The need to learn the identity of the originator of the
message was overshadowed by the revelation that an MTA
at Langley AFB was being used to covertly and illegally distribute pornography and hate-mail.
Figure one illustrates sample content of the illicit mail covertly
relayed via the MTA. The concern for the reputation and brand
of the enterprise became the primary requirement. If this underground
distribution channel gained high media visibility, the resulting loss of public
confidence could damage the organization. The
basic requirements of the countermeasures were nicknamed the Black
Hole Strategy:
Do not provide any feedback or error messages to the hackers or
mail-bombers;
Capture and minimize delivery of illegitimate mail using a
rules-based filter;
Copy suspect mail for future analysis, delivering legitimate e-mail
robustly and quickly; and
Keep and maintain all captured messages as potential forensic
evidence.
The initial reaction by novice network administrators is to use
IP firewalls and routers to block the apparent source addresses of the
e-mail bombs.
However, experienced network managers familiar with mail-exchange
records (MX) [4] and the robustness of the sendmail MTA understand that
the address-blocking technique will not work in the vast majority
of cases. In fact, chain bombing and other relaying techniques
make most attempts to block specific IP addresses relatively futile;
traditional firewalls are simply ineffective.
Finally, when legitimate relays are used by bombers and hackers,
attempts to block these addresses result in self-styled ``denial-of-service
attacks''; this is an easily exploitable countermeasure.
Sendmail Countermeasures (sidebar)
It is possible to configure the sendmail anti-spamming
features defined under the check_ or checkcompat()
rule sets as countermeasures against many e-mail bombing techniques.
For example, these features allow sendmail to be configured not to
act as a mail gateway, to limit the size of messages, and to reject
certain sites known to send e-mail bombs [4].
The checkcompat() routine requires the modification of
the sendmail source code and, therefore, is quite difficult for
the average systems administrator to implement. Beginning with sendmail V8.8,
limited checking and rejecting can be accomplished with
four rule sets: check_mail, check_rcpt,
check_relay and check_compat. For more
information on these features, please refer to
reference [4].
During the Langley Cyber Attack, we found the sendmail built-in
functions difficult for the average
systems administrator to configure.
The built-in filtering provisions
were not flexible enough to meet all of our Black Hole
requirements.
In fact, inexperienced users of these rule sets
inadvertently
configured sendmail to serve as a relay for e-mail error
bombs because of the error messages generated by the MTA
when under attack.
Writing a rules-based filter which processed the mail queue was
found to be the best defense against the e-mail bombs
during our engagement.
However, sendmail is evolving, and
it is essential to use
the latest release of sendmail in all MTAs.
Sendmail developers have been refining the software
to provide more user-friendly configuration options
that can help mitigate e-mail bombs.
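The following Python filter is an added illustration of the Black Hole requirements listed above and of the rules-based pass over the mail queue described in this section; it is example code written for this page, not the filter used at Langley. It assumes a spool directory of one RFC 822 message per file and constructed rule constants (size limit, local domains, blocked sender domain, subject words): legitimate mail moves on to delivery, suspect mail is silently removed from the queue and copied as hash-named evidence with a JSON record, and no error message or bounce is ever generated.

```python
import email, hashlib, json, os, shutil, time
from email import policy
from email.utils import getaddresses, parseaddr

# Filter rules, constructed for this example (the paper's own rule set is not shown).
MAX_BYTES = 256 * 1024                     # oversized messages are a bombing signature
LOCAL_DOMAINS = {"base.example"}           # we are not a gateway: relay only to local users
BLOCKED_SENDER_DOMAINS = {"bomber.example"}
SUSPECT_SUBJECTS = ("make money fast", "xxx")

def classify(raw: bytes):
    """Return ('legitimate' | 'suspect', reason) for one queued RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if len(raw) > MAX_BYTES:
        return "suspect", "oversized"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.rsplit("@", 1)[-1] in BLOCKED_SENDER_DOMAINS:
        return "suspect", "blocked-sender"
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if not rcpts or any(r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS for r in rcpts):
        return "suspect", "relay-attempt"       # mail not for us: refuse to act as a gateway
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in SUSPECT_SUBJECTS):
        return "suspect", "subject-rule"
    return "legitimate", "ok"

def process_queue(queue_dir, deliver_dir, evidence_dir):
    """Black Hole pass over a queue: legitimate mail moves on, suspect mail is
    silently copied to evidence (hash-named, with a JSON record) and never bounced."""
    counts = {"legitimate": 0, "suspect": 0}
    for name in sorted(os.listdir(queue_dir)):
        path = os.path.join(queue_dir, name)
        with open(path, "rb") as f:
            raw = f.read()
        verdict, reason = classify(raw)
        counts[verdict] += 1
        if verdict == "legitimate":
            shutil.move(path, os.path.join(deliver_dir, name))
            continue
        digest = hashlib.sha256(raw).hexdigest()      # content hash ties the record to the evidence copy
        with open(os.path.join(evidence_dir, digest + ".eml"), "wb") as f:
            f.write(raw)
        with open(os.path.join(evidence_dir, digest + ".json"), "w") as f:
            json.dump({"queue_file": name, "reason": reason, "sha256": digest,
                       "captured": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}, f)
        os.remove(path)        # dropped from the queue: no error message leaves the MTA
    return counts
```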