Raptor 6.0[1] SMTP-Proxy - Anti-Relay bug

["Holger Heimann" <hh () it-sec de>]

28 Mai. 1999.
I get back to an issue we mentioned here some two weeks ago, concerning a
bug in the Raptor 6.0 and 6.01 Firewall.


Description:
------------
The Raptor 6.0 and 6.01 SMTP-Proxys anti-relay mechanism does not work
properly for some UUCP-Style addresses. Even with a correctly set "Recipient
Domain" in the "SMTP Rules Properties" tab, an outside user can use the
internal Mail-Transfer-Agent (MTA) to send EMails to the internet
("Relaying").

This is at least true for one particular UUCP-Style E-Mail addressing
nomenclature, provided the internal MTA is capable of handling those styles
(which is in turn at least true for probably all flavours of sendmail).

AXENTs Response:
----------------
We explained the details to AXENT/Raptor who (unexpectedly) replied almost
immediately (appreciated).

AXENT confirmed the problem and announced to fix it with the next patch.


What can happen?
----------------
Your Mailserver may be misused as a relay for distributing (many, many)
e-mails to the internet. This would happen on your expenses regarding cost
and reputation (depending on the content).

Since this particular kind of addressing scheme is obviously not handled in
the Raptors SMTP-proxy (read: "probably passed through"), it might be
possible to exploit potential vulnerabilities in the MTA this way also.
However, we do not have any knowledge whether there are related
vulnerabililies in sendmail and other MTAs or not, so this is (for the
moment) theoretical.


How do I know?
--------------
We refrained from offering a online-check via WWW since it could easily be
misused. We also do not want to give the complete SMTP dialog here for a
simple reason: we want to keep script-kiddies from playing around - the bad
guys know what to do, anyway. (But we are sure that somebody will post it to
proof his/her knowledge, anyway).

So, ask your local Firewall guru to check the problem for you.


What to do?
-----------
If you are really concerned about the problem, reconfigure your MTA as far
this is  possible. Sendmail allows to be configured against relaying, other
MTAs probably do also. You have to read the documentation. (Note, that this
is not the solution. It's the Firewalls part to handle such problems!)

The second option is to just wait for the next Raptor patch from AXENT.

If you are paranoid, you may also stop all inbound SMTP traffic, but this
would probably be inadequate, depending on your policy.



With best regards
Holger Heimann
hh () it-sec de

---------------------------------------------------------------------------
Online NETBIOS Vulnerability Check: http://www.it-sec.de/vulchk.html
---------------------------------------------------------------------------
ibh - Ingenieurbuero Heimann                 Phone : +49-(0)731-93579-200
o Sicherheit in der Informationstechnik      Fax   : +49-(0)731-93579-111
o Datenschutz                                EMail : info () it-sec de
o Softwaretechnologie                        URL   : http://www.it-sec.de
Sedanstr. 10, D-89077 Ulm                    Postfach: 2908,  D-89019 Ulm
---------------------------------------------------------------------------