. This allows attackers to read or alter messages as they go by, thereby preventing the receiver from knowing for certain that the messages are private or even reliable.
Secondly, the protocol works on the honor system. Just as anyone can drop a letter into a mailbox with whatever return address they wish, anyone may send an email and forge any From address they want.
There are numerous technical measures that can be put in place to limit these two problems. However, none of them works perfectly, and each of them makes the system more complex to maintain. If too many of them are implemented, you run an ever greater risk of email being greatly delayed or simply not getting through at all.
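To make the second problem concrete, here is an added example (not code from the original post) that reads a constructed, plaintext SMTP session and pulls out the two places a sender can put an address: the envelope MAIL FROM, and the From header inside the message. SMTP itself checks neither, so a simple receiving-side sanity check is whether the two even name the same domain; the session text and the domain names are constructed for this example.

```python
"""Added example: compare the envelope sender with the header From in a
constructed SMTP session. Both fields are set freely by the sending side."""
from email.parser import Parser
from email.utils import parseaddr

# Constructed client side of one SMTP session (all domains are made up).
# The envelope sender is an outside mailer, but the From header claims to
# be an internal address, which is exactly the forgery described above.
SESSION = """\
HELO mail.example.net
MAIL FROM:<bulk@mailer.example.net>
RCPT TO:<pat@smallbiz.example>
DATA
From: "Accounts Payable" <ap@smallbiz.example>
To: pat@smallbiz.example
Subject: Invoice attached

Please open the attached invoice.
.
QUIT
"""

def parse_session(text):
    """Return the envelope sender, the header From address, and whether
    the two share a domain. Everything here is readable as plain text."""
    envelope = None
    body_lines = []
    in_data = False
    for line in text.splitlines():
        if in_data:
            if line == ".":          # a lone dot ends the DATA section
                in_data = False
            else:
                body_lines.append(line)
        elif line.upper().startswith("MAIL FROM:"):
            # parseaddr copes with both <addr> and bare addr forms
            envelope = parseaddr(line.split(":", 1)[1].strip())[1]
        elif line.upper() == "DATA":
            in_data = True
    msg = Parser().parsestr("\n".join(body_lines))
    header_from = parseaddr(msg["From"] or "")[1]
    env_domain = envelope.rsplit("@", 1)[-1].lower() if envelope else ""
    hdr_domain = header_from.rsplit("@", 1)[-1].lower() if header_from else ""
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "aligned": bool(env_domain) and env_domain == hdr_domain,
    }

if __name__ == "__main__":
    print(parse_session(SESSION))
```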
Then we have the final problem. Though it doesn’t relate directly to SMTP, email is not human readable (by most humans, anyway), so recipients have to use email clients. As always happens, a handful of email clients have become the most popular, and attackers analyze them for flaws. Email messages can then be forged and sent containing malicious code that exploits a flaw in the email client.
So what does all this mean?
Basically, in addition to spam being annoying, and the extensions we’ve built around it making the actual system work poorly, we have a situation where attackers can target specific people and run their own software directly on the targeted workstation.
So how do we protect against it?