
Spammers hijack authentication mechanisms to send malware

Content filtering provider AppRiver reports an attack gaining momentum by using trusted systems to push malware before anyone notices.

Malware writers have created automated attacks that use a company's e-mail authentication system to send spam masquerading as trusted traffic. Once a compromised desktop is shut down, another appears instantly as a new spam relay, suggesting the hacker underground has refined a technique previously seen only on the small scale.

"It's very likely this will be commoditized quickly," said Peter McNeil, chief science officer for Gulf Breeze, Fla.-based AppRiver LLC, a content filtering vendor that blocks spam through its e-mail security managed services. "There are a wide range of people who send out spam through viruses. It starts at the high end, with the people that write viruses and create password cracking software. Once the software's written, it's instantly available to the low-end [script kiddies], where they can just download it. At that point, the capability is largely available to anyone interested in doing it."

McNeil said such tactics have existed on a small scale for some time, but recently a company's e-mail system was compromised and some longtime, well-trusted users began sending out millions of e-mails through an authenticated channel. As soon as e-mail administrators realized what was happening, they shut down the compromised account and another instantly took over, shooting out junk e-mail.

McNeil suspects the culprits used run-of-the-mill password recovery or cracking programs or network sniffers to grab the information needed to corrupt the authentication process.

Over time, such an automated attack could make current sender repudiation services ineffective since malicious messages would be difficult to differentiate from legitimate traffic.

"If a trusted system can be used to send out spam and viruses and any other malware, and that's behind a server signed up to be trusted, then that repudiation can be leveraged" to compromise systems, McNeil said.

McNeil advises enterprises to take basic precautions, including blocking outbound port 25 to any external servers and demanding authentication on any servers they support. In addition, administrators should carefully monitor messaging systems for any aberrant behavior, such as a desktop that suddenly starts sending out thousands of messages.

"Watch out for any system sending out more e-mail than it should or sending it out to places it normally wouldn't," he warned.

Another potentially effective mitigation is tarpitting, which slows the transmission of e-mail messages sent in bulk through several different methods. The intent is to maintain a high quality of service for legitimate users through selection and exemptions, while blocking any address sending out an unusual message load.
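The two defenses described above, volume and destination monitoring per sender and a tarpit that slows only the accounts exceeding their quota, as an added Python example. It is not code from the article or from AppRiver; the log format, the per-account baseline, the exemption list and the sample log lines are all constructed for the illustration.

```python
"""Toy outbound-mail monitor: flag senders whose traffic departs from their
baseline, and compute a tarpit delay for senders over quota (added example,
not the article's or AppRiver's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format:
# "<ISO timestamp> <sender account> <recipient domain>"
# alice behaves normally; bob is the compromised desktop that starts
# firing messages at domains it has never mailed before.
SAMPLE_LOG = """
2004-06-01T09:00:00 alice partner.example
2004-06-01T09:12:00 alice partner.example
2004-06-01T09:40:00 alice customer.example
2004-06-01T09:00:00 bob partner.example
""" + "\n".join(
    f"2004-06-01T09:{i:02d}:30 bob spamdest{i % 4}.invalid" for i in range(24)
)

# Hypothetical per-account baseline, as if learned from prior weeks of logs.
BASELINE = {
    "alice": {"per_hour": 4, "destinations": {"partner.example", "customer.example"}},
    "bob": {"per_hour": 2, "destinations": {"partner.example"}},
}

# Accounts reviewed by administrators and allowed to send in bulk
# (the "selection and exemptions" that keep service quality for real users).
EXEMPT = {"bulk-newsletter"}


def parse_log(text):
    """Turn the constructed log text into (timestamp, user, destination) tuples."""
    events = []
    for line in text.strip().splitlines():
        stamp, user, dest = line.split()
        events.append((datetime.fromisoformat(stamp), user, dest))
    return events


def flag_anomalies(events, baseline, window=timedelta(hours=1), factor=5):
    """Return {user: [reasons]} for senders whose peak count inside any sliding
    window exceeds factor x their hourly baseline, or who mail domains that
    never appeared in their baseline."""
    by_user = defaultdict(list)
    for stamp, user, dest in sorted(events):
        by_user[user].append((stamp, dest))

    findings = defaultdict(list)
    for user, items in by_user.items():
        profile = baseline.get(user, {"per_hour": 1, "destinations": set()})

        # Sliding window over the sorted timestamps: largest number of
        # messages this user sent within any span of length `window`.
        peak, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > factor * profile["per_hour"]:
            findings[user].append(
                f"volume: {peak} msgs in {window} (baseline {profile['per_hour']}/h)"
            )

        new_dests = {dest for _, dest in items} - profile["destinations"]
        if new_dests:
            findings[user].append(f"new destinations: {sorted(new_dests)}")
    return dict(findings)


def tarpit_delay(user, sent_in_window, quota, step=1.0, cap=30.0, exempt=EXEMPT):
    """Seconds the server should pause before accepting this sender's next
    message: nothing up to `quota`, then growing with the excess, capped so
    one burst can never stall the whole queue. Exempt accounts are never slowed."""
    if user in exempt or sent_in_window <= quota:
        return 0.0
    return min(cap, step * (sent_in_window - quota))


if __name__ == "__main__":
    flagged = flag_anomalies(parse_log(SAMPLE_LOG), BASELINE)
    for user, reasons in flagged.items():
        print(user, "->", "; ".join(reasons))
        print("  tarpit delay:", tarpit_delay(user, 25, quota=10), "s")
```

Running it flags only bob, on both counts (a 25-message burst against a 2-per-hour baseline, and four destination domains absent from its history), while alice's three messages to known domains pass untouched; the tarpit then adds a bounded per-message pause for bob only. A real deployment would feed the baseline from the mail server's own logs and alert on the findings rather than print them.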
