This document provides a general overview of problems associated with electronic mail bombing and email spamming. It includes information that will help you respond to and recover from this activity.
Introduction
I. Description
II. Technical Issues
III. What You Can Do
- Detection
- Reaction
- Prevention
IV. Additional Security Measures That You Can Take
I. Description
Email bombing is characterized by abusers repeatedly sending an email message to a particular address at a specific victim site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact.

Email spamming is a variant of bombing; it refers to sending email to hundreds or thousands of users (or to lists that expand to that many users). Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to mailing lists and not realizing that the list explodes to thousands of users, or as a result of a responder message (such as vacation(1)) that is set up incorrectly.

Email bombing/spamming may be combined with email spoofing (which alters the identity of the account sending the email), making it more difficult to determine who actually sent the email. For more details on email spoofing, see

- http://www.cert.org/tech_tips/email_spoofing.html
II. Technical Issues
- If you provide email services to your user community, your users are vulnerable to email bombing and spamming.
- Email spamming is almost impossible to prevent because a user with a valid email address can spam any other valid email address, newsgroup, or bulletin-board service.
- When large amounts of email are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of
  - overloading network connections
  - using all available system resources
  - filling the disk as a result of multiple postings and resulting syslog entries
III. What You Can Do
- Detection

  If your system suddenly becomes sluggish (email is slow or doesn't appear to be sent or received), the reason may be that your mailer is trying to process a large number of messages.
- Reaction

  - Identify the source of the email bomb/spam and configure your router (or have your Network Service Provider configure the router) to prevent incoming packets from that address. Review email headers to determine the true origin of the email. Review the information related to the email bomb/spam following relevant policies and procedures of your organization.
  - Follow up with the site(s) you identified in your review and contact them to alert them to the activity.

    NOTE: When contacting these sites, keep in mind that the abuser may be trying to hide their identity.

    We would appreciate it if you sent a copy of your message to cert@cert.org; this facilitates our work on incidents and helps us relate ongoing intruder activities.

    If you have a CERT reference number (e.g., CERT#XXXXX) for this incident, please include it in the subject line of all messages related to this incident. (NOTE: The CERT/CC assigns this reference number, so if you do not have one, one will be assigned once we receive the incident report.)

    To find site contact information, please refer to

    - http://www.cert.org/tech_tips/finding_site_contacts.html

  - Ensure you are up to date with the most current version of your email delivery software (sendmail, for example) and increase logging capabilities as necessary to detect or alert you to such activity.
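Reviewing email headers to find the true origin, as recommended above, means walking the Received: chain from the newest line (added by your own server) down to the first hop that a host you control accepted from outside; anything below that hop was supplied by the sender and may be forged. The following is an added example, not part of the CERT tech tip; the message, hostnames and addresses are constructed, and OUR_HOSTS / OUR_IPS are assumed placeholders for a site's own relays.

```python
"""Locate a message's real entry point from its Received: chain.
Added example, not from the CERT tech tip; message, hosts and addresses
are constructed, OUR_HOSTS / OUR_IPS stand in for the relays a site runs."""
import email
import re
from email import policy

# Constructed sample: From: claims a friendly sender, but the oldest
# Received: line (prepended first, so listed last) shows our hub accepted
# the message from an unrelated host.
RAW_MESSAGE = """\
Received: from hub.example.org (hub.example.org [192.0.2.10])
\tby mbox.example.org with ESMTP id abc123; Thu, 28 Mar 2024 14:10:41 -0400
Received: from relay.bad-example.net (unknown [198.51.100.77])
\tby hub.example.org with SMTP id def456; Thu, 28 Mar 2024 14:10:40 -0400
From: friend@trusted-example.com
To: victim@example.org
Subject: hello

body
"""
OUR_HOSTS = {"mbox.example.org", "hub.example.org"}  # relays we operate
OUR_IPS = {"192.0.2.10", "192.0.2.20"}                # their addresses

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Hops newest-first as (helo_name, source_ip_or_None, receiving_host)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(str(hdr))
        if m:
            ipm = IP_RE.search(m.group("info") or "")
            hops.append((m.group("helo"), ipm.group(1) if ipm else None, m.group("by")))
    return hops

def true_origin(raw):
    """IP that handed the message to the outermost host we control, or None.
    Walk newest-first while the receiving host is ours; the first source
    outside our relays is the entry point. Anything below it may be forged."""
    for _helo, ip, by in received_hops(raw):
        if by not in OUR_HOSTS:
            break  # past our edge: lines here were written by someone else
        if ip is not None and ip not in OUR_IPS:
            return ip
    return None
```

The address returned is what to look up when finding site contacts; the From: line and the HELO name are both under the sender's control.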
- Prevention

  Unfortunately, at this time, there is no way to prevent email bombing or spamming (other than disconnecting from the Internet), and it is impossible to predict the origin of the next attack. It is trivial to obtain access to large mailing lists or information resources that contain large volumes of email addresses that will provide destination email addresses for the spam.

  - Develop in-house tools to help you recognize and respond to the email bombing/spamming and so minimize the impact of such activity. The tools should increase the logging capabilities as well as check for and alert you to incoming/outgoing messages that originate from the same user or same site in a very short span of time. Once you identify the activity, you can use other in-house tools to discard the messages from the offending users or sites.
  - If your site uses a small number of email servers, you may want to configure your firewall to ensure that SMTP connections from outside your firewall can be made only to your central email hubs and to none of your other systems. Although this will not prevent an attack, it minimizes the number of machines available to an intruder for an SMTP-based attack (whether that attack is an email spam or an attempt to break into a host). It also means that should you wish to control incoming SMTP in a particular way (through filtering or another means), you have only a small number of systems--the main email hub and any backup email hubs--to configure. More information on filtering is available from

    - http://www.cert.org/tech_tips/packet_filtering.html

  - Consider configuring your mail handling system(s) to deliver email into filesystems that have per-user quotas enabled. Doing this can minimize the impact of an email bombing attack by limiting the damage to only the targeted accounts and not the entire system.
  - Educate your users to call you about email bombing and spamming.
  - Do not propagate the problem by forwarding (or replying to) spammed email.
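The in-house detection tool described under Prevention, alerting on messages that originate from the same user or site within a very short span of time, can be a sliding-window counter over the mailer's log. The following is an added example, not part of the CERT tech tip; the log lines are constructed in the style of sendmail's syslog from= records, and the hosts, addresses, window and threshold are assumptions to tune per site.

```python
"""Alert on senders or relays that inject many messages in a short window.
Added example, not from the CERT tech tip. Log lines are constructed in the
style of sendmail's syslog 'from=' records; hosts, addresses and thresholds
are made up and should be tuned per site."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)")

# Constructed sample: one legitimate user, then five large messages from
# the same sender and relay within 30 seconds, then normal traffic again.
SAMPLE_LOG = """\
Mar 28 14:10:01 hub sendmail[1201]: a001: from=<alice@example.org>, size=512, relay=mbox.example.org [192.0.2.20]
Mar 28 14:10:05 hub sendmail[1202]: a002: from=<bomb@bad-example.net>, size=900000, relay=relay.bad-example.net [198.51.100.77]
Mar 28 14:10:09 hub sendmail[1203]: a003: from=<bomb@bad-example.net>, size=900000, relay=relay.bad-example.net [198.51.100.77]
Mar 28 14:10:14 hub sendmail[1204]: a004: from=<bomb@bad-example.net>, size=900000, relay=relay.bad-example.net [198.51.100.77]
Mar 28 14:10:20 hub sendmail[1205]: a005: from=<bomb@bad-example.net>, size=900000, relay=relay.bad-example.net [198.51.100.77]
Mar 28 14:10:27 hub sendmail[1206]: a006: from=<bomb@bad-example.net>, size=900000, relay=relay.bad-example.net [198.51.100.77]
Mar 28 14:25:00 hub sendmail[1207]: a007: from=<bob@example.org>, size=700, relay=mbox.example.org [192.0.2.20]
"""

def parse(line, year=2024):
    """(timestamp, sender, relay) for a sendmail from= record, else None.
    syslog lines carry no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["sender"], m["relay"]

def find_bursts(lines, window_s=60, threshold=5):
    """Map ("sender"|"relay", name) -> time the threshold was first reached,
    for every sender or relay with >= threshold messages in window_s seconds."""
    recent = defaultdict(deque)  # per key, timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, sender, relay = rec
        for key in (("sender", sender), ("relay", relay)):
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop timestamps older than the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = ts
    return alerts
```

Keying on the relay as well as the sender catches bombs that rotate the envelope sender while coming from one site.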
IV. Additional Security Measures That You Can Take
- If you have questions concerning legal issues, we encourage you to work with your legal counsel.

  U.S. sites interested in an investigation of this activity can contact the Federal Bureau of Investigation (FBI). Information about how the FBI investigates computer crimes can be found here

  - http://www.cert.org/tech_tips/FBI_investigates_crime.html

  For information on finding and contacting your local FBI field office, see

  - http://www.fbi.gov/contact/fo/fo.htm

  Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps for pursuing an investigation.

- For general security information, please see

  - http://www.cert.org/
Copyright 2001,2002 Carnegie Mellon University.
Revision History

Apr 26, 1999     Converted to new web format
August 14, 2002  Updated to reflect more current information and resources