Now, let me introduce the attacks being discussed:

1. Internet worms and viruses.
2. Trojan content attacks.
3. Vulnerability exploitation attacks.
4. Information gathering attacks.
5. Address spoofing attacks.
6. Social engineering attacks.
7. Denial of service attacks.

Let's explain each of these groups.

Worms and viruses.

First, note the difference between a worm and a virus. An Internet worm usually tries to reproduce itself via the network. A worm usually comes as a standalone message, while a virus infects some useful file you may need to receive. That is why worms can usually be safely filtered without warning the end user, while files infected by a virus normally require the user to be notified. Of course, you may think that antiviral products should be used to stop worms and viruses. A few questions about antiviral products:

1. Does an antiviral product guarantee protection for you? The answer is: NO. An antivirus can only guarantee that a known virus or worm will be caught. Even if you update your virus databases daily, 48 hours may pass between a worm appearing in the wild and your antivirus being able to catch it.

2. Should you use antiviral products? The answer is: YES. They will help you identify whether malware content is a worm or a virus, and disinfect infected files.

There is one good thing about viruses and worms: they are known to be a good security indicator. If your network can be successfully attacked by a worm, it can be attacked by anyone. Viruses and worms are not discussed further in this paper.

Trojan content.

We can subdivide trojans into two groups: public trojans and private trojans. Public ones can be found on all those 3uPerM3G4H4xO2 websites :) They can be used by a script kiddie to get your dialup, e-mail or ICQ password. In an enterprise you should expect a private trojan, that is, a trojan never detected by any antiviral software, possibly written specially for you. After installation a trojan may perform any action: steal passwords, send keystrokes back to its master or execute any of the master's commands.
If the computer has no access to the Internet, the trojan may wait for commands in an e-mail message. Such a message may look, for example, like usual spam with an attached GIF.

Vulnerability exploitation attacks.

Any program has bugs. Some of these bugs are security related. An attacker can use these bugs to make MUA software perform some actions, and maybe to gain control over the user's machine. Vulnerability exploitation may be combined with trojan content to get that content executed automatically, without the user's intervention. You can find a lot of exploitation scenarios for Microsoft Outlook Express or Microsoft Outlook. But do not believe that holes exist only in Microsoft products.

Information gathering attacks.

The aim of an information gathering attack is to make the mail software "call back" to the attacker, bringing information about the user and his job functions, the software used, and the system and network configuration. How can this be obtained?

Embedding elements from outside sources into e-mail, or making the MUA launch a browser and visit some site where the user will be registered. An example is an image embedded into an HTML message and located on an outside server. This easy trick in most cases allows the attacker to discover the operating system and MUA version, and in some cases details about the user's mailbox, for example the user's login and the physical location of the mailbox (see the "Netscape 4.7x information retrieval" article at http://www.security.nnov.ru/advisories/netscape1.asp).

Tricking software into sending a reply. The reply message will help the attacker discover the OS, the software and, in many cases, the user's occupation. For example, try to spam some organization during the Easter holidays - you will get a lot of data about its organizational structure :).

Address spoofing attacks.
An example of an address spoofing attack can be found in "Microsoft Outlook Express address book vulnerability", http://www.security.nnov.ru/advisories/msoeab1.asp. But in many situations it is possible to perform nearly the same attack without exploiting any vulnerability, by using some social engineering tricks. The purpose of an attack like this is to make the user send information to an e-mail address different from the one he intends to send it to.

Social engineering attacks.

I think there is no need to explain what social engineering is. In many cases the easiest way to get some private information from a user is to fool the user into sending this information to you. The target of this attack is the user, which is why this attack is so hard to detect and protect against.

Denial of service attacks.

Denial of service attacks via e-mail may be subdivided into three groups: attacks based on software vulnerabilities, attacks based on software misconfiguration and DoS against the user. In fact, DoS is mostly the result of bad administration, even if it is caused by a software bug. The most common attack is mailbombing - sending a large amount of e-mail. In my tests no MUA (I have tested Microsoft products, The Bat! and Mozilla) was able to process a mailbox with 100000 messages via POP3. Putting 100000 messages into a mailbox does not always require sending 100000 messages over the network. Sometimes it is possible to do with a single message; for example, see "mailbox format incompatibility in (WU)imap with mail.local" and the different "unsafe fgets()" attacks at http://www.security.nnov.ru/advisories/

We will divide attacks into two classes: viruses, trojans and exploits we will call active content attacks, and information gathering, address spoofing and social engineering we will call passive content attacks. Active content is content which tries to get control over the user's host. Passive content is content which does not perform any actions itself but tricks the user into performing them on its behalf.
So, to protect against attacks of the first class we need to secure our desktop computers, while defense against the second class lies in defending the user. It is a bit harder to classify DoS attacks. We will not talk about this kind of attack specially, but will come back to them from time to time.
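The "call back" trick from the information gathering section above, seen from the defender's side: an added example (not code from the original paper or from security.nnov.ru) that scans the HTML body of a message for elements whose attributes make the MUA fetch something from an outside server. The tag/attribute table, the sample message and the host name tracker.example are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which an HTML message can make the MUA fetch a remote
# resource, and thereby "call back" to the sender's server with the reader's
# IP address, User-Agent and whatever was encoded in the URL.
REMOTE_ATTRS = {
    "img": ("src", "lowsrc"),
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "input": ("src",),
}

def is_remote(url):
    """True when fetching the URL would contact a network host."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    return scheme in ("http", "https", "ftp") or url.startswith("//")

class CallbackFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []  # (tag, attribute, url) for every remote reference

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and attr in REMOTE_ATTRS.get(tag, ()) and is_remote(value):
                self.remote.append((tag, attr, value))

def find_callbacks(html):
    """Return every remote reference found in an HTML message body."""
    parser = CallbackFinder()
    parser.feed(html)
    parser.close()
    return parser.remote

# Constructed sample: a tracking background, a 1x1 pixel whose URL carries a
# per-recipient id, a remote stylesheet, and a harmless inline (cid:) image.
SAMPLE = """<html><body background="http://tracker.example/bg.gif">
<p>Quarterly report attached.</p>
<img src="cid:logo@example" alt="logo">
<img src="http://tracker.example/pixel.gif?id=u12345" width="1" height="1">
<link rel="stylesheet" href="https://tracker.example/style.css">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_callbacks(SAMPLE):
        print(f"remote fetch via <{tag} {attr}>: {url}")
```

A gateway or MUA plugin can strip or rewrite the attributes this reports, which is what "do not load remote content" settings do for the user.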
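For the denial of service section above, an added example (not code from the original paper or the cited advisories) of how one delivered message can turn into many mailbox entries, and of the delivery-side fix. It assumes the mbox format's "From " separator-line problem is the kind of mailbox format incompatibility meant; the helper names and the sample body are constructed for the example.

```python
import re

# In mbox, every message starts with a line beginning "From " (the
# separator). A delivery agent that appends a body containing such lines
# without quoting them lets a mailbox reader see one message as several.
# (Assumed mechanism; the advisory referred to in the text is not on this page.)
FROM_LINE = re.compile(r"^From ", re.MULTILINE)

def deliver_unquoted(mbox, envelope_from, body):
    """Defective delivery: the body is appended verbatim."""
    return mbox + "From " + envelope_from + "\n" + body.rstrip("\n") + "\n\n"

def deliver_quoted(mbox, envelope_from, body):
    """Hardened delivery: body lines beginning 'From ' get the conventional
    '>' prefix, so the reader cannot mistake them for separators.
    (Simplified: a full implementation also escapes existing '>From ' lines.)"""
    quoted = FROM_LINE.sub(">From ", body)
    return mbox + "From " + envelope_from + "\n" + quoted.rstrip("\n") + "\n\n"

def count_messages(mbox):
    """Count messages the way a simple mbox reader does: one per separator line."""
    return len(FROM_LINE.findall(mbox))

# Constructed body: forwarded text whose lines happen to begin with "From ".
BODY = ("Subject: forwarded notes\n\n"
        "From Alice, earlier today:\n"
        "From the meeting notes:\n"
        "From what I recall the deadline moved.\n")

if __name__ == "__main__":
    print("unquoted:", count_messages(deliver_unquoted("", "sender@example", BODY)))
    print("quoted:  ", count_messages(deliver_quoted("", "sender@example", BODY)))
```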