
[Full-Disclosure] SMTP non delivery notification DoS/DDoS Attacks



Dear list members,

My colleagues and I have been doing some research into mail-related 
vulnerabilities over the last month or two.  We discovered that a problem 
exists within the way non-delivery notifications are sent from many SMTP mail 
servers.  This problem can be successfully (and rather easily) turned into an 
effective denial of service (DoS).  The vulnerability affects many of the 
popular SMTP commercial offerings, but is dependent upon their configuration.  
In general, larger organisations tend to be more vulnerable.

The authors had planned on releasing this analysis after the Easter break.  
Unfortunately we have noticed that a popular vulnerability discussion forum has 
already begun discussing the vulnerability in a fashion which may lead 
to attacks over the long weekend.  Therefore we have found it necessary to 
release the paper sooner in an effort to allow developers and administrators to 
secure their SMTP mail services in time.

This vulnerability appears to affect around 30% of our main study group (the 
Fortune 500), and has significance to all essential e-mail communications.  The 
authors have proved that this vulnerability can be easily exploited and can be 
used to DoS almost any SMTP service on the Internet.  By utilising multiple 
vulnerable SMTP servers, a distributed DoS is possible, and can be used to 
cause the loss of mail services (and in extreme cases all Internet 
connectivity) to any organisation.

Paper Abstract:
Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail 
servers has revealed a common implementation fault that could form the basis of 
a new range of DoS attacks.  Our research in the field of e-mail delivery 
revealed that mail servers may respond to mail delivery failure with as many 
non-delivery reports as there are undeliverable Cc: and Bcc: addresses 
contained in the original e-mail. Non-delivery notification e-mails generated 
by these systems often include a full copy of the original e-mail sent in 
addition to any original file attachments. This behaviour allows malicious 
users to leverage these mail server implementations as force multipliers and 
flood any target e-mail system or account.

The paper is available from:

http://www.techzoom.net/mailbomb

--

best regards 

Stefan Frei
--------------------------------------------------------------
frei@xxxxxxxxxxxx [techzoom.net]
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
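
Added example (not part of the original post or the paper): a defender-side check for the behaviour the abstract describes, where one accepted message causes several non-delivery reports, each carrying a copy of the original, to go to the same return address. The record layout, queue ids, sizes and addresses are constructed assumptions, not a real MTA log format.

```python
from collections import defaultdict

# Constructed sample data, not taken from the paper. INBOUND maps the queue id
# of an accepted message to its size in bytes; OUTBOUND lists messages leaving
# the MTA. sender "" is the null reverse-path "<>" that bounces carry, and
# "origin" is the queue id of the message that triggered the bounce.
INBOUND = {"IN7": 500_000, "IN8": 2_000}
OUTBOUND = [
    {"sender": "", "rcpt": "victim@example.org", "size": 501_200, "origin": "IN7"},
    {"sender": "", "rcpt": "victim@example.org", "size": 501_200, "origin": "IN7"},
    {"sender": "", "rcpt": "victim@example.org", "size": 501_200, "origin": "IN7"},
    {"sender": "", "rcpt": "alice@example.net", "size": 3_100, "origin": "IN8"},
    {"sender": "bob@example.com", "rcpt": "carol@example.net", "size": 9_000, "origin": None},
]


def ndr_fanout(inbound, outbound, max_ndrs=1):
    """Return one finding per (origin, return address) pair that received more
    than max_ndrs bounces for a single accepted message."""
    groups = defaultdict(list)
    for rec in outbound:
        # Only bounces (null sender) tied to a known accepted message count.
        if rec["sender"] == "" and rec["origin"] in inbound:
            groups[(rec["origin"], rec["rcpt"])].append(rec["size"])
    findings = []
    for (origin, rcpt), sizes in sorted(groups.items()):
        if len(sizes) > max_ndrs:
            bytes_out = sum(sizes)
            findings.append({
                "origin": origin,
                "bounce_to": rcpt,
                "ndr_count": len(sizes),
                "bytes_out": bytes_out,
                # Bytes sent to the return address per byte accepted.
                "amplification": round(bytes_out / inbound[origin], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in ndr_fanout(INBOUND, OUTBOUND):
        print(finding)
```

A server that sends a single report per accepted message produces no findings here; bounce sizes close to the original message size indicate that the full message and its attachments are being returned.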