Norton AV 2002 rewriting SMTP, breaking TLS

["Dale Clapperton (lists)" <lists () blackbird net au>]

Hi all

Sending this to bugtraq at the suggestion of a collegue on an ISP mailing list
in this neck of the woods.

Norton Antivirus 2002 appears to be transparently intercepting and
rewriting SMTP transactions from desktops on which it is installed.  In
particular, it intercepts the "STARTTLS" command and returns a bogus
"500 Unsupported command." response.  The STARTTLS command is never sent
to the SMTP server, and the response is not generated by the SMTP
server.

This has the effect of breaking encrypted SMTP sessions.  Email clients will
issue the "STARTTLS" command, recieve the bogus error from NAV, and usually
abort the sending action with an obscure error message, the exact nature of
which can generally only be revealed by enabling SMTP transaction logging in
the mail client, or using a packet sniffer to watch the conversation.

The user disabling the Norton AV process in the taskbar has no affect on this,
the Administrator user (on Win2k, have not tried on other platforms) has to
specifically disable outbound email scanning.

What the desktop sees:
<< 220 mailserver.example.com ESMTP Postfix
> > EHLO TEST
<< 250-mailserver.example.com
<< 250-PIPELINING
<< 250-SIZE 10240000
<< 250-VRFY
<< 250-ETRN
<< 250-STARTTLS
<< 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
<< 250-XVERP
<< 250 8BITMIME
> > STARTTLS
<< 500 Unsupported command.
> > QUIT
<< 221 Closing connection. Good bye.

What the SMTP server sees:

> > 220 mailserver.example.com ESMTP Postfix
<< EHLO TEST
> > 250-mailserver.example.com
> > 250-PIPELINING
> > 250-SIZE 10240000
> > 250-VRFY
> > 250-ETRN
> > 250-STARTTLS
> > 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> > 250-XVERP
> > 250 8BITMIME
<< QUIT
> > 221 Bye

Notice that the 221 message is also rewritten (for no apparent reason).

I presume that Norton AV is doing this interception and rewriting at a
network level to foil virii/worms which use their own SMTP
implementations to spread via email.  However, the way in which they are
doing this is quite insidious.  I've not seen it mentioned anywhere in
the program or the documentation that it intercepts and rewrites SMTP
transactions.

I would hope that, at least, when their interception returns a bogus 500
response to a STARTTLS command that they could cause some kind of error
to be displayed in a dialog box etc, or return a more meaningful error such as
"500 Norton Antivirus has disabled use of TLS", instead of invisibly causing
the use of encrypted SMTP to break for no apparent reason.

Dale Clapperton