Bugtraq mailing list archives
Re: WebShield SMTP infinite loop DoS Attack
From: Ash Hamid <ash_hamid () NAI COM>
Date: Thu, 7 Sep 2000 16:34:19 -0000
The issue listed in the Bugtraq notification with DoS CAN ONLY be reproduced if the following obscure criteria have been met:

1) WebShield and Mail server are on the same box
2) The "Direct Send" option has been enabled in the WebShield Configuration Screen "Delivery" - "Mail Send" section of the product.
3) DNS has been enabled with an MX record resolving both "mydomain.com" & "mydomain.com." (trailing period)

Flow of Mail Message:

Mail message received by WebShield, which then uses "Direct Send" to resolve the target location; as the trailing period is not recognized by "Direct Send", it is unsuccessful. Then an attempt is made to resolve by DNS; the DNS server does recognize the trailing period and, as expected/designed, points the mail message back to WebShield, thereby generating the loop.

In the unlikely event that all three criteria do occur, then the problem may be worked around by adding a "mydomain.com." (trailing period) entry into the "Direct Send" listing in WebShield, thereby allowing resolution of mail. As the workaround allows mail to be delivered as expected, no hotfix has been scheduled for this issue.

Description:
A DoS attack is very easy to implement on most WebShield SMTP setups. Sending E-mail with a "From: " address that includes a period after the domain name will cause an infinite loop, using up resources until the server finally crashes. When restarted, the machine will continue to crash until the offending E-mail is manually removed.

Details:

The problem occurs because WebShield SMTP does not recognize that "domain_name.com" and "domain_name.com." are equivalent (both are valid forms of fully qualified domain names (FQDNs); with the period, it is referred to as a rooted FQDN). Both forms should work with all mail clients and servers. However, the trailing "." is rarely used (except in DNS maintenance).

When a WebShield SMTP server is set up to accept incoming mail, it is typically configured to recognize at least one local domain. This is necessary since WebShield SMTP is placed before the real SMTP server. For example, if you run the domain "domain_name.com", you would configure WebShield SMTP to send all mail for "domain_name.com" to your real SMTP server.

The problem arises when mail is sent to "user@domain_name.com.", which is an acceptable way to address the mail. WebShield SMTP does not recognize that "domain_name.com." is a local address (even though it knows that "domain_name.com" is a local address). So, it looks up the MX record for "domain_name.com.", which points to the WebShield SMTP server (it always will; that's how the mail got there in the first place). It then sends itself a copy of the message, adding a "Received: " line (per RFC821/RFC822). The message will continue to be sent to itself, growing each time as a new "Received: " line is added. As the file gets larger (to several megabytes), lots of CPU time is required to process and scan the E-mail, and more and more disk space is used for the E-mail itself and log files.

In one example, a short E-mail was looped through the WebShield SMTP server over 37,000 times in under a day, growing to 4 megabytes. This was using WebShield v4.5. This can only be reproduced on a machine that has an MX record pointing to it (a test machine won't normally be able to reproduce this).

The Attack:

Send an e-mail to "anything@domain_name.com.".

Work Around:

The workaround is simple. In delivery options for Remote Send, under the Direct Send option, add "domain_name.com." as one of the domain names to route to the local mail server. Do this for every domain name your mail server handles.
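The two defensive points in the advisory above, as an added illustration (not WebShield's or NAI's code): a local-domain check that treats the rooted FQDN "domain_name.com." as equal to "domain_name.com", shown beside the exact-match behaviour described in the post, plus a "Received:" hop counter that stops a self-relaying loop before it grows to megabytes. The local domain set, the hop threshold and the sample message are constructed assumptions.

```python
import email

# Constructed: the domains this gateway hands to the real SMTP server.
LOCAL_DOMAINS = {"domain_name.com"}
# Assumed threshold; the advisory's loop ran over 37,000 hops, so a few
# dozen "Received:" lines is already far beyond any legitimate path.
MAX_RECEIVED_HOPS = 25


def is_local_naive(domain: str) -> bool:
    """Exact string match only: the behaviour the advisory describes."""
    return domain in LOCAL_DOMAINS


def normalize_domain(domain: str) -> str:
    """Canonical form: lowercase, trailing root dot removed (rooted FQDN == FQDN)."""
    return domain.rstrip(".").lower()


def is_local_fixed(domain: str) -> bool:
    """Match after normalising both sides, so 'domain_name.com.' is local too."""
    return normalize_domain(domain) in {normalize_domain(d) for d in LOCAL_DOMAINS}


def route(address: str, local_check) -> str:
    """'local' = hand to the real SMTP server; 'mx' = look up MX and relay."""
    domain = address.rsplit("@", 1)[1]
    return "local" if local_check(domain) else "mx"


def received_hops(raw_message: str) -> int:
    """Count the 'Received:' trace lines each relay hop prepends (RFC 822)."""
    return len(email.message_from_string(raw_message).get_all("Received", []))


def should_reject_as_loop(raw_message: str) -> bool:
    """Bounce instead of relaying once the trace grows past the hop limit."""
    return received_hops(raw_message) > MAX_RECEIVED_HOPS


def add_received(raw_message: str, hostname: str) -> str:
    """Simulate one relay hop: prepend a trace line, as the looping gateway did."""
    return f"Received: from {hostname} by {hostname}; Thu, 7 Sep 2000 16:34:19 -0000\n" + raw_message


# Constructed sample message with three legitimate hops already recorded.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net by webshield.domain_name.com; Thu, 7 Sep 2000 10:00:00 -0000\n"
    "Received: from relay.example.net by mx.example.net; Thu, 7 Sep 2000 09:59:00 -0000\n"
    "Received: from client.example.net by relay.example.net; Thu, 7 Sep 2000 09:58:00 -0000\n"
    "From: sender@example.net\nTo: user@domain_name.com.\nSubject: test\n\nhello\n"
)
```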