COMMAND

    SMTP

SYSTEMS AFFECTED

    SMTP

PROBLEM

    Lincoln Yeoh found the following. Out-of-order SMTP DATA commands
    incorrectly allow pass-through mode in some firewall SMTP
    filters/proxies.

    Lincoln first found this sometime in 1996 and notified the
    relevant firewall vendor. After about 4 generations it is still
    not fixed in some versions even today; the vendor did try to patch
    it a few times but was unsuccessful.

    He recently noticed, while trying to confirm an email address,
    that another screen/firewall seems to have a similar problem. He
    is not sure whether other firewalls are vulnerable.

    Basically, if you wish to send arbitrary stuff to a mailserver
    protected by a vulnerable firewall's SMTP proxy, what you do is
    send a DATA command followed by the stuff you want to send, all
    in the same TCP/IP packet, immediately on connection (before you
    even get the 220 response), e.g.:

        <begin packet>
        DATA
        VERB
        EXPN postmaster
        .
        <end packet>

    You may have to send consecutive DATA commands to get it to work,
    e.g.:

        <begin packet>
        DATA
        DATA
        VERB
        EXPN postmaster
        .
        <end packet>

    Note: In some versions the terminating "." is required in order
    to receive the response. In a recent case Lincoln found, you're
    not required to put everything in the same packet; all you need
    to do is issue a DATA command. There appears to be a timeout, but
    just reissue the DATA again and you're back to pass-through mode.

SOLUTION

    Make sure you are running a secure and reliable mail server, or
    use a better SMTP proxy.
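
    The state tracking a stricter SMTP proxy needs, as an added example
    that is not part of the original advisory or any vendor's code:
    pass-through is entered only when the real server answers 354, and
    commands sent before the 220 banner or out of order are refused.
    Class and function names are hypothetical, lines are assumed to
    arrive with CRLF stripped, and PIPELINING is deliberately not
    supported.

```python
# Added example (hypothetical names): command-state tracking for an SMTP filter.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

class SmtpFilter:
    def __init__(self):
        self.greeted = False    # server's 220 banner has been seen
        self.have_rcpt = False  # server accepted at least one RCPT
        self.in_data = False    # pass-through, set only by the server's 354
        self.pending = None     # verb forwarded, reply still outstanding

    def on_server_reply(self, code):
        """Advance state from the real server's reply, never from client input."""
        if not self.greeted:
            self.greeted = (code == 220)
        elif self.pending == "RCPT":
            self.have_rcpt = self.have_rcpt or code in (250, 251)
        elif self.pending == "DATA":
            self.in_data = (code == 354)
        elif self.pending in ("MAIL", "RSET", "EOM", "HELO", "EHLO"):
            self.have_rcpt = False  # transaction boundary: recipients reset
        self.pending = None

    def on_client_line(self, line):
        """Return ("forward", line) or ("reject", reply) for one client line."""
        if self.in_data:
            if line == ".":  # end of message: leave pass-through
                self.in_data, self.pending = False, "EOM"
            return ("forward", line)
        verb = line.split(" ", 1)[0].upper()
        if not self.greeted:
            return ("reject", "554 command sent before greeting")
        if self.pending is not None:
            return ("reject", "503 wait for the previous reply")
        if verb not in ALLOWED:
            return ("reject", "502 command not permitted")
        if verb == "DATA" and not self.have_rcpt:
            return ("reject", "503 need RCPT before DATA")
        self.pending = verb
        return ("forward", line)

def run(filt, lines):
    """Feed client lines with no server replies in between; collect verdicts."""
    return [filt.on_client_line(line)[0] for line in lines]
```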