COMMAND

    Hotmail

SYSTEMS AFFECTED

    Hotmail

PROBLEM

    Philip  Stoev  found  following.   Hotmail  can  act as email size
    amplifier with a  factor of at  least 1000, allowing  flooding and
    mail-bombing a victim while using a negligible amount of your  own
    bandwidth. If it were  a smurf-like amplificaton, Hotmail  will be
    No. 5 in the ranks smurf amlifiers.

    An issue exists  in the way  Hotmail handles the  "attfile" hidden
    form field  on their  Compose Message  form.   Normally, this form
    field contains information on the attachments that are to be  sent
    with  the  message  being  composed.   The  problem  is that it is
    possible  for  this  form  field  to  reference  one  and the same
    attachment  several  times,  which  will  make  Hotmail  send this
    attachment as many times as desired with the outgoing mail.

    The  amplification  occurs  because  the  attachment  is  actually
    uploaded only once,  while Hotmail sends  it several times  to the
    end recepient  (victim).   You can  have a  22k attachment  mailed
    1000 (one thousand) times to the receiver in a single email.   You
    only loose about  100 K of  bandwidth total, while  the victimized
    person needs to loose 22  MB of incoming bandwidth to  receive the
    message (and Hotmail needs to waste at least as much to send it).

SOLUTION

    MS was able to reproduce  the problem.  The Hotmail  Security Team
    has identified the  changes that are  needed, and is  implementing
    the change.   New system software  is loaded every  two weeks, and
    the next scheduled update is 14 November 2000.