[11709] in bugtraq
Re: I found this today and iam reporting it to you first!!! (fwd)
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Tue Sep 7 10:04:45 1999
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990904171547.J26571@attic.vuurwerk.nl>
Date: Sat, 4 Sep 1999 17:15:47 +0200
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.3.32.19990902222455.031374f0@localhost>; from Technical
Incursion Countermeasures on Thu, Sep 02, 1999 at 12:01:40PM -0700
On Thu, Sep 02, 1999 at 12:01:40PM -0700, Technical Incursion Countermeasures wrote:
> You can do a variation on this one (well sort of - is a longstanding prob)
>
> basically find two sites whose FW is conf'd to accept all mail and forward
> it to the real mailserver. If this mailserver bounces invalid addresses
> then you're on your way...

This is not so much a problem with FW's in general.

> spoof a mail from an invalid address on one end to an invalid address on
> the other. and sit back..
>
> the first site will accept the mail (this is the fault - it should reject
> if it is to comply with the IETF standard) and pass it inward, the
> mailserver then sends an error message to the "sender" and the same
> process occurs at the other end...
>
> Rate of messages depends on bandwidth - but you can expect at least 1/sec...
>
> Of course you can multiply it if you send it to a list of recipients.. :}

This trick can only work if the envelope from-address on a bounce is NOT
empty ("<>"). Indeed, in that case a loop will occur.

I think you have found a firewall-SMTP implementation that handles bounces
in some really broken way.

Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | peter@attic.vuurwerk.nl |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
http://www.nognikz.mdk.nu/ | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
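
Added example, not part of the original message: an offline Python simulation of the bounce handling discussed in this reply, comparing bounces sent with the empty envelope sender ("<>") against an assumed broken implementation that puts the failed recipient address in the bounce's envelope sender. The domains, mailboxes and function names are constructed for illustration.

```python
"""Constructed simulation of bounce handling between two sites (no network I/O)."""

NULL_SENDER = ""  # the empty envelope sender, written "<>" in SMTP

# Constructed sample sites: domain -> set of valid local mailboxes.
SITES = {
    "a.example": {"alice"},
    "b.example": {"bob"},
}


def is_deliverable(address):
    """True if the address names an existing mailbox at one of the sample sites."""
    local, _, domain = address.partition("@")
    return local in SITES.get(domain, set())


def null_sender_bounce(mail_from, rcpt_to):
    """Bounce with an empty envelope sender; never bounce a bounce."""
    if mail_from == NULL_SENDER:
        return None  # nobody to notify: drop (or hand to the local postmaster)
    return (NULL_SENDER, mail_from)


def broken_bounce(mail_from, rcpt_to):
    """Assumed broken behaviour: the bounce carries the failed recipient as sender."""
    return (rcpt_to, mail_from)


def count_bounces(mail_from, rcpt_to, make_bounce, limit=50):
    """Follow one message and every bounce it triggers; return (bounces, hit_limit)."""
    bounces = 0
    message = (mail_from, rcpt_to)
    while message is not None:
        sender, recipient = message
        if is_deliverable(recipient):
            return bounces, False  # landed in a real mailbox, chain ends
        message = make_bounce(sender, recipient)
        if message is not None:
            bounces += 1
            if bounces >= limit:
                return bounces, True  # chain would continue indefinitely
    return bounces, False
```

With both envelope addresses invalid, the null-sender policy ends the chain after a single bounce, while the non-empty bounce sender keeps the two sites exchanging errors until the simulation's limit stops it.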