Despite the hoo-hah created by the conviction of teenager David Lennon for
email-bombing his ex-employer, he was a "rank amateur" and firms should be
prepared for more sophisticated and insidious attacks, say security experts.
Lennon, 19, was convicted this week under Section 3 of the Computer Misuse Act
of bringing down the mail server of UK insurer Domestic & General in 2004 by
sending five million emails reading 'You will die in seven days', a quote from
The Ring.
Domestic & General claimed that the attack cost the company £30,000 in
lost business.
Although Lennon could have received a five-year jail sentence under the Act,
the judge handed down a two-month curfew and an electronic tagging order.
Some observers believe that Lennon got off lightly. But so did his employer,
according to security experts who deal with increasingly sophisticated
email-bombing and denial of service (DoS) attacks and theft of intellectual
property and personal data by insiders.
"[Lennon's] attack was relatively simple: it would have come from a single IP
address making it easy to block and easy to identify where it came from," said
Matt Sergeant, senior anti-spam technologist at security firm MessageLabs.
Lennon used a commercial mass-email package called Avalanche. The software is
no longer available but was used legitimately by electronic direct mail
agencies.
Even though he spoofed the email addresses of employees of Domestic & General
and Microsoft chairman Bill Gates, tracing the sending IP address was a
relatively easy task.
Modern mail-bomb and DoS attackers are professional cyber-criminals who rent
zombie networks from black-hat hackers, launching concerted attacks from
multiple IP addresses using innocent PCs infected with Trojans.
Sergeant said that he has seen networks of 10,000 zombie PCs offered for as
little as £50 a day.
Targeting web-dependent businesses, the criminals then extort money by
offering to cease the attack if the company pays a protection fee.