Last Saturday, the email server of a small Internet service provider in the
southwestern United States started to churn out email broadcasts from a
lone user to more than 45,000 email addresses. Naturally, the ISP was
curious who the "spammer" was.
Unfortunately, the spammer employed a simple technique for sending email
from the ISP's server without actually having an account on its system,
making the culprit difficult if not impossible to track down. But some
Internet email vendors, including Netscape Communications and Software.com, are now taking steps to
prevent the hijacking technique--well understood among messaging and security
experts, but still widely disregarded by organizations that run email
servers--from working on their products.
The technique is startlingly easy to exploit, and a potential boon for
email spammers that want to cover their tracks. Users need only
designate an email server as the outgoing SMTP (simple mail transport
protocol) server in a standard email client such as Eudora. Provided that
the email server is not shielded by a firewall or some other security
mechanism, the user will be able to log on to the server through any ISP
such as Netcom or CompuServe to send email to a potentially huge list of users--all without an account.
For some spammers, the opportunity to hijack someone else's mail server
further distances them from the hostile responses that almost always follow
spams. In the case of the Southwestern ISP, the spammer, who connected to
the ISP's mail server through PSINet,
entered a false return address and name in his email client. When irate
users began to respond to the spam--a $28.95 offer to convert their
handwritten signatures into a True Type font--the messages bounced back to
the users themselves and to the email administrator at the ISP.
"That was what was mean about the whole thing," said the head of operations
at the ISP, who asked not to be identified in order to avoid alerting a
competitor to his company's misfortune. "Of the 45,000 messages sent out,
probably about 6,000 of them were invalid. We're up to about 14,000
messages to our postmaster."
"There are certain users that have become vigilante anti-spammers. They'll
take a 100 megabyte attachment and return it to the sender."
Although it's impossible to tell how many email servers on the Internet are
vulnerable, it is not difficult to locate servers that are open to
unauthorized use. A CNET reporter, for example, was able to locate and send
email from five separate servers, including several university servers and
one belonging to the White House,
within the span of 15 minutes. Email server names are readily available on
Usenet newsgroup postings.
Some email systems, such as the popular Sendmail program in Unix servers,
already allow administrators to block out unauthorized use, but more
vendors are beginning to fortify their products.
This week, Netscape introduced a beta version of its Messaging Server 3.0,
its first email server to support Authenticated SMTP, a feature that allows
systems administrators to control who sends and receives email using
passwords and digital certificates. And within the next two to three
months, Software.com will allow users of its Post.office server to screen
out selected domain names from accessing the server, according to Andrew
MacFarlane, a product manager at the company.
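The relay decision behind both the hijacking technique and the vendor controls above (Sendmail's blocking, Authenticated SMTP, domain screening), as an added example that is not code from the CNET article or from any of the products it names. The domain names, client addresses and the 192.0.2.0/24 trusted network are constructed sample values, and screening by sender domain is an assumed reading of Software.com's planned feature.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Relay-control rules an SMTP server applies when a client issues RCPT TO."""
    local_domains: set[str]                  # domains this server delivers for
    trusted_nets: list[str]                  # networks allowed to relay without auth
    blocked_domains: set[str] = field(default_factory=set)  # sender domains screened out

    def __post_init__(self):
        self.trusted_nets = [ipaddress.ip_network(n) for n in self.trusted_nets]

    def check_rcpt(self, client_ip: str, authenticated: bool,
                   mail_from: str, rcpt_to: str) -> str:
        """Return the SMTP reply for one RCPT TO command: local delivery is always
        accepted; relaying elsewhere needs Authenticated SMTP or a trusted network."""
        sender_domain = mail_from.rpartition("@")[2].lower()
        rcpt_domain = rcpt_to.rpartition("@")[2].lower()
        # Domain screening alone is weak: the spammer in the article simply entered
        # a false return address, so treat this as a supplement, not the fix.
        if sender_domain in self.blocked_domains:
            return "550 Sender domain blocked"
        if rcpt_domain in self.local_domains:
            return "250 OK"                          # inbound mail for our own users
        ip = ipaddress.ip_address(client_ip)
        if authenticated or any(ip in net for net in self.trusted_nets):
            return "250 OK"                          # legitimate outbound relay
        return "550 Relaying denied"                 # the open-relay case, refused


def relay_session(policy: RelayPolicy, client_ip: str, authenticated: bool,
                  mail_from: str, recipients: list[str]) -> dict[str, int]:
    """Tally the replies a bulk mailing would get under the policy."""
    tally: dict[str, int] = {}
    for rcpt in recipients:
        reply = policy.check_rcpt(client_ip, authenticated, mail_from, rcpt)
        tally[reply] = tally.get(reply, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed sample: an unauthenticated outside client (documentation address
    # range) tries to relay a bulk mailing to a thousand recipients elsewhere.
    policy = RelayPolicy(local_domains={"isp.example"}, trusted_nets=["192.0.2.0/24"],
                         blocked_domains={"spam.invalid"})
    bulk = [f"user{i}@other.example" for i in range(1000)] + ["me@isp.example"]
    print(relay_session(policy, "203.0.113.7", False, "fake@forged.example", bulk))
```

With the sample policy, the unauthenticated outside client gets every outside recipient refused and only the one local recipient accepted, which is exactly the relay the article's spammer depended on being left open.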
MacFarlane said that interest in finding a solution for
protecting email servers has grown rapidly, something he attributed to the media attention
paid to spamming. "The last month is when email [about blocking
unauthorized email users] really started coming in," he said. "It's almost
on a daily basis."
In the meantime, it's unclear what legal recourse, if any, an organization
has if an outsider hijacks its server.
"This may be one of the areas where, if you haven't been told you can't,
you can," said Ira Machefsky, a senior industry analyst with the Giga Information Group. "Up until now, the
Internet has been kind of a polite place to do your job. Now you have a
bunch of strangers out there."