Friday, October 24, 2014

Would you know if your email server were attacked?

This is a continuation of a series investigating a piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
I had thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an "invoice" for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.

Discovering and writing about criminal mischief is great, but if that's where I stopped, I'm just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. Writing this blog series was the teaching part; as for the fixing part, that is where today's story picks up.

The
Internet Engineering Task force (IETF) published a standard almost 20 years ago, specifying a variety of email addresses that every domain or web site should set up. Some of these addresses are dependent on the nature of the site - sales@domain doesn't make sense for a church, nor does support@domain make sense for a family. Other addresses though are appropriate for every domain. Among those are abuse@domain and security@domain, intended as a way for customers, providers, and unrelated parties to let the domain owner know of inappropriate use of their services.

In my mind, attacks against your mail server constitute an inappropriate use of your services, so I tried to contact the abuse account at about 1,000 of the domains that my computer was instructed to probe. Lo and behold, over 50% of my emails bounced back. Over half of domain owners do not have an abuse@domain address - thus there is no way for me or anyone else to let the owners know they are being attacked.

Now here is the cruel irony: larger domains, with IT staff and security professionals, are the most likely to have an abuse account set up. They are also the ones most likely to have their servers well locked-down, and to have systems in place to detect and stop abusive behavior. They are the ones most likely to already know there is a problem, and to have dealt with it before I contact them.

The smaller domains - the small businesses, the family web sites, the churches, the community organizations, the blog sites - are far less likely to have an abuse account set up. They are also far less likely to have full time technology staff, network intrusion sensors, and incident response plans. The ones most in need of a warning are the ones least likely to get that warning.

I don't blame the small businesses, the churches, the families, or the community organizations. If you are a small ice cream shop trying to establish your business, you shouldn't have to learn all about network security. You want to sell ice cream. If you are a neighborhood association wanting to share community events with neighbors, you shouldn't have to become a security expert. You just want to share the news. In both cases, you might go to a GoDaddy, or a 1&1, or a Google Domains, or a SnapPages, or perhaps hire a website designer that would in turn do the same. You would expect the service provider, or perhaps the consultant you hired, to handle that part.

Yet here's the rub: in general, they don't. I set up a domain with Google Domains (it's in early adoption right now, not yet generally available) today ... none of the standard email addresses existed. I had to knowingly create the ones I wanted. I shouldn't have had to do that.

My domain is hosted by Google. In a perfect world, when I set up my domain, abuse@[mydomain] should have automatically been set up, forwarding to a network security account within Google's domain hosting business. They host my domain, they would handle any server security issues, case closed. In a less-ideal world, abuse@[mydomain] should have been automatically set up, in a manner that I can see any messages sent to it. In an even less-ideal world, I should have been given the option to create abuse@[mydomain] as part of the domain creation process. In fact none of these occurred. Out of the box, if my domain (which runs on Google's servers, not my own) is attacked, there's no way for me or my hosting provider to know about it. That is a problem.

What to do about it?

Well, if all you have is an email account with Google, or Yahoo, or your Internet provider, there is nothing you need to do. In the case of "[email protected]," gmail.com is owned by Google, and they handle server security issues. Email to [email protected] would be handled by Google's security team. The issue I speak of is if you have a domain of your own - "[email protected]." 

If you do have a domain of your own, I suggest setting up a few email aliases -  [email protected], [email protected], and if your domain is a web site, [email protected]. You can forward those aliases to your real email account, or set them up as mailboxes themselves - just check them every now and then. With these, there is a way for someone to let you know if there is a problem with your domain.