Secunia Logo
 
Qmail Non-Delivery Notification DDoS Security Issue
Secunia Advisory: SA11302
Release Date: 2004-04-08
Popularity: 11,200 views

Critical:
Less critical
Impact:
Where: From remote
Solution Status: Unpatched

Software:qmail 1.x

Subscribe: Instant alerts on relevant vulnerabilities


Description:
Stefan Frei, Ivo Silvestri, and Gunter Ollmann recently published a paper describing a way to utilise certain mail servers for DDoS (Distributed Denial-of-Service) attacks on other systems.

The paper discusses the way certain mail servers are configured, how NDNs (Non-Delivery Notifications) are returned, and the content of these when a local user doesn't exist.

Many larger corporations set up external mail servers to accept all mails for domains, they're responsible for, without checking whether the recipients exist or not. This may be a problem since some mail servers return a NDN for each non-existent user and includes the original email text and attachments.

This may potentially be exploited to conduct a DDoS against a victim by sending emails with the victim specified as the sender to multiple non-existent recipients on a domain, which a mail server exhibiting this behavior is responsible for.

This will result in the mail servers acting as a sort of multiplier, since a NDN is returned to the victim for each non-existent recipient in the email.

The problem may especially affect qmail, since it by default exhibits this inappropriate behavior when returning NDNs. At the same time, 550 errors aren't returned when a recipient doesn't exist. Mails are instead accepted, and NDNs are then later returned if the users don't exist.

Solution:
Use a default domain wide account for each domain listed in rcpthosts to prevent your mail server from being used as a platform for DDoS attacks.

Provided and/or discovered by:
Stefan Frei, Ivo Silvestri, and Gunter Ollmann.

Original Advisory:
http://www.techzoom.net/paper-mailbomb.asp


Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Linksys WRT160N Cross-Site Scripting Vulnerability // 123 views
2. Sun Java JDK / JRE Multiple Vulnerabilities // 94 views
3. IBM Rational ClearQuest Multiple Vulnerabilities // 70 views
4. ClamAV "cli_check_jpeg_exploit()" Denial of Service Vulnerability // 60 views
5. IBM Rational ClearCase Cross-Site Scripting Vulnerability // 44 views
6. flamethrower Insecure Temporary Files // 37 views
7. Debian update for flamethrower // 35 views
8. VLC Media Player Real Demuxer Integer Overflow Vulnerability // 31 views
9. bcoos "cid" SQL Injection Vulnerability // 29 views
10. Zaptel "ZT_SPANCONFIG" IOCTL Privilege Escalation Vulnerabilities // 27 views