[17463] in bugtraq


Re: [phiphi-01-10-00] Hotmail can act as email amplifier

daemon@ATHENA.MIT.EDU (van der Kooij, Hugo)
Thu Nov 2 13:09:42 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10011020834420.5339-100000@bastion.hugo.vanderkooij.org>
Date:         Thu, 2 Nov 2000 08:40:53 +0100
Reply-To: Hugo.van.der.Kooij@CAIW.NL
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij@CAIW.NL>
X-To:         Philip Stoev <philip@EINET.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <005d01c043e4$707cb780$0100a8c0@ntserver1>

On Wed, 1 Nov 2000, Philip Stoev wrote:

> SUMMARY
>
> Hotmail can act as email size amplifier with a factor of at least 1000,
> allowing flooding and mail-bombing a victim while using a negligible amount
> of your own bandwidth. If it were a smurf-like amplification, Hotmail would be
> No. 5 in the ranks of smurf amplifiers.

...

> STATUS
>
> Secure@microsoft.com was informed about the issue on Sun, 29 Oct 2000
> 23:42:43 +0200 and, on Tue, 31 Oct 2000 18:18:31 -0800, they replied as
> follows:
>
> "Wanted to let you know that we were able to reproduce the problem you
> reported.  The Hotmail Security Team has identified the changes that are
> needed, and is implementing the change even as we speak.  New system
> software is loaded every two weeks, and the next scheduled update is 14
> November.  We'll make sure that the change is included in that update."
>
> I interpreted this reply as a sign that they do not consider this issue a
> serious one, so I decided to disclose it.  Please flame me if I am wrong.

They take it seriously but their update schedule does not allow them to do
maintenance whenever a sysadmin wishes.

Loading new code will mean downtime. So they scheduled the update in their
first available service window. However, having 1 service window per 2
weeks is not sufficient in case of security problems.

While I guess they need to increase to at least a weekly schedule for
security issues, I wouldn't call it 'security unaware'.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
This message has not been checked and may contain harmful content.
