[11719] in bugtraq
Re: I found this today and iam reporting it to you first!!! (fwd)
daemon@ATHENA.MIT.EDU (Wietse Venema)
Tue Sep 7 15:58:39 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19990904182153.04D8545A52@spike.porcupine.org>
Date: Sat, 4 Sep 1999 14:21:53 -0400
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.3.32.19990902222455.031374f0@localhost> from Technical
Incursion Countermeasures at "Sep 2, 99 12:01:40 pm"
Scenario: mail from non-existent@domain1 to non-existent@domain2,
through SMTP servers that accept mail for non-existent addresses.
The poster suggests that the resulting bounce message will loop.
However, the poster fails to reveal the reasoning behind this.
Whatever reasoning the poster used, it is invalid with any reasonable
mail system, because it is the mail system that chooses the bounce
message originator address; the bounce message originator address
is not under control by the attacker.
In other words, the suggested loop does not exist.
Wietse
Technical Incursion Countermeasures:
> You can do a variation on this one (well sort opf - is a logstanding prob)
>
> basically find two sites whose FW is conf'd to accept all mail and forward
> it to the real mailserver. If this mailserver bounces invalid addresses
> then you're on your way...
>
> spoof a mail from an invalid address on one end to an invalid address on
> the other. and sit back..
>
> the first site will accept the mail (this is the fault - it should reject
> if it is to comply with the IETF standard) and pass it inward, the
> mailserver then sends an error message to the "sender" and the same
> process occurs at the other end...
>
> Rate of messages depends on bandwidth - but you can expect at least 1/sec...
>
> Of course you can multiply it if you send it to a list of recipients.. :}
>
> cheers,
>
> Bret
>
> Technical Incursion Countermeasures
> consulting@TICM.COM http://www.ticm.com/
> voice mail/fax: (+65)459 6373(UTC+8 hrs)
>
> The Insider - a e'zine on Computer security Call for papers Vol 3 Issue 2
> http://www.ticm.com/info/insider/index.html
>
>
>
