Bugtraq mailing list archives
Norton AV 2002 rewriting SMTP, breaking TLS
From: "Dale Clapperton (lists)" <lists () blackbird net au>
Date: Wed, 17 Jul 2002 23:00:22 +1000
Hi all Sending this to bugtraq at the suggestion of a collegue on an ISP mailing list in this neck of the woods. Norton Antivirus 2002 appears to be transparently intercepting and rewriting SMTP transactions from desktops on which it is installed. In particular, it intercepts the "STARTTLS" command and returns a bogus "500 Unsupported command." response. The STARTTLS command is never sent to the SMTP server, and the response is not generated by the SMTP server. This has the effect of breaking encrypted SMTP sessions. Email clients will issue the "STARTTLS" command, recieve the bogus error from NAV, and usually abort the sending action with an obscure error message, the exact nature of which can generally only be revealed by enabling SMTP transaction logging in the mail client, or using a packet sniffer to watch the conversation. The user disabling the Norton AV process in the taskbar has no affect on this, the Administrator user (on Win2k, have not tried on other platforms) has to specifically disable outbound email scanning. What the desktop sees: << 220 mailserver.example.com ESMTP Postfix
EHLO TEST
<< 250-mailserver.example.com << 250-PIPELINING << 250-SIZE 10240000 << 250-VRFY << 250-ETRN << 250-STARTTLS << 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 << 250-XVERP << 250 8BITMIME
STARTTLS
<< 500 Unsupported command.
QUIT
<< 221 Closing connection. Good bye. What the SMTP server sees:
220 mailserver.example.com ESMTP Postfix
<< EHLO TEST
250-mailserver.example.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 250-XVERP 250 8BITMIME
<< QUIT
221 Bye
Notice that the 221 message is also rewritten (for no apparent reason). I presume that Norton AV is doing this interception and rewriting at a network level to foil virii/worms which use their own SMTP implementations to spread via email. However, the way in which they are doing this is quite insidious. I've not seen it mentioned anywhere in the program or the documentation that it intercepts and rewrites SMTP transactions. I would hope that, at least, when their interception returns a bogus 500 response to a STARTTLS command that they could cause some kind of error to be displayed in a dialog box etc, or return a more meaningful error such as "500 Norton Antivirus has disabled use of TLS", instead of invisibly causing the use of encrypted SMTP to break for no apparent reason. Dale Clapperton
Current thread:
- Norton AV 2002 rewriting SMTP, breaking TLS Dale Clapperton (lists) (Jul 18)
- RE: Norton AV 2002 rewriting SMTP, breaking TLS Russell Mann (Jul 19)
- <Possible follow-ups>
- RE: Norton AV 2002 rewriting SMTP, breaking TLS Owen, Greg (Jul 19)
- Re: Norton AV 2002 rewriting SMTP, breaking TLS Adam Shostack (Jul 22)