Many companies have taken a short-term view of the email security problem, tackling only the most obvious problems of viruses, trojans and spam and implementing piecemeal solutions to combat them. What they fail to consider is the growing threat from other sources such as malformed messages and denial of service attacks.
Most email client software has been sufficiently enhanced over the years to accept and "correct" corrupt or badly formatted headers. The majority of the time this is a helpful operation as it ensures speedy email delivery. However, not all anti-virus scanners "see" malformed messages and therefore do not check or scan them. This makes it possible to purposefully construct a malformed message that actually contains malware and deliver it, undetected, right into the heart of the corporate office.
In addition, some malformed messages can force the CPU to run at a hundred percent, thus causing the machine to crash. Email servers process messages with the same amount of fortitude as a dog with a bone, once it's got hold of it, it doesn't let go. A maliciously malformed message may result in a denial of service (DoS) attack, with the affected server unable to move on until it finishes processing, which could be hours.
DoS attacks can take many forms, Dictionary Harvest Attacks (DHA) for instance are used as a means to check for legitimate email address. Thousands of messages are sent to a corporate email server each one with a slightly different spelling to a name, unprotected email servers bounce back unknown recipients, allowing the spammer to collate a database of valid email addresses.
The link for this article located at net-security.org is no longer available.
