Bugtraq mailing list archives
Re: Possible Exchange 5.5 Server DoS
From: Lee Ann Goldstein <leeann () RAND ORG>
Date: Sun, 24 Sep 2000 20:00:01 -0700
--Your message was: (from Christer Enberg)
This happened early this morning on one of our mailservers running Exchange 5.5 on WinNT4 OP5. Suddenly the Information Store (STORE.EXE) crashed with a strange error saying something in the way of "Error while processing an email message", restarting both the server and all of Exchange's components has no effect at all. The only way of solving this problem as I discovered is to shut down all Exchange Services and totally remove the content of the IMCDATA directory containing the mail queues and then restart Exchange. It seems that the attachment line is the problem, by removing the attachment and sending the mail nothing happens. Anyone know of some more information about this "DoS" attack or how it can be prevented, I have not seen any off things in the mail that would bring an Exchange server to a stop.
I want to confirm that we had this exact problem with our Exchange news server last week - a message with a null MIME header would repeatedly crash the Information Store. Fortunately, Exchange did not accept the message, so all we had to do was remove the offending message from our Unix news hub. ("all" - they had to use a packet sniffer to identify the message.) I am including the message (indented with "> " but otherwise intact) below.
This message has been sent to Microsoft who has not yet given any answer.
Our support vendor is also working with Microsoft on this.
Lee Ann
--------------message start
> Path: lumberjack.rand.org!new01lax-pilot.pilot.net!cyclone01-oak.pilot.net!cyclone00a-oak.pilot.net!news-out.cwix.com!newsfeed.cwix.com!newsfeed.gamma.ru!Gamma.RU!feed2.onemain.com!feed1.onemain.com!cyclone-sf.pbi.net!216.65.16.3!news-in.nibble.net!nntp-relay.ihug.net!ihug.co.nz!sn-xit-02!supernews.com!sn-inject-01!corp.supernews.com!not-for-mail
> From: bugsgamma () gamma freedom net
> Newsgroups: alt.alt.test
> Subject: sdkjfhklsjdfhlkjsafhdlkhdsaf
> Date: Thu, 14 Sep 2000 12:27:04 -0400
> Organization: Posted via Supernews, http://www.supernews.com
> Lines: 19
> Message-ID: <ss1uv0qqct678 () corp supernews com>
> X-Complaints-To: newsabuse () supernews com
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary = ""
> Xref: lumberjack.rand.org alt.alt.test:17492
>
> Zero-Knowledge MIME Encapsulated Message
> --
> Content-Type: text/plain
> ________________________________________________________________________
> Total Internet Privacy -- get your Freedom Nym at http://www.freedom.net
> ----
--------------message end
--
Lee Ann Goldstein, Computing Services
RAND Corp., Santa Monica, CA 90407-2138
leeann () rand org
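One way a mail or news gateway in front of the Exchange server could screen for the empty MIME boundary seen in the message above, as an added example that is not part of the original post. The function name and the sample messages are constructed for illustration; the boundary syntax check follows RFC 2046.

```python
import re
from email.parser import HeaderParser

# RFC 2046 boundary: 1 to 70 characters from "bchars", not ending in a space.
_BOUNDARY_RE = re.compile(
    r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$"
)

def check_multipart_boundary(raw_message):
    """Return None if the Content-Type is acceptable, else a rejection reason."""
    # Headers only: the body is never walked, so a bad boundary cannot
    # influence how this filter itself splits the message.
    msg = HeaderParser().parsestr(raw_message)
    if msg.get_content_maintype() != "multipart":
        return None
    boundary = msg.get_boundary()  # None when the parameter is absent
    if boundary is None:
        return "multipart without boundary parameter"
    if boundary == "":
        return "multipart with empty boundary"
    if not _BOUNDARY_RE.match(boundary):
        return "multipart with malformed boundary"
    return None

# Constructed sample headers; the first mirrors the Content-Type line quoted above.
EMPTY = ('Subject: test\nMIME-Version: 1.0\n'
         'Content-Type: multipart/mixed; boundary = ""\n\n--\nbody\n----\n')
MISSING = 'Subject: test\nContent-Type: multipart/mixed\n\nbody\n'
BAD_CHARS = 'Subject: test\nContent-Type: multipart/mixed; boundary="a b@c"\n\nbody\n'
GOOD = ('Subject: test\nContent-Type: multipart/mixed; boundary="abc123"\n\n'
        '--abc123\nContent-Type: text/plain\n\nhi\n--abc123--\n')
PLAIN = 'Subject: test\nContent-Type: text/plain\n\nhi\n'

if __name__ == "__main__":
    for name, raw in [("empty", EMPTY), ("missing", MISSING),
                      ("bad chars", BAD_CHARS), ("good", GOOD), ("plain", PLAIN)]:
        print(name, "->", check_multipart_boundary(raw) or "accept")
```

A gateway would hold or drop any message for which the function returns a reason, before the message reaches the Information Store.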