Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: I found this today and iam reporting it to you first!!! (fwd)

From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Sat, 4 Sep 1999 14:21:53 -0400

Scenario: mail from Scenario: mail from non-existent@domain1 to Scenario: mail from non-existent@domain1 to 
non-existent@domain2,
through SMTP servers that accept mail for non-existent addresses.

The poster suggests that the resulting bounce message will loop.
However, the poster fails to reveal the reasoning behind this.

Whatever reasoning the poster used, it is invalid with any reasonable
mail system, because it is the mail system that chooses the bounce
message originator address; the bounce message originator address
is not under control by the attacker.

In other words, the suggested loop does not exist.

        Wietse

Technical Incursion Countermeasures:

You can do a variation on this one (well sort opf - is a logstanding prob)

basically find two sites whose FW is conf'd to accept all mail and forward
it to the real mailserver. If this mailserver bounces invalid addresses
then you're on your way...

spoof a mail from an invalid address on one end to an invalid address on
the other. and sit back..

the first site will accept the mail (this is the fault - it should reject
if it is to comply with the IETF standard) and pass it inward, the
mailserver then sends an error message to the "sender"  and the same
process occurs at the other end...

Rate of messages depends on bandwidth - but you can expect at least 1/sec...

Of course you can multiply it if you send it to a list of recipients.. :}

cheers,

Bret

Technical Incursion Countermeasures
consulting () TICM COM                      http://www.ticm.com/
voice mail/fax: (+65)459 6373(UTC+8 hrs)

The Insider - a e'zine on Computer security Call for papers Vol 3 Issue 2
http://www.ticm.com/info/insider/index.html
Previous By Date Next
Previous By Thread Next

Current thread: