Bugtraq mailing list archives
Attacks using pop
From: alan () manawatu planet org nz (Alan Brown)
Date: Tue, 4 Jun 1996 17:25:49 +1200
This is a slightly different form of denial of service attack. I haven't been on the list long so I don't know if it's been discussed before.

Eudora and Pegasus both have timeouts of around 2-3 minutes when collecting mail via POP. This can cause problems on dialup accounts or on heavily loaded mail servers if the user's mailbox exceeds 2Mb or so.

When the user POPs to collect mail, the mailbox is first copied into ~mail/.user.pop (or ~mail/poptmp/.user.pop depending how you've configured at compilation). The original mailbox is then zeroed.

If the collecting client times out, the ~/user.pop is appended back onto ~/user.

If the client times out while the .user.pop file is being built, ~/user isn't zeroed but ~/.user.pop is still appended.

See the problem? You end up with a situation like this:

1: Eudora times out while collecting an overly large mailbox
2: Mailbox is appended onto itself
3: Goto 1

The only solution currently is to adjust network timeouts in Eudora and Pegasus. This may be a problem with other POP clients but these are the only 2 used here.

We have 2-5 instances of this each month, mostly due to someone being mailed an 8-10Mb file they weren't expecting (which is another denial of service attack of a type because they're charged per Mb of data sent/received).

Usually we only notice this when we run out of disk space and the user's mail and .pop files are corrupted due to lack of space. I've seen one mailbox grow to 420Mb under these conditions. :(

AB
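Added example, not part of the original post and not popper's own code: a small Python model of the timeout cleanup described in the message, beside a guarded variant that restores the drop file only when the spool was actually zeroed. The byte budget standing in for the client timeout, the function names and the mailbox sizes are assumptions.

```python
import os
import tempfile


def timed_out_session(spool, drop, copy_budget, guarded):
    """Model one POP session that ends in a client timeout.

    copy_budget: bytes the server copies into the drop file before the
    client gives up (assumed stand-in for the 2-3 minute timeout).
    """
    with open(spool, "rb") as f:
        mailbox = f.read()
    copied = mailbox[:copy_budget]
    copy_finished = len(copied) == len(mailbox)
    with open(drop, "wb") as f:
        f.write(copied)
    if copy_finished:
        open(spool, "wb").close()  # original mailbox is zeroed only now
    # Timeout cleanup. Behaviour from the post: the drop file is appended
    # back even if the spool was never zeroed. Guarded variant: restore
    # only when the spool was zeroed, otherwise discard the partial copy.
    if copy_finished or not guarded:
        with open(spool, "ab") as f:
            f.write(copied)
    os.remove(drop)
    return os.path.getsize(spool)


def simulate(mailbox_bytes, copy_budget, attempts, guarded):
    """Return the spool size after each retry by the client."""
    with tempfile.TemporaryDirectory() as d:
        spool, drop = os.path.join(d, "user"), os.path.join(d, ".user.pop")
        with open(spool, "wb") as f:
            f.write(b"m" * mailbox_bytes)  # constructed mailbox contents
        return [timed_out_session(spool, drop, copy_budget, guarded)
                for _ in range(attempts)]


if __name__ == "__main__":
    print("as described:", simulate(1000, 400, 4, guarded=False))
    print("guarded:     ", simulate(1000, 400, 4, guarded=True))
```

A timeout that arrives after the copy has finished leaves the mailbox size unchanged in both variants; only a timeout during the copy makes the unguarded cleanup grow the spool on every retry.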