|
Qmail Non-Delivery Notification DDoS Security Issue
|
|
Secunia Advisory:
|
SA11302
|
|
|
Release Date:
|
2004-04-08
|
|
Popularity:
|
11,200 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | qmail 1.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
Stefan Frei, Ivo Silvestri, and Gunter Ollmann recently published a paper describing a way to utilise certain mail servers for DDoS (Distributed Denial-of-Service) attacks on other systems.
The paper discusses the way certain mail servers are configured, how NDNs (Non-Delivery Notifications) are returned, and the content of these when a local user doesn't exist.
Many larger corporations set up external mail servers to accept all mails for domains, they're responsible for, without checking whether the recipients exist or not. This may be a problem since some mail servers return a NDN for each non-existent user and includes the original email text and attachments.
This may potentially be exploited to conduct a DDoS against a victim by sending emails with the victim specified as the sender to multiple non-existent recipients on a domain, which a mail server exhibiting this behavior is responsible for.
This will result in the mail servers acting as a sort of multiplier, since a NDN is returned to the victim for each non-existent recipient in the email.
The problem may especially affect qmail, since it by default exhibits this inappropriate behavior when returning NDNs. At the same time, 550 errors aren't returned when a recipient doesn't exist. Mails are instead accepted, and NDNs are then later returned if the users don't exist.
Solution:
Use a default domain wide account for each domain listed in rcpthosts to prevent your mail server from being used as a platform for DDoS attacks.
Provided and/or discovered by:
Stefan Frei, Ivo Silvestri, and Gunter Ollmann.
Original Advisory:
http://www.techzoom.net/paper-mailbomb.asp
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
Today
|
New advisories:
|
14 |
|
New vulnerabilities:
|
21 |
|
Updated advisories:
|
26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
