
Title: WebShield SMTP infinite DoS Attack
Released by: Scott Pery
Date: 18th August 2000
Description:

A DoS attack is very easy to implement on most WebShield SMTP setups. Sending E-mail with a "From: " address that includes a period after the domain name will cause an infinite loop that uses up resources until the server finally crashes. When restarted, the machine will continue to crash until the offending E-mail is manually removed.

Details:

The problem occurs because WebShield SMTP does not recognize that "domain_name.com" and "domain_name.com." are equivalent. Both are valid forms of a fully qualified domain name (FQDN); with the trailing period it is referred to as a rooted FQDN. Both forms should work with all mail clients and servers, although the trailing "." is rarely used in practice (except in DNS maintenance).

When a WebShield SMTP server is set up to accept incoming mail, it is typically configured to recognize at least one local domain. This is necessary since WebShield SMTP is placed in front of the real SMTP server. For example, if you run the domain "domain_name.com", you would configure WebShield SMTP to send all mail for "domain_name.com" to your real SMTP server.

The problem arises when mail is sent to "user@domain_name.com.", which is an acceptable way to address the mail. WebShield SMTP does not recognize that "domain_name.com." is a local address (even though it knows that "domain_name.com" is). So it looks up the MX record for "domain_name.com.", which points to the WebShield SMTP server (it always will; that is how the mail got there in the first place). It then sends itself a copy of the message, adding a "Received: " line (per RFC 821/RFC 822). The message continues to be sent to itself, growing each time as a new "Received: " line is added. As the file gets larger (to several megabytes), more and more CPU time is required to process and scan the E-mail, and more and more disk space is used for the E-mail itself and the log files.

In one example, a short E-mail was looped through the WebShield SMTP server over 37,000 times in under a day, growing to 4 megabytes. This was using WebShield v4.5. This can only be reproduced on a machine that has an MX record pointing to it (a test machine normally cannot reproduce it).

The Attack:

Send a mail to "anything@domain_name.com.".

Work Around:

The workaround is simple. In the delivery options for Remote Send, under the Direct Send option, add "domain_name.com." as one of the domain names to route to the local mail server. Do this for every domain name your mail server handles.
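As an added example (not code from the advisory and not WebShield's own code), the following Python models the local-domain check and the self-relay loop from the Details section, and beside it the hardened check that treats the rooted FQDN "domain_name.com." as equal to "domain_name.com", which is what the Work Around above achieves by configuration. The hostnames, the sample message, the `simulate_delivery` helper and the hop limit are assumptions made for illustration.

```python
"""Added example (not from the advisory or from WebShield): a minimal model of the
local-domain check and the self-relay loop described in the advisory, with the
hardened check that treats a rooted FQDN ("domain_name.com.") as equal to
"domain_name.com".  Names, sample message and the hop limit are assumptions."""

LOCAL_DOMAINS = {"domain_name.com"}  # constructed config: one local domain

# Constructed sample message, addressed to the rooted form of the local domain.
SAMPLE_MESSAGE = (
    "From: sender@example.net\n"
    "To: anything@domain_name.com.\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)


def domain_of(address):
    """Return the domain part of an RFC 822 style address (text after the last '@')."""
    return address.rsplit("@", 1)[1]


def is_local_naive(address, local_domains=LOCAL_DOMAINS):
    """Exact-string match, the behaviour the advisory describes: 'domain_name.com.'
    is not in the configured set, so mail for it is treated as remote."""
    return domain_of(address) in local_domains


def normalize_domain(domain):
    """Canonical form for comparison: case-folded, trailing root dot removed,
    so 'Domain_Name.COM.' and 'domain_name.com' compare equal."""
    return domain.lower().rstrip(".")


def is_local_hardened(address, local_domains=LOCAL_DOMAINS):
    """Match on the normalized domain so both FQDN forms are recognized as local."""
    wanted = {normalize_domain(d) for d in local_domains}
    return normalize_domain(domain_of(address)) in wanted


def count_received(message):
    """Number of Received: trace lines, i.e. how many hops the message has taken."""
    return sum(1 for line in message.splitlines() if line.startswith("Received:"))


def relay_once(message, hostname="webshield.domain_name.com"):
    """Model one relay hop: prepend a Received: line as RFC 821/822 requires."""
    hop = count_received(message) + 1
    return f"Received: from {hostname} by {hostname} with SMTP; hop {hop}\n" + message


def simulate_delivery(rcpt, message, local_check, max_hops=None, rounds=100):
    """Deliver `message` for `rcpt` through a relay that uses `local_check`.

    Returns (outcome, hops_taken, final_size_in_bytes).  With the naive check and
    no hop limit the message is re-sent to itself every round and keeps growing,
    which is the advisory's infinite loop.  `max_hops` is an assumed defence in
    depth: a Received: count limit of the kind MTAs use to break mail loops."""
    for hop in range(rounds):
        if local_check(rcpt):
            return ("delivered_local", hop, len(message))
        if max_hops is not None and count_received(message) >= max_hops:
            return ("bounced_loop", hop, len(message))
        # Domain treated as remote: the MX lookup for it points back at this
        # host, so the relay sends itself a copy with one more Received: line.
        message = relay_once(message)
    return ("still_looping", rounds, len(message))


if __name__ == "__main__":
    rcpt = "anything@domain_name.com."
    print(simulate_delivery(rcpt, SAMPLE_MESSAGE, is_local_naive))
    print(simulate_delivery(rcpt, SAMPLE_MESSAGE, is_local_naive, max_hops=30))
    print(simulate_delivery(rcpt, SAMPLE_MESSAGE, is_local_hardened))
```

Listing "domain_name.com." explicitly in the local set, as the workaround does, makes even the exact-match check pass; normalizing the domain before comparison fixes the whole class of rooted/unrooted and case mismatches at once. Independently of either, a cap on the number of Received: lines turns a delivery loop into a bounce instead of a crash.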








(C) 1999-2000 All rights reserved.