COMMAND

    WebShield

SYSTEMS AFFECTED

    NAI's WebShield SMTP

PROBLEM

    Scott Perry found the following.  A DoS attack is very easy to
    implement on most WebShield SMTP setups.  Sending E-mail with a
    "From: " address that includes a period after the domain name
    will cause an infinite loop, using up resources until the server
    finally crashes.  When restarted, the machine will continue to
    crash until the offending E-mail is manually removed.

    The problem occurs because WebShield SMTP does not recognize that
    "domain_name.com" and "domain_name.com." are equivalent (both are
    valid forms of fully qualified domain names (FQDNs); with the
    period, it is referred to as a rooted FQDN).  Both forms should
    work with all mail clients and servers.  However, the trailing
    "." is rarely used (except in DNS maintenance).

    When a WebShield  SMTP server is  set up to  accept incoming mail,
    it  is  typically   configured  to  recognize  at  least one local
    domain.  This is necessary  since WebShield SMTP is placed  before
    the  real  SMTP  server.   For  example,  if  you  run  the domain
    "domain_name.com", you would configure WebShield SMTP to send  all
    mail for "domain_name.com" to your real SMTP server.

    The problem arises when  mail is sent to  "user@domain_name.com.",
    which is an  acceptable way to  address the mail.   WebShield SMTP
    does  not  recognize  that  "domain_name.com."  is a local address
    (even though it knows that "domain_name.com" is a local  address).
    So,  it  looks  up  the  MX  record  for "domain_name.com.", which
    points to the  WebShield SMTP server  (it always will;  that's how
    the mail got there  in the first place).   It then sends itself  a
    copy  of   the  message,   adding  a   "Received:  "   line   (per
    RFC821/RFC822).  The message will  continue to be sent to  itself,
    growing each time as  a new "Received:   " line is added.   As the
    file  gets  larger  (to  several  megabytes),  lots of CPU time is
    required to process  and scan the  E-mail, and more  and more disk
    space is used for the E-mail itself and log files.

    In one example,  a short E-mail  was looped through  the WebShield
    SMTP  server  over  37,000  times  in  under  a  day, growing to 4
    megabytes.   This  was  using  WebShield  v4.5.   This can only be
    reproduced on a machine  that has an MX  record pointing to it  (a
    test machine won't normally be able to reproduce this).

    The Attack: Send an E-mail to "anything@domain_name.com.".

SOLUTION

    The workaround is  simple.  In  delivery options for  Remote Send,
    under the  Direct Send  option, add  "domain_name.com." as  one of
    the domain names to route to  the local mail server.  Do  this for
    every domain name your mail server handles.
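    The root of the bug is the local-domain comparison: a relay that
    canonicalizes the recipient domain before matching never sees
    "domain_name.com." as foreign, and counting "Received:" lines
    catches a self-relay loop regardless.  The following is an added
    illustration written for this advisory, not NAI's code; the
    MAX_HOPS threshold and the sample message are constructed.

```python
import email

# Local domains as an administrator would configure them (constructed).
LOCAL_DOMAINS = {"domain_name.com"}
# Hypothetical loop threshold; every relay hop adds one Received: line.
MAX_HOPS = 25

def normalize_domain(domain: str) -> str:
    """Canonicalize a domain for local-delivery matching.

    "DOMAIN_NAME.COM." and "domain_name.com" name the same FQDN; the
    trailing dot only marks the name as rooted, so strip it and case.
    """
    d = domain.strip().lower()
    while d.endswith("."):
        d = d[:-1]
    return d

def is_local_address(address: str, local_domains=LOCAL_DOMAINS) -> bool:
    """True if the recipient domain matches a configured local domain."""
    _local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        return False
    canonical = {normalize_domain(d) for d in local_domains}
    return normalize_domain(domain) in canonical

def received_hop_count(raw_message: bytes) -> int:
    """Count Received: lines; each relay adds one (RFC 821/822)."""
    msg = email.message_from_bytes(raw_message)
    return len(msg.get_all("Received", []))

def should_reject_as_loop(raw_message: bytes, max_hops: int = MAX_HOPS) -> bool:
    """A message relayed more than max_hops times is looping; drop it."""
    return received_hop_count(raw_message) > max_hops

def build_sample(hops: int) -> bytes:
    """Construct a message already relayed `hops` times (sample data)."""
    received = "".join(
        f"Received: from gateway.domain_name.com by gateway.domain_name.com;"
        f" hop {i}\r\n" for i in range(hops)
    )
    return (received + "From: sender@domain_name.com.\r\n"
            "To: anything@domain_name.com.\r\nSubject: test\r\n\r\n"
            "body\r\n").encode()

if __name__ == "__main__":
    print(is_local_address("anything@domain_name.com."))   # True
    print(should_reject_as_loop(build_sample(26)))          # True
```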

    This issue CAN ONLY be reproduced if the following obscure
    criteria have been met:

       1) WebShield and Mail server are on the same box
       2) The "Direct Send" option has been enabled in the WebShield
          Configuration Screen "Delivery" - "Mail Send" Section of the
          product.
       3) DNS has been enabled with an MX record resolving both
          "mydomain.com" & "mydomain.com." (trailing period)

    As the workaround allows mail to be delivered as expected, no
    hotfix has been scheduled for this issue.