Re: Possible Exchange 5.5 Server DoS

[Lee Ann Goldstein <leeann () RAND ORG>]

--Your message was: (from Christer Enberg)
> This happend early this morning on one of our mailservers running Exchange
> 5.5 on WinNT4 OP5.
> Suddenly the Information Store (STORE.EXE) crashed with a strange error
> saying something in the way of
> "Error while processing an email message", restarting both the server and
> all of Exchange's components
> has no effect at all. The only way of solving this problem as I discovered
> is to shut down all Exchange Services
> and Totally remove the content of the IMCDATA directory containing the mail
> queues and then restart exchange.
>
> It seems that the attachment line is the problem, by removing the attachment
> and sending the mail nothing happens.
>
> Anyone know of some more information about this "DoS" attack or how it can
> be prevented,
> I have not seen any off things in the mail that would bring an Exchange
> server to a stop.

I want to confirm that we had this exact problem with our Exchange
news server last week- a message with a null MIME header would repeatedly
crash the Information Store. Fortunately, Exchange did not accept the
message, so all we had to do was remove the offending message from our Unix
news hub. ("all" - they had to use a packet sniffer to identify the message)

I am including the message (indented with "> " but otherwise intact) below.

> This message has been sent to Microsoft who has not yet given any answer.

Our support vendor is also working with Microsoft on this.

Lee Ann

--------------message start
> Path: 
> lumberjack.rand.org!new01lax-pilot.pilot.net!cyclone01-oak.pilot.net!cyclone00a-oak.pilot.net!news-out.cwix.com!newsfeed.cwix.com!newsfeed.gamma.ru!Gamma.RU!feed2.onemain.com!feed1.onemain.com!cyclone-sf.pbi.net!216.65.16.3!news-in.nibble.net!nntp-relay.ihug.net!ihug.co.nz!sn-xit-02!supernews.com!sn-inject-01!corp.supernews.com!not-for-mail
> From: bugsgamma () gamma freedom net
> Newsgroups: alt.alt.test
> Subject: sdkjfhklsjdfhlkjsafhdlkhdsaf
> Date: Thu, 14 Sep 2000 12:27:04 -0400
> Organization: Posted via Supernews, http://www.supernews.com
> Lines: 19
> Message-ID: <ss1uv0qqct678 () corp supernews com>
> X-Complaints-To: newsabuse () supernews com
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary = ""
> Xref: lumberjack.rand.org alt.alt.test:17492
>
>
>
> Zero-Knowledge MIME Encapsulated Message
>
>
> --
> Content-Type: text/plain
>
>
>
>
>
>
>
> ________________________________________________________________________
> Total Internet Privacy -- get your Freedom Nym at http://www.freedom.net
>
>
> ----
--------------message end

--
Lee Ann Goldstein, Computing Services
RAND Corp., Santa Monica, CA 90407-2138
leeann () rand org