Gordano Mail Server exploit (NTmail)

["Geoincidents" <geoincidents () getinfo org>]

There is an exploit for NTmail also known as GMS where it is possible to
pass a mail containing content that you have chosen to block to the users on
the system. From my testing it appears to affect versions 5, 6, and 7 of
NTmail and GMS version 8 both with and without the recent base64 patch. (a
patch that was released only after that other exploit was made public on the
security lists)

Example:

You have setup an rwords filter to block webbugs, I'll assume you know what
webbug code looks like, and when an email is set to a GMS server with this
code in it the email is accepted, then scanned, then bounced back to the
sender with a bounced message.

By making both the TO and FROM address the address of your target you can
bypass these filters and the restricted content will be delivered as a
bounced email to the target address and appear to be an email the target
sent out so users are likely to open it to see which of their emails
bounced. Upon opening it the webbug will expose them.

Spammers also can use this technique to deliver their spams, making the
filters on GMS useless for blocking spams.

In my opinion, if the mail triggers the filters it should never, under any
circumstances, be delivered to the users of the system.

To date, Gordano has refused to even acknowledge that this is a problem. I
am hoping that posting this issue to the security lists will at least alert
admins of GMS and NTmail to the problem.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html