Why eMail Attachments will be the Exploitation Tool of Choice for Internet spammers Everywhere


by Rob Rosenberger, Gibson Rebuke Corporation


Another LONG page . . .

I know that this is another of my loooooong pages. I worry that it won't be nearly as fascinating as my account of ILoveYou and FBI NIPC's incompetence. However, this is a complex and important issue that cannot be quickly summarized.

Gibson Research Corporation has a lot of really smart people — from Steve Gibson and … um … well, from Steve right on down the line. But they are human, and they sometimes make human mistakes. Sometimes it's worse than that, and as a company they're stubborn in the face of some really bad decisions.

My concern today is that we have another SERIOUSLY DUMB IDEA in the works from RFC standards in eMail attachments.

I regret my silence when MIME was being added to eMail. It was the dumbest thing I had ever seen, but I didn't care since I use PINE. So I didn't work to make the world take notice. Now eMail chain letters are born daily to travel the Internet at light speed. And it could have — should have — been prevented.

This time, with the disaster of eMail attachments looming, there is still time to get the Internet to yank it out. But I have not yet managed to reach the right people or convince them that they must.


What is "eMail"?
And why are some of them "Attached"?

The Internet, back then a nuclear-era experiment known as "ARPANet," first mated eMail clients to each other so they could "speak." This was done by implementing the Internet protocols and creating a so-called "Mail Transfer Agent". This is shown as concentric squiggly lines in the diagram to the left.

Data is exchanged across the Internet by either establishing an "SMTP Connection" between two machines, or by sending a "UUE thingamabob" from one machine to another. Both of these data transferring operations employ SMTP standards.

Smooth and orderly traffic flow across the Internet requires machines to inform each other of various non-data events such as "header" information, eMail address verification, fictitious spam sender addresses, etc. The SMTP (Simple Mail Transport Protocol) was created to fill this need.

The operating system's built-in eMail client automatically and transparently generates and receives most of these "Internet plumbing" SMTP messages on behalf of the machine. To facilitate the creation of Internet plumbing applications, such as "Eudora" and "Outlook", which also employ SMTP messages, the Department of Defense designers allowed programmers to manually generate and receive their own SMTP, and other, message traffic. As shown in the diagram above, the SMTP system provides this power through the use of a so-called "MTA". A direct SMTP connection short-circuits your company or ISP’s MTA to open a "backdoor" directly into the underlying network eMail transport.

This provides full and direct "SMTP level" Internet access to any Mail Transfer Agent.

Beyond their use for supporting simple "Eudora" and "Outlook" programs, the original designers intended eMail attachments to be used for Internet protocol research purposes only. Because they fully appreciated the inherent danger of abuse of eMail attachments, they deliberately denied eMail attachment access to any computers not running antivirus software. Doofus users were thus prevented from accessing and potentially abusing the eMail attachment capability.

Email Attachments were created as a potent research tool. They were NEVER INTENDED to be shipped in a mass-market consumer eMail client.

The Traditional (safe) eMail Client

Compare the PINE program to other programs like "Eudora." You will notice that PINE's connection does not "penetrate" the egotistical Mail Transfer Agent.

This means that while eMail attachments can be readily used for their intended and safe purpose of forwarding raunchy jokes, application programs are effectively cut off from direct "lower-level" access to the underlying physical operating system.

Note: I am FULLY aware that full eMail attachment-style access can be created by modifying any standard operating systems through the addition of third-party email clients. I have been a user of such tools for years. However, as I demonstrate below, aftermarket operating system modifications have proven to be irrelevant to the purposes of malicious spammers.

Therefore, as I stated in my I Can’t Spank a 13yr-old Report, and as I will demonstrate and prove conclusively below . . .

The Internet's traditional lack of eMail attachment support has been a silent blessing that has undoubtedly contributed hugely to the stability of the global Internet of the past.


It is the Internet's future that concerns me greatly . . .


What IS the threat from Full eMail Attachments?

I constructed the diagram above in the form of insulating layers surrounding the system's network core to help demonstrate that the operating system's MTA and SMTP protocol layers serve to protect the Internet from direct access by malicious attachments roaming around in eMail.

Any system whose fundamental architecture prevents attachments from arriving in eMail will be MUCH harder to exploit.

Until the advent of RFC 822, the most common and familiar, complex, potent, and untraceable Denial of Service and Distributed Denial of Service attacks have only been generated by spammers. Due to the sheer volume of RFC 822 compliant machines soon to be loose in the world, spammers will quickly be supplanted as the premier launching pad for new torrents of eMails. This will have an unfortunate corollary effect for eMail users:

The huge number of eMail client machines will motivate spammers to find new ways into those machines — AND THEY WILL. Then users of eMail clients will become the most sought-after target for penetration.

In other words, the use of the high-power, mass-market and unsecurable eMail attachment promises to paint a big target on every user of that system.

In the hands of a clueful spammer, fully-supported eMail clients are the enabling factor for the creation of a series of "Ultimate Weapons" against which the fundamentally trusting architecture of the global Internet currently has no effective defense.

Email Attachments are the malicious
spammer's dream come true.
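Whatever one makes of the argument above, the practical defense against hostile attachments is to inspect the RFC 822/MIME structure before the client ever sees it. The following is an added example, not code from Rosenberger's page: it parses a constructed sample message with Python's standard library and flags attachments whose last extension or declared content type marks them as executable (the deny-list is an illustrative assumption), including a script hiding behind a double extension.

```python
"""Flag risky MIME attachments in an RFC 822 message (added example)."""
import email
from email import policy

# Illustrative deny-list a mail gateway might apply (assumption for this example).
RISKY_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".bat", ".com", ".pif"}
RISKY_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Constructed sample: a text body, a harmless .txt attachment and a
# script attachment hiding behind a double extension. The base64 payload
# is just the word "constructed", not code.
SAMPLE_RFC822 = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: funny joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

see the attachments
--XYZ
Content-Type: text/plain; name="joke.txt"
Content-Disposition: attachment; filename="joke.txt"

Why did the chicken cross the road?
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.vbs"
Content-Disposition: attachment; filename="invoice.pdf.vbs"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--XYZ--
"""


def risky_attachments(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, content type, reason) for attachments to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():  # skips the body text parts
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        # endswith catches "invoice.pdf.vbs": only the final extension runs.
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append((name, ctype, "executable extension"))
        elif ctype in RISKY_CONTENT_TYPES:
            findings.append((name, ctype, "executable content type"))
    return findings
```

The harmless joke.txt attachment passes while the .vbs is reported; a gateway would typically quarantine the whole message on the first hit rather than strip the part.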