Experts warn of e-mail-bombing campaigns


28 August 2006

Despite the recent media furore created by the conviction of teenager David Lennon for e-mail-bombing his ex-employer, he was a “rank amateur” and firms should be prepared for more sophisticated and insidious attacks, say security experts.

Lennon, 19, was convicted under UK’s Section 3 of the Computer Misuse Act of bringing down the e-mail server of UK insurer Domestic & General in 2004 by sending five million e-mails reading ‘You will die in seven days’, a quote from The Ring.

Domestic & General claimed that the attack cost the company £30,000 (€44,400) in lost business. 




Although Lennon could have received a five-year jail sentence under the Act, the judge handed down a two-month curfew and an electronic tagging order.

Some observers believe that Lennon got off lightly. But so did his employer, according to security experts who deal with increasingly sophisticated e-mail-bombing and denial of service (DoS) attacks and theft of intellectual property and personal data by insiders.

“[Lennon’s] attack was relatively simple: it would have come from a single IP address making it easy to block and easy to identify where it came from,” said Matt Sergeant, senior anti-spam technologist at security firm Messagelabs

Lennon used a commercial mass-e-mail package called Avalanche. The software is no longer available but was used legitimately by electronic direct mail agencies.

Even though he spoofed the e-mail addresses of employees of Domestic & General and Microsoft chairman Bill Gates, tracing the sending IP address was a relatively easy task. 

Modern mail-bomb and DoS attackers are professional cyber-criminals who rent zombie networks from black-hat hackers, launching concerted attacks from multiple IP addresses using innocent PCs infected with Trojans.

Sergeant said that he has seen networks of 10,000 zombie PCs offered for as little as £50 (€74) a day.

Targeting web-dependent businesses, the criminals then extort money by offering to cease the attack if the company pays a protection fee.

“Often these are small companies that cannot deal with such attacks themselves. They are dependent on their website for their livelihood and so they pay up,” explained Sergeant.

Security software which monitors e-mail connections can only go so far, and companies should also deploy humans to monitor the monitors, looking for e-mail spikes and unusual traffic.

If they cannot afford to employ security personnel directly, this can be outsourced to IT security firms which will perform the task remotely.

However, a bigger risk than external attack by dedicated cyber-criminals or ex-employees is the theft of data by disgruntled current employees, according to Ken Rutsky, executive vice president of worldwide marketing at Workshare

Rutsky recommends the use of security software which helps to enforce network access policies, warning employees that certain actions, such as copying a customer list to a USB data-stick, will be audited automatically.

Such a deterrent could eliminate more than 90% of accidental or malicious data theft, said Rutsky.

However, all security experts warn against over-reliance on technology. Security is a management issue which starts with establishing, communicating and enforcing data access policies.

Lennon’s case has taken so long to reach a conviction because a judge threw it out in November 2005 ruling that, because Domestic & General’s mail server was set up to receive e-mail, Lennon had not abused it by sending e-mail, albeit five million of them in a few hours.

Read More:

Comments are closed.

Back to Top ↑