E-mail bombing and impersonating the sender have become common crimes in cyberspace.
The global networking infrastructure is used as a basis to attack the
integrity of unsuspecting victims. Disgruntled
employees, terrorists and industrial competitors can use network-based e-mail
bombing techniques to undermine confidence in organizations of trust.
This type of attack on brand integrity has the potential to cause major
financial damage to institutions, including financial services
institutions, banks, insurance companies, pharmaceutical companies,
publishing companies, law enforcement, government institutions, ad infinitum.
Our team uncovered and stopped a covert channel for the
illegal distribution of pornography, hate-mail and pranks via
standard operational SMTP MTAs. We actively engaged
to protect the reputation, integrity, and the brand of the
organization. Unfortunately,
it is extremely difficult for the general public to differentiate between
the abuse of legitimate resources by a hacker, terrorist, or criminal and direct misuse or
negligence by an organization or commercial corporation.
When the public incorrectly perceives that a large multi-national business is distributing
illicit material from its e-mail servers, this perception will
undermine the integrity, confidence and trust of the business.
The results could be devastating.
Tools for launching e-mail based attacks are dangerous, easy to
use, and freely available on the Internet. Cryptographic
mechanisms to authenticate e-mail are emerging. However, the
ease with which an attacker might abuse and misuse the e-mail infrastructure of
both commercial and federal organizations puts these organizations
at significant risk today.
Finally, there exists a perpetual enigma in the Internet community
regarding computer and network security. Many professionals are
of the opinion that ``security through obscurity'' is the better
approach to managing information security risks; that is,
containment of vulnerabilities is preferable to open discourse.
On the other hand, there are equally passionate opinions for
``security without ambiguity''; that is, it pays to have the
global community engaged as an open cyber-society, solving security challenges
together. It is our hope that this paper helps, in some small way,
forward the overall goals and objectives of the Internet community.