Full Disclosure mailing list archives

SMTP non delivery notification DoS/DDoS Attacks


From: "Stefan Frei" <stefan.frei () techzoom net>
Date: Mon, 5 Apr 2004 20:26:08 +0000

Dear list members,

My colleagues and I have been doing some research into mail-related vulnerabilities over the last month or two.  We 
discovered that a problem exists within the way non-delivery notifications are sent from many SMTP mail servers.  This 
problem can be successfully (and rather easily) turned into an effective denial of service (DoS).  The vulnerability 
affects many of the popular SMTP commercial offerings, but is dependent upon their configuration.  In general, larger 
organisations tend to be more vulnerable.

The authors had planned on releasing this analysis after the Easter break.  Unfortunately we have noticed that a 
popular vulnerability discussion forum has already begun discussing the vulnerability in such a fashion that may 
lead to attacks over the long weekend.  Therefore we have found it necessary to release the paper sooner in an effort 
to allow developers and administrators to secure their SMTP mail services in time.

This vulnerability appears to affect around 30% of our main study group (the Fortune 500), and has significance to all 
essential e-mail communications.  The authors have proved that this vulnerability can be easily exploited and can be 
used to DoS almost any SMTP service on the Internet.  By utilising multiple vulnerable SMTP servers, a distributed DoS 
is possible, and can be used to cause the loss of mail services (and in extreme cases all Internet connectivity) to any 
organisation.

Paper Abstract:
Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail servers has revealed a common 
implementation fault that could form the basis of a new range of DoS attacks.  Our research in the field of e-mail 
delivery revealed that mail servers may respond to mail delivery failure with as many non-delivery reports as there are 
undeliverable Cc: and Bcc: addresses contained in the original e-mail. Non-delivery notification e-mails generated by 
these systems often include a full copy of the original e-mail sent in addition to any original file attachments. This 
behaviour allows malicious users to leverage these mail server implementations as force multipliers and flood any 
target e-mail system or account.

The paper is available from:

http://www.techzoom.net/mailbomb

--

best regards 

Stefan Frei
--------------------------------------------------------------
frei () techzoom net [techzoom.net]
--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
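Added example (not part of the post or of the techzoom.net paper): a small Python model of the force-multiplier effect the abstract describes, with the per-recipient, full-copy bounce policy next to a hardened one (a single consolidated NDR quoting only a short excerpt, and SMTP-time recipient rejection so no bounce is produced at all), plus a detector that flags return-path addresses receiving an abnormal volume of NDRs from the local MTA. The message sizes, recipient counts, NDR overhead constant and the mail-log line format are constructed for illustration and are not figures from the paper.

```python
"""Model of SMTP non-delivery-report (NDR) amplification and two defences.

Everything here is constructed for illustration: the 500-byte NDR overhead,
the sample message, the local user list and the log line format are
assumptions, not measurements from the paper.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

NDR_OVERHEAD = 500  # assumed bytes of DSN headers/boilerplate per bounce


@dataclass
class Message:
    sender: str                 # envelope return path, where NDRs are sent
    rcpts: list[str]            # To/Cc/Bcc recipients after expansion
    body: bytes
    attachments: list[bytes] = field(default_factory=list)

    @property
    def size(self) -> int:
        return len(self.body) + sum(len(a) for a in self.attachments)


def undeliverable(msg: Message, local_users: set[str]) -> list[str]:
    """Recipients the receiving MTA cannot deliver to."""
    return [r for r in msg.rcpts if r not in local_users]


def bounce_per_recipient_full_copy(msg: Message, local_users: set[str]) -> dict:
    """Behaviour described in the abstract: one NDR per undeliverable
    recipient, each carrying the full original including attachments."""
    bad = undeliverable(msg, local_users)
    return {"ndrs": len(bad), "bytes": len(bad) * (NDR_OVERHEAD + msg.size)}


def bounce_once_headers_only(msg: Message, local_users: set[str],
                             excerpt: int = 1024) -> dict:
    """Hardened behaviour (assumed policy): a single consolidated NDR that
    lists every failed recipient, quotes at most `excerpt` bytes of the
    original body and never echoes attachments."""
    bad = undeliverable(msg, local_users)
    if not bad:
        return {"ndrs": 0, "bytes": 0}
    return {"ndrs": 1, "bytes": NDR_OVERHEAD + min(len(msg.body), excerpt)}


def reject_at_rcpt(rcpt: str, local_users: set[str]) -> str:
    """SMTP-time recipient validation: an unknown user is refused during the
    session, so the local MTA never accepts the message and never has to
    bounce it; any NDR is then the sending MTA's responsibility."""
    return "250 OK" if rcpt in local_users else "550 5.1.1 User unknown"


def amplification(result: dict, msg: Message) -> float:
    """Bytes sent back to the return path per byte originally received."""
    return result["bytes"] / msg.size


# Constructed mail-log format: the local MTA logs every bounce it emits.
LOG_RE = re.compile(r"bounce to=<(?P<dst>[^>]+)> size=(?P<size>\d+)")


def bounce_storm_targets(log_lines, max_ndrs: int = 20,
                         max_bytes: int = 1_000_000) -> list[str]:
    """Return-path addresses receiving an abnormal NDR count or volume from
    this MTA, a sign it is being used as a force multiplier against them."""
    count, total = defaultdict(int), defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            count[m["dst"]] += 1
            total[m["dst"]] += int(m["size"])
    return sorted(d for d in count if count[d] > max_ndrs or total[d] > max_bytes)


# Constructed sample: one valid recipient plus 50 bogus Cc addresses, a
# 1 kB body and a 100 kB attachment, all pointing back at the return path.
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
SAMPLE = Message(
    sender="victim@example.net",
    rcpts=["alice@example.org"] + [f"nobody{i}@example.org" for i in range(50)],
    body=b"x" * 1_000,
    attachments=[b"y" * 100_000],
)
VULNERABLE = bounce_per_recipient_full_copy(SAMPLE, LOCAL_USERS)
HARDENED = bounce_once_headers_only(SAMPLE, LOCAL_USERS)

# Constructed log excerpt: 25 full-copy bounces to one address, 2 small ones elsewhere.
SAMPLE_LOG = (["Apr  5 20:26:08 mx1 bounce to=<victim@example.net> size=101500"] * 25
              + ["Apr  5 20:26:09 mx1 bounce to=<other@example.com> size=1500"] * 2)

if __name__ == "__main__":
    print("per-recipient full copy:", VULNERABLE, f"x{amplification(VULNERABLE, SAMPLE):.1f}")
    print("consolidated excerpt   :", HARDENED, f"x{amplification(HARDENED, SAMPLE):.3f}")
    print("RCPT TO nobody1        :", reject_at_rcpt("nobody1@example.org", LOCAL_USERS))
    print("bounce-storm targets   :", bounce_storm_targets(SAMPLE_LOG))
```

Run as a script it prints the two policies side by side: the per-recipient policy turns one 101 kB message into 50 NDRs totalling about 5 MB (roughly a 50x amplification), while the consolidated policy returns a single 1.5 kB bounce. The `reject_at_rcpt` path is the stronger fix, since an MTA that refuses unknown recipients during the SMTP session never queues the message and so never generates a bounce for it; the detector is for the case where the MTA already accepts and bounces, and the thresholds are assumed values to be tuned per site.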
