How to Turn an Email Server Rogue - HCCI-214 Session 5

Can your email server be programmed for evil?  Chances are it's already happened!

It may sound like a pulp 60's spy novel, but the truth is your technology can be turned against you at any time.  Whatever benefit any automated system provides to your organization, there are those who would like to subvert its automatic behavior to their own nefarious uses.  Having laid the groundwork in previous sessions for the potential methods that a competitor might use to gain access to confidential strategic data at your organization, we will now begin to pull resources together into what a real life attack might look like.

The Secret Lives of Email Servers

By definition, an email server is a treasure trove of corporate information.  More than anything else, it is a repository for proprietary data, highly sensitive corporate communications, and the collective virtual identity of all who use it in the form of your staff directory.  Worse, your email server is not a wall.  Email servers are not designed to keep things out.  By definition, email servers are configured to allow the right people to have access to data at the right times.  What if someone approached your email server in a way that it was not designed to be used?  What if someone found a nefarious use for the natural and useful actions that your email server performs every day?  That use already exists and it is known as a Directory Harvest Attack or DHA.

How to Harvest an Email Directory

GSA Verifier (pictured) is one of the most affordable and widely used email verifier software packages, a perennial favorite of cyber-criminals.

A Directory Harvest Attack (DHA) consists of a few components.  The first is a list of email addresses located at your company.  The second is the verification protocols of your corporate email server.  Historically, email servers have performed a service for outsiders by verifying email addresses without the need to actually send an email (and thus tip management off that an attack is in the works).

The way it works is simple: An attacker uses commonly available software to submit addresses to the email server and the server reports back whether or not the username is valid.  This is a completely legitimate and valuable role played by the email server.  The problem occurs when an enterprising outside agent submits thousands of potential email addresses to your email server over time and, sorting the good from the bad, ends up with a complete copy of your corporate directory.

That directory could be used in several ways.  For example, spammers routinely carry out such attacks and use the resulting email lists as fodder for their sales campaigns.  That's not entirely accurate of course, as many times the mailing list is acquired by a third party and then sold on to several spammers over and over again.  Spammers and criminals will even price lists of email addresses (and often other, more illicit data) based upon how long the data has been available, how old it is, and how many times it has been sold.  Thus, like a used car, the list loses value as it is resold, since the email addresses are increasingly likely to have become invalid, either as a result of time or because they were abandoned due to too much spam.

A far more interesting and devastating mode of attack uses the vast array of email addresses garnered through a directory harvest attack as fodder for more sophisticated infiltration techniques.  It works like this: the attacker does some simple programming to make the corporate directory appear to be a legitimate personal address book exported from their own email account.  Armed with this, the attacker can approach employees of the organization with valid-looking connection requests on LinkedIn, Facebook, and other social networks.  The attacker provides a seemingly legitimate backstory: perhaps they are an IT staff member in a distant regional office and they're looking for employees to log into a beta (test) version of a new patient electronic health records server, test it, and fill out a brief survey.

The odds of success are incredibly in favor of the attacker in such a scenario.  If the attacker approaches 200 employees, only 25 accept his connection request, and only 5 of those actually access the fake test server, he's still stolen 4 more account logins than he actually needs to remotely access and download company data.  Have you ever forgotten your password?  Maybe you tried to log into your email several times, with several variations on your password and your username.  That's what the attacker is looking for.  Employees try to test the new EHR server, put in their usernames and probably try a couple of different passwords, then return to the attacker complaining that it didn't work.  It's too late though: the attacker has everything they need to access millions of dollars' worth of corporate data.  Two days later someone has figured out this new LinkedIn presence isn't legitimate, but it's too late; the cat is already well out of the bag and on its way to being sold via various corporate data black markets.

An online search for email verification will turn up any number of tools which allow a user, typically a spammer, to submit a list of email addresses and have the valid ones sorted from the invalid.  While individual email addresses can be submitted to a server manually using utilities included with Microsoft Windows, as well as ones easily accessible from Mac OS or Linux, most attackers will choose to automate the email verification process.  If they can get lists of employee names from your corporate website or via a company search on LinkedIn, they may work out the pattern of email addresses that your company uses and construct a series of likely valid addresses.  Use of a list such as this constitutes a targeted Directory Harvest Attack.  Without such a list, attackers may simply go through every possible combination of letters that could form a valid username, which is known as a brute force Directory Harvest Attack.  Brute force Directory Harvest Attacks are the less preferred method, as they are more likely to trigger security measures and draw attention to the attack.  Finally, attackers may not attempt to validate email addresses independently at all.  Websites like LinkedIn and Facebook do not penalize a user for importing email addresses that are invalid.  An attacker will know which addresses were valid when they find those users on those social networks, though obviously this technique misses any valid email addresses that were not used to create social media accounts.


How to Keep Your Email Server Loyal

Email servers do not need to verify addresses.  Indeed, this service is only a benefit to those outside the organization.  It is unlikely that a potential client will fail to call or take other means to initiate contact with your business simply because they struggle to find a valid email address.  In fact, corporations frequently remove all email addresses from their websites to evade both spammers and job applicants, yet find themselves besieged by both regardless.  Thus you should speak to your IT administrator or email contractor about eliminating your email server's email verification service today.
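Whether or not the verification service has been switched off, the pattern described above ("thousands of potential email addresses ... over time") leaves a distinctive trace in the mail server's own logs: one client collecting many "user unknown" rejections in a short span.  The following is an added example, not part of the original session material: a small Python detector that scans Postfix-style SMTP log lines for that pattern.  The log line format and the year used for timestamp parsing are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a Postfix-style "User unknown" RCPT rejection. The log format is assumed, and the
# SAMPLE_LOG lines below are constructed for this example, not captured from a real server.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 [\d.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <ajones@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<ajones@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bjones@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bjones@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <cjones@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<cjones@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <asmith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<asmith@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:04 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bsmith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bsmith@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:05 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <csmith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<csmith@example.org> proto=ESMTP helo=<scan>
Mar  3 10:00:09 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.4]: 550 5.1.1 <r.johnson@example.org>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.net> to=<r.johnson@example.org> proto=ESMTP helo=<mail.example.net>
Mar  3 10:00:12 mx1 postfix/smtpd[2103]: 7B2A1C0: client=mail.example.net[198.51.100.4]
Mar  3 10:02:30 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dsmith@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dsmith@example.org> proto=ESMTP helo=<scan>
"""

def parse_rejects(log_text):
    """Yield (timestamp, client ip, rejected recipient) for each unknown-user rejection."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed for parsing
            ts = datetime.strptime("2016 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"].lower()

def detect_dha(log_text, threshold=5, window_seconds=60):
    """Map each client ip that collects >= threshold unknown-recipient rejections inside any
    window_seconds span to (peak rejections in one window, distinct addresses probed)."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(log_text):
        by_ip[ip].append((ts, rcpt))
    suspects = {}
    for ip, events in by_ip.items():
        times = sorted(t for t, _ in events)
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[ip] = (peak, len({r for _, r in events}))
    return suspects
```

The single mistyped address from 198.51.100.4 stays below the threshold while the client walking ajones, bjones, cjones... is flagged; on Postfix the VRFY probe itself can be switched off with `disable_vrfy_command = yes`, but RCPT-based probing still shows up only in logs like these.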

Other steps to keep your email directories private can include:

  1. The Dread Pirate Roberts.Org - Consider using only role-based email addresses for public-facing email.  Those role-based addresses should then be forward-only addresses which send email to the employees charged with public relations.  In this day and age, there is little reason that your CEO needs to have salespeople soliciting them via a public or easily guessed email address.  Emptying your spam folder on a daily basis is not an essential function of strategic management for the modern executive.
  2. Break All the Rules - ajones, bjones, cjones, asmith, bsmith, etc., etc.  Look familiar?  There are perhaps tens of thousands of last names common to a given country, including a variety of spellings.  There are, on the other hand, only 26 letters in the alphabet.  The First-Initial-Last-Name username for email has had its day.  Consider other combinations, such as Full-First-Name-Last-Initial.  Again, we no longer need email addresses to be human readable or memorable, as email clients do the majority of the work for us.  Many of us haven't memorized a telephone number since the majority of the US got their first cellphone in 2004.  It's simply not necessary, as the cellphone now remembers all of your contacts for you.
  3. Stop Putting Your Passwords Online - Most people consider passwords a private matter, but consider this: to impersonate your CEO online, you need their username and their password.  Preventing employee usernames from becoming common knowledge by assigning a different user login ID than the email alias adds an additional degree of complexity for potential attackers to navigate.  If a user's email is, consider making their corporate login randy.johnson or something similarly different.  This is not a panacea, but at the same time there is no reason to make it easy for attackers either.
  4. Double Your Pleasure, Double Your Security - Two-factor authentication's time has come.  Passwords are no longer sufficient security for corporate logins (they never were, but better security has gotten easier and more affordable).  Our entire scenario above is thwarted, albeit uncomfortably far along, if employees need to use a second physical device to log in to their corporate accounts.  This device could be a company issued cellphone, a USB stick, a fingerprint, anything that prevents an attacker from impersonating a user without physically holding that device.