Last Saturday, the email server of a small Internet service provider in the southwestern United States started to churn out email broadcasts from a lone user to more than 45,000 email addresses. Naturally, the ISP was curious who the "spammer" was.
Unfortunately, the spammer employed a simple technique for sending email from the ISP's server without actually having an account on its system, making the culprit difficult if not impossible to track down. But some Internet email vendors, including Netscape Communications and Software.com, are now taking steps to prevent the hijacking technique--well understood among messaging and security experts, but still widely disregarded by organizations that run email servers--from working on their products.
The technique is startlingly easy to exploit, and a potential boon for email spammers than want to cover their tracks. Users need only to designate an email server as the outgoing SMTP (simple mail transport protocol) server in a standard email client such as Eudora. Provided that the email server is not shielded by a firewall or some other security mechanism, the user will be able to log on the server through any ISP such as Netcom or CompuServe to send email to a potentially huge list of users--all without an account or password.
For some spammers, the opportunity to hijack someone else's mail server further distances them from the hostile responses that almost always follow spams. In the case of the Southwestern ISP, the spammer, who connected to the ISP's mail server through PSINet, entered a false return address and name in his email client. When irate users began to respond to the spam--a $28.95 offer to convert their handwritten signatures into a True Type font--the messages bounced back to the users themselves and to the email administrator at the ISP.
"That was what was mean about the whole thing," said the head of operations at the ISP, who asked not to be identified in order to avoid alerting a competitor to his company's misfortune. "Of the 45,000 messages sent out, probably about 6,000 of them were invalid. We're up to about 14,000 messages to our postmaster."
"There are certain users that have become vigilante anti-spammers. They'll take a 100 megabyte attachment and return it to the sender."
Although it's impossible to tell how many email servers on the Internet are vulnerable, it is not difficult to locate servers that are open to unauthorized use. A CNET reporter, for example, was able to locate and send email from five separate servers, including several university servers and one belonging to the White House, within the span of 15 minutes. Email server names are readily available on Usenet newsgroup postings.
Some email systems, such as the popular Sendmail program in Unix servers, already allow administrators to block out unauthorized use, but more vendors are beginning to fortify their products.
This week, Netscape introduced a beta version of its Messaging Server 3.0, its first email server to support Authenticated SMTP, a feature that allows systems administrators to control who sends and receives email using passwords and digital certificates. And within the next two to three months, Software.com will allow users of its Post.office server to screen out selected domain names from accessing the server, according to Andrew MacFarlane, a product manager at the company.
MacFarlane said that interest in finding a solution for protecting email servers has grown rapidly, something he attributed to the media attention paid to spamming. "The last month is when email [about blocking unauthorized email users] really started coming in," he said. "It's almost on a daily basis."
In the meantime, it's unclear what legal recourse, if any, an organization has if an outsider hijacks their server.
"This may be one of the areas where, if you haven't been told you can't, you can," said Ira Machefsky, a senior industry analyst with the Giga Information Group. "Up until now, the Internet has been kind of a polite place to do your job. Now you have a bunch of strangers out there."