[16896] in bugtraq


Re: Possible Exchange 5.5 Server DoS

daemon@ATHENA.MIT.EDU (Lee Ann Goldstein)
Mon Sep 25 12:48:33 2000

Message-ID:  <200009250300.UAA10134@nightstalker.rand.org>
Date:         Sun, 24 Sep 2000 20:00:01 -0700
Reply-To: Lee Ann Goldstein <leeann@RAND.ORG>
From: Lee Ann Goldstein <leeann@RAND.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of Tue, 12 Sep 2000 08:30:48 +0200. 
              <F1219E765B7FD311889900E01898B1D03E2480@EXECUTOR>

--Your message was: (from Christer Enberg)
>
> This happened early this morning on one of our mailservers running Exchange
> 5.5 on WinNT4 OP5.
> Suddenly the Information Store (STORE.EXE) crashed with a strange error
> saying something in the way of
> "Error while processing an email message", restarting both the server and
> all of Exchange's components
> has no effect at all. The only way of solving this problem as I discovered
> is to shut down all Exchange Services
> and Totally remove the content of the IMCDATA directory containing the mail
> queues and then restart exchange.
>
> It seems that the attachment line is the problem, by removing the attachment
> and sending the mail nothing happens.
>
> Anyone know of some more information about this "DoS" attack or how it can
> be prevented,
> I have not seen any off things in the mail that would bring an Exchange
> server to a stop.

I want to confirm that we had this exact problem with our Exchange
news server last week- a message with a null MIME header would repeatedly
crash the Information Store. Fortunately, Exchange did not accept the
message, so all we had to do was remove the offending message from our Unix
news hub. ("all" - they had to use a packet sniffer to identify the message)

I am including the message (indented with "> " but otherwise intact) below.

> This message has been sent to Microsoft who has not yet given any answer.

Our support vendor is also working with Microsoft on this.

Lee Ann

--------------message start
> Path: lumberjack.rand.org!new01lax-pilot.pilot.net!cyclone01-oak.pilot.net!cyclone00a-oak.pilot.net!news-out.cwix.com!newsfeed.cwix.com!newsfeed.gamma.ru!Gamma.RU!feed2.onemain.com!feed1.onemain.com!cyclone-sf.pbi.net!216.65.16.3!news-in.nibble.net!nntp-relay.ihug.net!ihug.co.nz!sn-xit-02!supernews.com!sn-inject-01!corp.supernews.com!not-for-mail
> From: bugsgamma@gamma.freedom.net
> Newsgroups: alt.alt.test
> Subject: sdkjfhklsjdfhlkjsafhdlkhdsaf
> Date: Thu, 14 Sep 2000 12:27:04 -0400
> Organization: Posted via Supernews, http://www.supernews.com
> Lines: 19
> Message-ID: <ss1uv0qqct678@corp.supernews.com>
> X-Complaints-To: newsabuse@supernews.com
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary = ""
> Xref: lumberjack.rand.org alt.alt.test:17492
>
>
>
> Zero-Knowledge MIME Encapsulated Message
>
>
> --
> Content-Type: text/plain
>
>
>
>
>
>
>
> ________________________________________________________________________
> Total Internet Privacy -- get your Freedom Nym at http://www.freedom.net
>
>
> ----
--------------message end

--
Lee Ann Goldstein, Computing Services
RAND Corp., Santa Monica, CA 90407-2138
leeann@rand.org
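
A header check that a news or mail hub could apply before relaying to the Exchange host, holding back multipart messages whose boundary parameter is missing or empty as in the message quoted above. This is an added example, not part of the original post: the function name and the sample messages are constructed, and the 70-character limit (RFC 2046) goes beyond the case reported here.

```python
from email.parser import HeaderParser

MAX_BOUNDARY_LEN = 70  # RFC 2046: a boundary is 1 to 70 characters long


def boundary_problem(raw_message):
    """Return a reason string when a multipart message carries an unusable
    boundary parameter, or None when the headers look acceptable."""
    # HeaderParser reads only the header block, so the body is never split
    # on the (possibly empty) boundary while the check runs.
    msg = HeaderParser().parsestr(raw_message)
    if msg.get_content_maintype() != "multipart":
        return None
    boundary = msg.get_boundary()  # None when the parameter is absent
    if boundary is None:
        return "multipart without boundary parameter"
    if boundary.strip() == "":
        return "multipart with empty boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return "boundary longer than 70 characters"
    return None


# Constructed sample messages; "empty" reuses the Content-Type line quoted above.
SAMPLES = {
    "empty": ("From: sender@example.invalid\nMIME-Version: 1.0\n"
              'Content-Type: multipart/mixed; boundary = ""\n\n'
              "--\nContent-Type: text/plain\n\n\n----\n"),
    "missing": ("From: sender@example.invalid\nMIME-Version: 1.0\n"
                "Content-Type: multipart/mixed\n\nbody\n"),
    "ok": ("From: sender@example.invalid\nMIME-Version: 1.0\n"
           'Content-Type: multipart/mixed; boundary="frontier"\n\n'
           "--frontier\nContent-Type: text/plain\n\nhello\n--frontier--\n"),
    "plain": "From: sender@example.invalid\n\njust text\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        reason = boundary_problem(raw)
        print(name, "->", "HOLD: " + reason if reason else "relay")
```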
