COMMAND
MS mail clients
SYSTEMS AFFECTED
All mail platforms with MS clients: MS Outlook 97, 98, 2000, Windows
Messaging, or the Exchange client
PROBLEM
Bill Brandt found the following. MS mail clients may provide a means
for an attacker to multiply the number of messages sent during an
attack by N*(N+1), where N is the number of users in the largest
list group that has an SMTP address.
Bill recently noticed an issue with MS mail clients (Outlook,
etc.). The issue centers on the use of Read Receipt and Delivery
Receipt tags. MS clients support these features in all versions;
however, in Outlook 97, Outlook 98, and (we are told) Outlook 2000
there is no way to disable the response to a read receipt (some
Outlook Express versions do allow either no response or prompting
the user before responding). In addition, we are not aware of any
way to have the Exchange server prevent these tags from being used,
or any way for an admin to disable the delivery receipt function
within the Exchange server. The interaction of this function with
SMTP list addresses could cause a serious DoS exploit against an
Exchange mail system or any other mail system which has a large
number of MS client users.
An attacker wishing to cause a DoS attack upon a mail system having
MS clients need only obtain the SMTP address of a group address
list (ex: allemployees@company.com). Once this SMTP address is
known, an email can be crafted which is spoofed to be from
allemployees@company.com to allemployees@company.com with
allemployees@company.com in the receipt header tags. The end result
is a message which is sent to everyone in the list. In the case of
read receipt (which I have tested), when each user opens the
message, that user's client automatically forces a receipt message
to be sent back to the entire list. An example company of 1,000
employees would see 1,000 emails with 1,000 x 1,000 replies, which
results in 1,001,000 messages. In the case of larger organizations
the result can be rather disastrous. Take for instance an
organization that has 100,000 members. Since the formula for the
number of messages is N*(N+1), the resulting number of messages is
10,000,100,000.
An alternate possibility is a cross attack where a spoofed message
goes to allemployees@company1.com from allemployees@company2.com.
This results in one company getting N messages and the other
getting N^2 read receipts. Again, in the case of 100,000 members in
the list the result is 100,000 reply messages that, when they reach
the end server, become 10 trillion individual replies.
SOLUTION
Since the administrator of a site (and even the mail user) has no
way to stop an MS client from responding to a receipt request, the
only currently known steps that can be taken are:
1. If your mail system supports a way to strip the receipt header
tags from incoming, externally generated SMTP messages, make sure
that the tags are removed. (Note: Exchange does not appear to
support this. If anyone knows of a way to do this, please provide
details.)
2. If SMTP access is not essential for a given list, remove the SMTP
addresses from that group distribution list. This will prevent
outside users from utilizing the list.
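As an added illustration of step 1 (not code from the advisory or from any Exchange tool), the following Python filter strips receipt request headers from an externally sourced message and flags a message whose receipt request points at a distribution list address. The header names used are the standard MDN/receipt request headers (Disposition-Notification-To and Return-Receipt-To); the list address and the sample message are constructed for the example.

```python
"""Inbound gateway filter: remove read/delivery receipt requests from
messages arriving from outside, so a spoofed message addressed to a
distribution list cannot turn each recipient's client into a receipt
generator aimed back at the whole list.  Header names are the standard
MDN/receipt request headers; list address and sample are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Headers that ask the receiving client to send a receipt to an address.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def receipt_targets(msg: EmailMessage) -> set[str]:
    """Lower-cased addresses named in any receipt request header."""
    pairs = []
    for name in RECEIPT_HEADERS:
        pairs.extend(getaddresses(msg.get_all(name, [])))
    return {addr.lower() for _, addr in pairs if addr}


def targets_protected_list(raw: bytes, protected_lists: set[str]) -> bool:
    """True if a receipt request names a list address: the N*(N+1)
    amplification pattern described in the advisory."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return bool(receipt_targets(msg) & {a.lower() for a in protected_lists})


def strip_receipt_requests(raw: bytes) -> tuple[bytes, list[str]]:
    """Return the message with all receipt request headers removed,
    plus the names of the headers that were present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = [h for h in RECEIPT_HEADERS if h in msg]
    for h in removed:
        del msg[h]  # deletes every instance of that header
    return msg.as_bytes(), removed


# Constructed sample: list address in From, To and both receipt headers.
SAMPLE = (b"From: allemployees@company.example\r\n"
          b"To: allemployees@company.example\r\n"
          b"Disposition-Notification-To: allemployees@company.example\r\n"
          b"Return-Receipt-To: allemployees@company.example\r\n"
          b"Subject: test\r\n\r\nhello\r\n")

if __name__ == "__main__":
    print(targets_protected_list(SAMPLE, {"allemployees@company.example"}))
    cleaned, removed = strip_receipt_requests(SAMPLE)
    print(removed)
    print(cleaned.decode())
```

The check is worth logging at the gateway even when stripping is in place, since a burst of such messages is itself an early indicator of an attempted mail storm.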
Another thing that will prevent this is to lock down who has the
ability to send mail to large distribution lists in an organization.
There's a Delivery Restrictions tab on every DL (and mailbox) in
Exchange. Leaving anyone the ability to send mail to an "all
employees" list is just irresponsible. That's how you end up with
mail storms, which can end up taking down a system (especially when
users start replying to all with "please stop mailing me"
messages...). MS had an internal mail storm a few years ago like
I've described - it brought their servers to their knees. The good
news is that they developed a tool (originally known as the Bedlam
tool - they've since changed the name to something more PC) to
remove messages such as I've described from the IS. If you call PSS
and tell them you need it, they'll turn over a copy for free... Some
other links:
http://www.aspeonsoftware.com/aspeon_exchangeplus.asp
http://www.slipstick.com/addins/mail.htm
The TechNet article
http://www.microsoft.com/TechNet/exchange/technote/msgstorm.asp
has full information on removing the messages causing mail storms.