POP3 and (password) security... (Part 2)

After writing "POP3 and (password) security", I received a few e-mails asking me about the potential consequences of someone knowing (learning) your e-mail password…

Well, it depends on the (e-mail) system. The most obvious consequence is that someone other than you can now read your e-mail. Each of us has to decide whether that is bad, and how bad.

<funny mode = "on"> 
Personally I wish someone would guess my password and read my e-mail in hopes of this person responding to some of them instead of me... ;-) ...
</funny> 

The next thing we have to ask ourselves is: where else do we use this same username and password? At a time when single-sign-on systems are more and more popular, one password is used to access your e-mail and other (corporate) systems that might be holding sensitive data. 

Last but not least, and a too often underestimated consequence: some e-mail systems are configured (some of them by default) to allow relaying of any e-mail if the client successfully authenticates. 

What is e-mail relaying?
In general, e-mail servers will only accept inbound e-mail messages where the "Mail to:" ("rcpt to:") field matches a domain name that the e-mail server is "responsible" for. In my case this would be anything ending with "@krneki.net". E-mail messages with a destination address other than "@krneki.net" should get rejected.

Knowing a username and password would allow anyone to authenticate against the e-mail server (SMTP service) and submit messages destined to any other domain, such as "@gmail.com", making the server accept and relay those messages to other e-mail servers. 
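An added example (not code from the original post): the relay rule described above written as a policy function, plus a check over constructed log lines that flags an authenticated account relaying to many external domains, which is the pattern a stolen password produces. The function names, the log line format and the threshold are assumptions.

```python
"""Relay policy check and a simple abuse detector for authenticated relaying.
Added example, not code from the original post; the log line format is constructed."""
from collections import Counter

# Domains this server is "responsible" for (taken from the post).
LOCAL_DOMAINS = {"krneki.net"}

def rcpt_domain(address: str) -> str:
    """Return the lower-cased domain part of an RCPT TO address (with or without <>)."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()

def relay_decision(rcpt: str, authenticated: bool, local_domains=LOCAL_DOMAINS) -> str:
    """Apply the rule from the post: accept mail for local domains from anyone,
    accept mail for any other domain only from authenticated clients, else reject."""
    if rcpt_domain(rcpt) in local_domains:
        return "accept"
    if authenticated:
        return "relay"      # this is exactly what a leaked password unlocks
    return "reject"         # e.g. "554 relay access denied"

# Constructed log lines: "<account> <rcpt>" for each RCPT accepted from an
# authenticated client. "bob" looks like an account being misused for relaying.
SAMPLE_LOG = """\
alice friend@gmail.com
alice bob@krneki.net
bob victim1@example.org
bob victim2@example.net
bob victim3@example.com
bob victim4@example.org
bob victim5@example.net
""".splitlines()

def flag_relay_abuse(log_lines, threshold=3, local_domains=LOCAL_DOMAINS):
    """Count relays to external domains per authenticated account and return the
    accounts at or above the threshold (assumed value), sorted by name."""
    external = Counter()
    for line in log_lines:
        account, rcpt = line.split()
        if rcpt_domain(rcpt) not in local_domains:
            external[account] += 1
    return sorted(a for a, n in external.items() if n >= threshold)

if __name__ == "__main__":
    print(relay_decision("someone@gmail.com", authenticated=False))  # reject
    print(relay_decision("someone@gmail.com", authenticated=True))   # relay
    print(flag_relay_abuse(SAMPLE_LOG))                              # ['bob']
```

In a real deployment the same count would be taken per account over a time window from the MTA's own logs, and a flagged account is a reason to reset that password, not just to block the traffic.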


This is bad for a few reasons:

  • It will consume all available resources (e.g. hard disk space, bandwidth, delivery queues)
  • It is very likely that your public IP address will end up on a spam list (blacklist), preventing delivery of your legitimate e-mail messages to your partners and customers

Such attacks against e-mail servers are not uncommon and are popular enough to get mentioned on Wikipedia!
