[19866] in bugtraq
MailSweeper for SMTP Security Problem
daemon@ATHENA.MIT.EDU (Russ Hayward)
Tue Mar 27 11:19:51 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <000501c0b685$389d1c60$6291989e@inet0002>
Date: Tue, 27 Mar 2001 07:14:45 +0100
Reply-To: Russ Hayward <bug@EUNOS.DEMON.CO.UK>
From: Russ Hayward <bug@EUNOS.DEMON.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
There appears to be vulnerability with Mail Sweeper for SMTP email by
Content Technologies.
(Tested on Version 4.19, others may be vulnerable)
My test system is -
Windows NT 4 Service Pack 5
MailSweeper for SMTP version 4.1.9
I have two separate incoming and outgoing policies scenarios, I trust (!) my
users and allow all
internal users to send what they like (no restrictions) but restrict
incoming emails with
virus checks, text analysis, exe file checks etc.. etc..
The Incoming scenario applies to this address list *@* --> *@mydomain.com
and the Outgoing Scenario applies to *@mydomain.com --> *@*
The SMTP relay restrictions ensure that only mail destined for the local
domain are forwarded.
The problem occurs when an attacker spoofs an email so the sender appears to
be a user within my
domain i.e. JoeBloggs@mydomain.com and the recipient is the intended victim
i.e. user@mydomain.com
MailSweeper will apply the OUTGOING scenario (i.e. nothing) and forwards the
mail internally to the
intended victim. This email could contain any content.
I notified Content Technologies on the 03/03/2001 and have received no
response.
Regards
Russ Hayward
