Secunia

Stefan Frei, Ivo Silvestri, and Gunter Ollmann recently published a paper describing a way to utilise certain mail servers for DDoS (Distributed Denial-of-Service) attacks on other systems.

The paper discusses the way certain mail servers are configured, how NDNs (Non-Delivery Notifications) are returned, and the content of these when a local user doesn't exist.

Many larger corporations set up external mail servers to accept all mails for domains, they're responsible for, without checking whether the recipients exist or not. This may be a problem since some mail servers return a NDN for each non-existent user and includes the original email text and attachments.

This may potentially be exploited to conduct a DDoS against a victim by sending emails with the victim specified as the sender to multiple non-existent recipients on a domain, which a mail server exhibiting this behavior is responsible for.

This will result in the mail servers acting as a sort of multiplier, since a NDN is returned to the victim for each non-existent recipient in the email.

The problem may especially affect qmail, since it by default exhibits this inappropriate behavior when returning NDNs. At the same time, 550 errors aren't returned when a recipient doesn't exist. Mails are instead accepted, and NDNs are then later returned if the users don't exist.

Solution
Use a default domain wide account for each domain listed in rcpthosts to prevent your mail server from being used as a platform for DDoS attacks.

Provided and/or discovered by
Stefan Frei, Ivo Silvestri, and Gunter Ollmann.

Original Advisory
http://www.techzoom.net/paper-mailbomb.asp

Deep Links
Links available in Customer Area