Messaging Security Threats


Spam continues to be the major threat affecting email systems today.
The term Spam is used to define junk email messages that are usually sent out in high volumes to thousands of users at a time.
SPAM Invasion
Below contains some examples of some HTML-based filter evasion tactics,

  • Tiny or invisible text that is unseen by the recipient but still constitutes the content of the message.
  • Obfuscated URLs which make it harder to create filters that look for specific spam web pages.
  • Embedded HTML comments are another way to introduce an infinite amount of randomization the message
  • This is also the idea behind inserting random strings of characters and inserting white text on white backgrounds

One way spammers deal with the concealment issue is by using open relays or identity-masking relays. One application of such a technique is the misuse of open proxy servers. Open proxy servers are misconfigured or virus-infected computers that allow traffic for virtually any network service to be channeled through a compromised machine.

With image spam, the email advertisement or call to action appears in the form of an image in the message rather than in text.
Image spam is often used in so-called “pump and dump” campaigns. The goal of this activity is designed to boost the price of stocks, once done they will sell their stocks at a profit.

Attachment Spam
Attachment spam is one of the latest methods of method of spamming . In these attacks, spammers use attachments to send images instead of embedding them in the body of the email message.

Malware refers to software designed to infiltrate or damage a computer system, without the owner’s consent. There are many different types of malware that infect email traffic, including  worms and Trojan Horses. Spyware and adware are more recent variants.

Phishing and email fraud attacks
A quickly growing and dangerous type of spam are phishing attacks. Phishing attacks send emails that resemble official messages sent by a real banks, online merchants, or online auction services, usually asking for personal information such as user name and passwords, credit card numbers, and social security numbers.

Directory Harvest Threat
Directory Harvest attempts are a common form of attack. These attacks are designed to “harvest”  or obtain legitimate email addresses within a domain. The spammer will send out a massive amount of emails to randomized addresses. Email addresses are determined “active” if no undeliverable notifications are received by the spammer. Email addresses that are successfully harvested in these attacks are usually later targets for spam advertisements and fraud attacks.

Denial of Service (DoS) Attacks are undertaken with the intent to completely take down an organization’s email system. They work by sending a very large number of emails to an address or domain, in the hopes that the email system is overwhelmed and shuts down.

Bounce / Spam Blowback Attacks
Misdirected bounce attacks are another variant of email attacks that can quickly overwhelm an email system.  This is were a spammer will send a spoofed email. Due to this being spoofer any deliverable notifications will be sent back to the spoofed domain rather then the spammer.


  • SPF (Sender Policy Framework) – This works by verifying which users of a particular domain are able to send emails. SPF records contain a list of verified users and these records are published within the domains DNS Zone.
  • Sender ID – This initiative is derived from SPF but was rejected by the Internet Engineering Task Force.
  • Domain Keys (DKIM) – Developed by Yahoo! and is based on public authentication keys generated by each domain to verify the sender and recipient. Since this also verifies the recipient, it is more secure than other prevention methods, but is also more complicated.
  • Additional Notes – Although these authentication methods can be quite effective in stopping email threats, they can only be truly effective if they are widely accepted throughout the industry.

IM Threats

IM worms, also referred to as SPIM, pose a very unique type of threat to the enterprise for four reasons:
The amount of IM worms has increased alarmingly over the past year. Many organizations are not prepared for IM worms, and malware authors have adopted IM as a method of propagation
IM worms spread more rapidly than older threats. Because of the real time nature of instant messaging, IM worms can spread throughout the enterprise in minutes, rather than hours.
IM worms use social engineering. When you receive an IM worm it typically appears as a message from a contact you are familiar with because you are on their buddy list. A threat on your machine will look on your contact list and start contacting people you know. Most worms include text to tempt the user into clicking on the suspect URL. There is a much greater uptick in people clicking on malicious links (about 30%) because people tend to trust messages from people they’re familiar with.
Worms generally present themselves as URLs with some socially engineered text to temp you to click on the URL. All IM worms tends to follow a very specific behavioral pattern, described below:

  1. The first user to get infected is typically external.
  2. Once a machine is infected, the worm will perform the specific action it was designed to take, and then it cracks open the buddy list of the IM client on that machine
  3. The worm then broadcasts itself as an IM message to everyone on the infected user’s buddy list. Every contact on that buddy list will receive an IM from this contact (someone they know) containing the URL and the tempting text. For example, it might say “Hey, check out the pictures from last weekend!”
  4. IM in intrusive. It will take over the focus controls of the recipient. So, when you receive a worm IM it will always appear immediately on your screen, and you know (and trust) the person who sent it to you because you are on their buddy list. Many people will choose to click on this URL, which will likely download the worm to their PC
  5. Once a worm recipient clicks on the URL and downloads the worm to their PC, the entire process will repeat itself. The worm will be sent to each contact on their buddy list. This is how a worm can propagate so rapidly.
Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial