X

How a malicious email can spoil the wonder of your server security

Introduction

If you believe that your organization’s network is completely secure then it’s the time to give a second thought. Please note the entire network security lies upon the individual security of each component in your network and any least secured link is more than enough to challenge the overall protective shield. Email is the most used communication method in today’s modern world, especially in the corporate sector. It’s really hard to imagine even a single day without emails and almost every company is employing Microsoft Exchange to deliver this facility. Security threats to the Exchange Email Servers are increasing rapidly with the changing technologies. What will be your reaction to know your network security is compromised just because of the precious Email Server and important data is stolen or its existence is at stake. To avoid any such scenario, one should take necessary precautions discussed herein below to strengthen the security of Exchange Email Server in his/her organization.

How a hacker works?

Before getting to know how you can secure your Microsoft Exchange server, we must know how a hacker works. Hackers know very well about the common pattern of creating the email addresses in an organization’s network that is <firstname>. <lastname>@<domain.tld>. They gather most of the information from the Websites, where a company publicizes some personal and contact information. Most probably, you’re also following the similar rule for creating email IDs in your network. From here, the hackers create a list of possible email addresses to conduct Email Harvesting attacks, also known as Directory Harvesting Attack. They create genuine-alike phishing emails crafted especially for your network, company or staff.

Where malicious code reside in email?

Such emails may contain the malicious code (maybe a URL) inside their body or has a malicious attachment. With/without requiring the recipient’s intervention, the malicious code executes and sometimes you are not even notified that your email server is under attack.

Other methods to collect Information

Even if the hacker doesn’t get to know about any valid email address in your network, he/she has some cards to attack. One of these options is to send a fake email to a wrong email address and get an auto responder reply from the email server retrieving the information in its header, which is more than enough to attack your server.


Figure 1:
Snapshot of an auto responder email <Courtesy: TechNet Microsoft Blog Post on ‘How Hackers Work’)

Nslookup & Telnet

Once the target is identified, the hacker can make use of nslookup and telnet to fetch information about the email server running inside your network. He/she will simply type the following three commands on the command prompt,

  1. nslookup
  2. set type=mx
  3. <domain.tld>

Here the domain.tld can be abc.com or example.net.


Figure 2: nslookup command for Google.com

Now, a hacker tries to connect to your domain through Telnet for determining the nature of the SMTP server platform. The common port number for this method will be 25 as usual allowing him/her to establish a connection. This will let him/her to view the version of Exchange server on the banner. Please note only Exchange Server 2007 doesn’t display its version number by default in banner, whereas you can manually hide this version number in older Exchange editions.

Securing the Exchange Server

The email server administration plays a crucial role in securing Microsoft Exchange Server of your organization. Let us take a look at the best practices an administrator can adopt for this task.

General Precautions

It’s a mandate to encrypt the contact information published online. You can either convert the email addresses to image or remove @ from the email addresses. Be innovative to establish a different strategy for creating the email addresses for your staff instead of just following the traditional way <firstname>.<lastname>.

Update & Upgrade

Install all the latest available security patches and updates for your Exchange server and if possible, upgrade it to the latest available version. This will make your Exchange server ready to create a good line of defense against the hacking attacks.

Use Tarpitting to stop Directory Harvesting

Exchange Server 2007 makes use of internet-facing Hub Transport server, which uses recipient lookups to notify the connected host about the validity of an email address upon receiving any mail. If the recipient’s email address is valid then “250 2.1.5 Recipient OK” SMTP response is sent, or else “550 5.1.1 User Unknown” is sent. This is a compulsory behavior as per RFC for SMTP communication, but clearly responsible for the Directory Harvesting attacks.

If a delay is inserted in sending the invalid email response then it will increase the difficulty, time, and cost for the hacker declining the bad impacts of the attack and still lets you comply with the RFC. This security feature of Hub Transport and Edge Transport server is often termed as tarpitting, which needs Recipient Filter Agent to be installed and activated.

Recipient Filter Agent comes pre-installed on the Edge Transport Server; therefore, tarpitting is already activated on it. However, you have to install the Recipient Filter Agent with Administrative privileges on Hub Transport server for enabling tarpitting in your Exchange server and then you can configure it. Please note Recipient Filter Agent comes pre-installed for both Hub Transport and Edge Transport servers on Exchange 2013.

Using Dual Firewall Topology

Instead of using a single firewall, it’s recommended to use the dual firewall topology and employing the Edge Transport server for securing the default internet-facing Hub Transport server. The following diagram describes how to employ this topology.


Figure 3: Dual Firewall Topology

Here, the main and internal Microsoft Exchange server is hidden behind two firewalls. The External Exchange Server secured behind the internal firewall is, in fact, a relay of the main server. It doesn’t contain any mailbox, any information, or any public folder. It can be easily sacrificed during an attack in order to save the main Exchange server and can be easily rebuilt. When an email arrives through external zone, it is first received by the first external firewall at the default port 25 and then routed to the Edge Transport server. Here, the email is scanned using Content Scanner, Virus Scanner and Anti-Spam. Then it is signed with the digital certificate and routed through the internal firewall to reach the original internal Exchange server. Here, the Administrators can change the port, maybe to 1024.

How to recover a damaged server?

If your server is attacked with the malicious code and all the valuable information is at stake, then the best option is to replace the existing mailboxes with the previously taken latest backup. If you’ve not taken any backup earlier and now mailboxes are corrupted, you can opt for any third party tool.

Conclusion

It’s a mandate to keep your email exchange server updated with all the latest updates, security patches, and fixes. You can even turn on the WSUS (Windows Server Update Service) to automate this task. Encrypting the contact information published on the Websites and usage of tarpitting allows you to defend the email harvesting attack. In addition, you can employ dual firewall topology to defend your main internal Exchange server from malicious email attacks.