Abstract

This chapter reviews defenses that can be enacted to protect the environment against the most common mail service attacks. Microsoft Exchange Server integrates into Microsoft Active Directory (AD). User accounts are created and stored centrally in AD, while Exchange Server maps its mailbox-specific information to the user accounts that exist in the AD database. In addition to relying on AD services, Exchange Server requires other infrastructure services such as Domain Name Services (DNS). For sending and receiving e-mail, Exchange Server also takes advantage of industry-standard protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3), and Internet Message Access Protocol (IMAP4). Cache poisoning, buffer overruns, and spoofing are among the attacks against mail services. Cache poisoning attacks work by intentionally causing a DNS server to cache misrepresented information, such as the wrong Internet Protocol (IP) address for a particular domain name. Buffer overrun attacks often execute code on the targeted system. Spoofing is another common action: attackers who want to make their origin difficult to trace generally hide their source address information by replacing the address information in the e-mail message, so that invalid or fictional addresses are displayed instead of the legitimate source address.
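The spoofing described above leaves traces a defender can check, because the displayed `From` address is set by the sender while `Return-Path` is recorded at delivery from the SMTP envelope. The following is an added example, not code from the chapter: the function name, the finding labels and the sample messages are constructed for illustration, and a mismatch is an indicator for triage rather than proof, since mailing lists and third-party senders also produce one.

```python
from email import message_from_string
from email.utils import parseaddr


def _domain(address):
    """Lower-cased domain part of a bare address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def spoofing_indicators(raw_message):
    """Return a list of header inconsistencies typical of a spoofed sender."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    envelope_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    findings = []
    if not from_dom:
        findings.append("from-missing-or-invalid")
    # Displayed address differs from the envelope sender recorded at delivery.
    if from_dom and envelope_dom and envelope_dom != from_dom:
        findings.append("from-vs-return-path")
    # Replies would go to a different domain than the one displayed.
    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append("from-vs-reply-to")
    # Display name carries an address from another domain than the real one.
    if from_dom and "@" in display_name and _domain(display_name.strip()) != from_dom:
        findings.append("display-name-address")
    return findings


# Constructed sample messages using reserved example domains (not real traffic).
LEGITIMATE = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: Minutes\n\nAttached.\n"
)
SPOOFED = (
    "Return-Path: <bounce@example.org>\n"
    'From: "it-support@example.com" <helpdesk@example.net>\n'
    "Reply-To: <collect@example.org>\n"
    "Subject: Password expiry\n\nPlease reply.\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, spoofing_indicators(raw))
```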
