Original publication date: Apr 26, 1999

Revised: August 14, 2002

<a name="Introduction"></a>
<hr size=2 noshade align=left>

This document provides a general overview of problems associated with
electronic mail bombing and email spamming. It includes information
that will help you respond to and recover from this activity.
<p>

<a href="#Introduction">Introduction</a>
<p>

<dl>
<dt>I. <a href="#I">Description</a></dt>
<dt>II. <a href="#II">Technical Issues</a></dt>
<dt>III. <a href="#III">What You Can Do</a></dt>
<dd>
  <ol type="A">
  <li><a href="#III.A">Detection</a></li>
  <li><a href="#III.B">Reaction</a></li>
  <li><a href="#III.C">Prevention</a></li>
  </ol>
</dd>
<dt>IV. <a href="#IV">Additional Security Measures That You Can Take</a></dt>
</dl>
<p>
<hr size=2 noshade align=left>

<a name="I"></a>
<h3>I. Description</h3>

<p>
   Email bombing is characterized by abusers repeatedly sending an
   email message to a particular address at a specific victim site.
   In many instances, the messages will be large and constructed from
   meaningless data in an effort to consume additional system and
   network resources.  Multiple accounts at the target site may be
   abused, increasing the denial of service impact.
</p>
<p>
   Email spamming is a variant of bombing; it refers to sending email
   to hundreds or thousands of users (or to lists that expand to that
   many users). Email spamming can be made worse if recipients reply
   to the email, causing all the original addressees to receive the
   reply. It may also occur innocently, as a result of sending a
   message to mailing lists and not realizing that the list explodes
   to thousands of users, or as a result of a responder message (such
   as <i>vacation(1)</i>) that is set up incorrectly.</p>

<p>
   Email bombing/spamming may be combined with email spoofing (which alters
   the identity of the account sending the email), making it more difficult
   to determine who actually sent the email. For more details on
   email spoofing, see</p>
<p><dl><dd><a href="http://www.cert.org/tech_tips/email_spoofing.html">http://www.cert.org/tech_tips/email_spoofing.html</a></dd></dl></p> 

<a name="II"></a>
<h3>II. Technical Issues</h3>
  <ul>
	<li>If you provide email services to your user community, your users are vulnerable to email bombing and spamming.</li>
	<li>Email spamming is almost impossible to prevent because a user with a valid email address can spam any other valid email address, newsgroup, or bulletin-board service.</li>
	<li>When large amounts of email are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of
	<ul>
		<li>overloading network connections</li>
		<li>using all available system resources</li>
		<li>filling the disk as a result of multiple postings and resulting syslog entries</li>
	</ul>
	</li>
  </ul>

<a name="III"></a>
<h3>III.  What You Can Do</h3>
<ol type="A">
  <li><a name="III.A"></a><h4>Detection</h4>
    <p>If your system suddenly becomes sluggish (email is slow or doesn't appear to be sent or received), the reason may be that your mailer is trying to process a large number of messages.</p>
  </li>
  <li><a name="III.B"></a><h4>Reaction</h4>
    <ol type="1">
      <li>Identify the source of the email bomb/spam and configure your router (or have your Network Service Provider configure the router) to prevent incoming packets from that address.
        <p>Review email headers to determine the true origin of the email. Review the information related to the email bomb/spam following the relevant policies and procedures of your organization.</p></li>

      <li>Follow up with the site(s) you identified in your review to alert them to the activity.
        <p><i>NOTE: When contacting these sites, keep in mind that the abuser may be trying to hide their identity.</i></p>
        <p>We would appreciate it if you sent a copy of your message to cert@cert.org; this facilitates our work on incidents and helps us relate ongoing intruder activities.</p>
        <p>If you have a CERT reference number (e.g., CERT#XXXXX) for this incident, please include it in the subject line of all messages related to this incident. (NOTE: The CERT/CC assigns this reference number, so if you do not have one, one will be assigned once we receive the incident report.)</p>
        <p>To find site contact information, please refer to</p>
        <dl><dd><a href="http://www.cert.org/tech_tips/finding_site_contacts.html">http://www.cert.org/tech_tips/finding_site_contacts.html</a></dd></dl>
      </li>

      <li>Ensure you are up to date with the most current version of your email delivery software (sendmail, for example) and increase logging capabilities as necessary to detect or alert you to such activity.</li>
    </ol>
  </li>
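<p>The header review in Reaction step 1, walked through in code. This is an added example, not part of the CERT document: it assumes a constructed three-hop message and a set of hosts you administer (<code>OUR_HOSTS</code>). Received headers are prepended, so the newest is first; the hop at which one of your own servers accepted the message from outside is the last one you can vouch for, and every hop listed beneath it was supplied by the sender and may be forged.</p>

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (assumed, not from the page): newest Received header first.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 4F3A2; Mon, 26 Apr 1999 10:00:05 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.org (8.9.3/8.9.3) with ESMTP id KAA12345; Mon, 26 Apr 1999 10:00:03 -0400
Received: from friend.example.com (friend.example.com [203.0.113.9])
    by relay.example.net with SMTP; Mon, 26 Apr 1999 10:00:01 -0400
From: someone@example.com
To: victim@example.org
Subject: test

body
"""
OUR_HOSTS = {"mail.example.org", "mx1.example.org"}   # hosts we administer (assumed)

HOP_RE = re.compile(r"from\s+(?P<from_host>\S+)(?:\s*\((?P<info>[^)]*)\))?"
                    r".*?\bby\s+(?P<by_host>[^\s;,]+)", re.DOTALL)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Pull the 'from' host, its bracketed IP (if any) and the 'by' host out of one Received header."""
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = IPV4_RE.search(m["info"] or "")
    return {"from_host": m["from_host"].lower(),
            "from_ip": ip[1] if ip else None,
            "by_host": m["by_host"].lower()}

def find_origin(raw, our_hosts):
    """Return (trusted_origin_hop, unverifiable_hops).

    Walk newest to oldest; the first hop where one of our hosts received the
    message from a host we do not run is the last point we can vouch for.
    Hops listed below it were written by the sender's side and may be forged.
    """
    msg = message_from_string(raw, policy=default)   # policy unfolds continuation lines
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    for i, hop in enumerate(hops):
        if hop["by_host"] in our_hosts and hop["from_host"] not in our_hosts:
            return hop, hops[i + 1:]
    return None, hops   # never crossed our boundary, or no parseable Received headers
```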
  <li><a name="III.C"></a><h4>Prevention</h4>
    <p>Unfortunately, at this time, there is no way to prevent email bombing or spamming (other than disconnecting from the Internet), and it is impossible to predict the origin of the next attack. It is trivial to obtain access to large mailing lists or information resources that contain large volumes of email addresses that will provide destination email addresses for the spam.</p>
    <ol type="1">

  <li>Develop in-house tools to help you recognize and respond to the
  email bombing/spamming and so minimize the impact of such
  activity. The tools should increase the logging capabilities as well as
  check for and alert you to incoming/outgoing messages that originate
  from the same user or same site in a very short span of time. Once
  you identify the activity, you can use other in-house tools to
  discard the messages from the offending users or sites.</li>

  <li>If your site uses a small number of email servers, you may want
  to configure your firewall to ensure that SMTP connections from
  outside your firewall can be made only to your central email hubs
  and to none of your other systems. Although this will not prevent an
  attack, it minimizes the number of machines available to an intruder
  for an SMTP-based attack (whether that attack is an email spam or an
  attempt to break into a host). It also means that should you wish to
  control incoming SMTP in a particular way (through filtering or
  another means), you have only a small number of systems--the main
  email hub and any backup email hubs--to configure. More information
  on filtering is available from
  <dl><dd><a href="http://www.cert.org/tech_tips/packet_filtering.html">http://www.cert.org/tech_tips/packet_filtering.html</a></dd></dl></li>

  <li>Consider configuring your mail handling system(s) to deliver
  email into filesystems that have per-user quotas enabled.  Doing
  this can minimize the impact of an email bombing attack by limiting
  the damage to only the targeted accounts and not the entire
  system.</li>

  <li>Educate your users to call you about email bombing and spamming.</li>
  <li>Do not propagate the problem by forwarding (or replying to) spammed email.</li>
    </ol>
  </li>
</ol>
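<p>The burst check described under Detection (III.A) and Prevention item 1, as an added example (not tooling from CERT or from this page): it reads constructed sendmail-style syslog lines, keeps a sliding window per sender, per sending site and per relay host, and reports the first time any of them exceeds a threshold inside the window. The log format, the year (syslog lines carry none) and the window and threshold values are assumptions.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sendmail-style "from=" records (assumed format, not from the page).
SAMPLE_LOG = [
    "Apr 26 10:00:01 mail sendmail[1201]: KAA01201: from=<bomber@example.net>, size=50000, nrcpts=1, relay=bomber.example.net [203.0.113.5]",
    "Apr 26 10:00:03 mail sendmail[1202]: KAA01202: from=<bomber@example.net>, size=50000, nrcpts=1, relay=bomber.example.net [203.0.113.5]",
    "Apr 26 10:00:04 mail sendmail[1203]: KAA01203: from=<alice@example.com>, size=812, nrcpts=1, relay=host.example.com [198.51.100.2]",
    "Apr 26 10:00:04 mail sendmail[1203]: KAA01203: to=<victim@example.org>, delay=00:00:01, stat=Sent",
    "Apr 26 10:00:05 mail sendmail[1204]: KAA01204: from=<bomber@example.net>, size=50000, nrcpts=1, relay=bomber.example.net [203.0.113.5]",
    "Apr 26 10:00:07 mail sendmail[1205]: KAA01205: from=<bomber@example.net>, size=50000, nrcpts=1, relay=bomber.example.net [203.0.113.5]",
    "Apr 26 10:00:09 mail sendmail[1206]: KAA01206: from=<bomber@example.net>, size=50000, nrcpts=1, relay=bomber.example.net [203.0.113.5]",
]

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: "
                    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)")

def parse_line(line, year=1999):
    """Return (timestamp, sender, sender's site, relay host) for a from= record, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None          # delivery (to=) records and other noise are skipped
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    sender = m["sender"].lower()
    site = sender.rsplit("@", 1)[-1]
    return ts, sender, site, m["relay"].rstrip(",").lower()

def find_bursts(lines, window=60, threshold=5):
    """Report (kind, key, count, time) the first time a sender, site or relay host
    reaches `threshold` messages within `window` seconds (lines in time order)."""
    recent = defaultdict(deque)
    flagged, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sender, site, relay = rec
        for kind, key in (("sender", sender), ("site", site), ("relay", relay)):
            q = recent[kind, key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop entries that aged out
                q.popleft()
            if len(q) >= threshold and (kind, key) not in flagged:
                flagged.add((kind, key))
                alerts.append((kind, key, len(q), ts))
    return alerts
```

Once a key is flagged, the same counters can drive the discard step the item mentions; the relay-host key catches bombers who rotate sender addresses but not their machine.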

<a name="IV"></a>
<h3>IV. Additional Security Measures That You Can Take</h3>
<ol type="A">
	<li>If you have questions concerning legal issues, we encourage you to work with your legal counsel.
		<p>U.S. sites interested in an investigation of this activity can contact the Federal Bureau of Investigation (FBI).  Information about how the FBI investigates computer crimes can be found here</p>
<p><dl><dd><a href="http://www.cert.org/tech_tips/FBI_investigates_crime.html">http://www.cert.org/tech_tips/FBI_investigates_crime.html</a></dd></dl></p>

<p>For information on finding and contacting your local FBI field office, see</p>

<p><dl><dd><a href="http://www.fbi.gov/contact/fo/fo.htm">http://www.fbi.gov/contact/fo/fo.htm</a></dd></dl></p>

		<p>Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps for pursuing an investigation.</p>
	</li>
	<li>For general security information, please see
		<p><dl><dd><a href="http://www.cert.org/">http://www.cert.org/</a></dd></dl></p>
	</li>
</ol>


<p>Copyright 2001,2002 Carnegie Mellon University.</p>


<hr noshade width=100%>

<a name="history"></a>
<table>
<tr>
<td><font size=3 face="Verdana">Revision History</font></td>
</tr>
<tr>
<td valign=top width=30%><font size=2 face="Verdana">Apr 26, 1999</font></td>
<td valign=top width=70%><font size=2 face="Verdana">Converted to new web format</font></td>
</tr>
<tr>
<td valign=top width=30%><font size=2 face="Verdana">August 14, 2002</font></td>
<td valign=top width=70%><font size=2 face="Verdana">Updated to reflect more current information and resources</font></td>
</tr>
</table>