Security questions related to emails and mail servers

  1. Can someone find your email without you sharing it with anyone? Like by scanning mail servers or
    something similar.
  2. In order to disrupt the service, can hackers just send thousands of emails to the mail address?

Hi Amit! Welcome to the community!

Yes, in simple terms, your email address can be brute forced by monitoring the response of the mail server.

The attacker uses a common word list or even systematically generates random strings using a brute forcing tool to see if the mail server rejects the address. If there is no error, bingo, you found an email address.

See here for common SMTP commands to try it yourself manually.

Most mail servers will delay their response to slow down an email harvesting attack. This is called tar pitting.

In terms of performing a denial of service on a mail server, that is indeed very possible. It doesn’t even have to be an email protocol. You can flood a server with any request that it needs to process or respond to in an attempt to overwhelm its resources. That’s part of the reason we close or block unused ports with a firewall.

Most services will also employ email delivery limits so that a flood of email will be slowed down. E.g. only allow 10 emails per second from a single source. Once you notice the attack, the source can be blocked. An interesting variation is where non delivery reports (NDR) are used instead of emails; this is called a “reverse NDR attack” and it can come from many different sources. The attacker pretends to be the target mail server by spoofing the address it’s coming from. It deliberately sends a flood of emails to addresses that don’t exist at various real domains. The other legitimate mail servers respond to the real (target) mail server with a non delivery report email. This way the flood of connections is coming from various legitimate sources. Tricky!

To combat this, most mail servers will stay silent when an incorrect address is used. This puts pressure on the sending server to manage a timeout and slows an email harvesting attack. Also, NDRs are usually disabled nowadays, so again the workload is on the originating server to generate an “undeliverable” error and your mail server can’t be leveraged to be a node in an RNDR attack.

It’s also common that mail services proxy their connections through a specialised security service that deals with these types of attacks, blocks general spam and inspects for virus payloads.

Hope that answers your question!

1 Like
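The answer above describes three defensive signals: a burst of “user unknown” rejections from one source (harvesting), a per-source delivery limit (the 10-per-second example), and a reverse NDR flood arriving as null-sender bounces from many legitimate servers. The following is an added example, not code from the thread or from any named product, that implements those checks over a small constructed log in Postfix-style layout; the log lines, IP addresses, queue IDs and thresholds are all assumptions made up for the demonstration.

```python
"""Defender-side checks for the attacks discussed above, run over a
constructed Postfix-style log (the layout and every value are assumptions)."""
import re
from collections import defaultdict

# Constructed sample log: one client probing four unknown recipients in a row,
# one partner server making a single typo, and three inbound bounces (from=<>)
# from three different legitimate-looking servers within a second of each other.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown; from=<probe@attacker.test> to=<aaron@example.org> proto=ESMTP
Mar  3 10:00:01 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown; from=<probe@attacker.test> to=<abby@example.org> proto=ESMTP
Mar  3 10:00:02 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abel@example.org>: Recipient address rejected: User unknown; from=<probe@attacker.test> to=<abel@example.org> proto=ESMTP
Mar  3 10:00:02 mx postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown; from=<probe@attacker.test> to=<adam@example.org> proto=ESMTP
Mar  3 10:00:03 mx postfix/smtpd[2315]: NOQUEUE: reject: RCPT from mail.partner.test[203.0.113.9]: 550 5.1.1 <jon.smith@example.org>: Recipient address rejected: User unknown; from=<hr@partner.test> to=<jon.smith@example.org> proto=ESMTP
Mar  3 10:00:05 mx postfix/smtpd[2320]: 4F1C2A: client=mx1.bigmail.test[192.0.2.10]
Mar  3 10:00:05 mx postfix/qmgr[2100]: 4F1C2A: from=<>, size=3120, nrcpt=1 (queue active)
Mar  3 10:00:05 mx postfix/smtpd[2321]: 4F1C2B: client=mx2.othermail.test[192.0.2.44]
Mar  3 10:00:05 mx postfix/qmgr[2100]: 4F1C2B: from=<>, size=2980, nrcpt=1 (queue active)
Mar  3 10:00:06 mx postfix/smtpd[2322]: 4F1C2C: client=mx.thirdmail.test[192.0.2.77]
Mar  3 10:00:06 mx postfix/qmgr[2100]: 4F1C2C: from=<>, size=3051, nrcpt=1 (queue active)
"""

# "User unknown" rejection at RCPT time: the signal a harvesting tool is reading.
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown")
# Accepted connection (queue id + client IP) and a null-sender envelope, which
# is what a bounce / NDR looks like on the wire.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[^\]]+)\]")
BOUNCE_RE = re.compile(r"qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<>,")


def harvesting_suspects(log, threshold=3):
    """Return {ip: distinct unknown recipients} for sources at or over threshold.
    Counting distinct addresses (not lines) keeps a retried typo from tripping it."""
    unknown = defaultdict(set)
    for m in REJECT_RE.finditer(log):
        unknown[m["ip"]].add(m["rcpt"])
    return {ip: len(r) for ip, r in unknown.items() if len(r) >= threshold}


def reverse_ndr_check(log, min_bounces=3, min_sources=3):
    """Correlate null-sender envelopes with the client IP that delivered them.
    Many bounces spread across many sources is the reverse NDR signature."""
    client_of = {m["qid"]: m["ip"] for m in CLIENT_RE.finditer(log)}
    bounce_qids = {m["qid"] for m in BOUNCE_RE.finditer(log)}
    sources = {client_of[q] for q in bounce_qids if q in client_of}
    return {"bounces": len(bounce_qids), "sources": len(sources),
            "suspicious": len(bounce_qids) >= min_bounces and len(sources) >= min_sources}


class PerSourceLimiter:
    """Token bucket per source IP: `rate` messages per second, burst of `rate`."""
    def __init__(self, rate=10.0):
        self.rate = float(rate)
        self.buckets = {}  # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.rate, now))
        tokens = min(self.rate, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False


def count_allowed(limiter, ip, n, now):
    """How many of n messages arriving at the same instant get through."""
    return sum(1 for _ in range(n) if limiter.allow(ip, now))


if __name__ == "__main__":
    print("harvesting:", harvesting_suspects(SAMPLE_LOG))
    print("reverse NDR:", reverse_ndr_check(SAMPLE_LOG))
    lim = PerSourceLimiter(rate=10)
    print("flood of 25 at t=0 ->", count_allowed(lim, "198.51.100.7", 25, now=0.0), "accepted")
```

The harvesting check keys on distinct rejected recipients per source rather than raw line counts, so a partner server that mistypes one address is not flagged while a client walking through a word list is. The reverse NDR check has to join two log lines by queue ID because the null sender and the client IP are logged by different Postfix processes; a bounce total alone is not enough, since a single misbehaving sender produces bounces from one source, whereas the attack the answer describes arrives from many.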

Thank you so much @bstimac , this was really really helpful.

Glad it helps. Your question made me recall the good old days being an admin for email servers and all the problems we used to have.

Are you studying for a security certification or were you just curious if it was possible?

I wanted to understand this because I see a few architecture patterns where emails are used to share important files and then are used as a trigger for other processes. Like if an email is received, then run a process. And thus the question comes to mind: whether it is secure? Can it be exploited? Is it still ok to use it in exceptional cases?

Using email as a trigger in event driven architecture is a common anti-pattern when other options are unavailable or unknown. It’s something I avoid if I can.

It’s fine if you are simply replicating a current manual process for automation. Of course, you will have the overhead of maintaining the email service that can grow quickly as well as the security considerations you are currently considering.

If you’re creating a brand new solution it’s far better to use protocols as they were intended. E.g. SFTP (or Managed File Transfer for some extra bells and whistles), SMB, NFS etc. to move files around. For events you can use API calls.

Here’s a write up about event driven API’s you might find interesting.