
The Joe Job DoS attack

Mail bomb attack brown alert



A problem with the way that non-delivery notifications are sent by many mail servers could be exploited to launch "mail bomb" denial of service attacks.

Incorrectly configured mail servers may respond to a delivery failure with as many non-delivery reports as there are undeliverable cc: and bcc: addresses in the original email. By forging the sender address of an email, an attacker can direct every one of those bounces at a third party and bombard the victim's systems with spurious emails.

Security researchers have now demonstrated how easy it would be to turn such 'Joe Jobs' (messages sent under a forged sender address so that the fallout lands on someone else) into deliberate denial of service attacks.

Hackers could use badly set-up mail servers as multipliers (every bogus message could generate dozens of bounces) and flood any target email system or account.

Non-delivery notification emails generated by these systems often include a full copy of the original email, file attachments included, so each bounce is larger than the message that triggered it.

Platform-independent DoS risk

The vulnerability is dependent on the configuration of SMTP servers, rather than on the software platform. Tests suggest the vulnerability works across the board, independent of mail server package or version.

Gunter Ollmann, professional services director at Next Generation Security Software (NGSSoftware), warns that the problem is easy to exploit. Ollmann, along with consultant Ivo Silvestri, began looking at the problem at the instigation of Stefan Frei, a colleague who runs a number of Swiss webmail operations. These services were straining under the load of bounced messages. Looking at how these messages were generated established the potential basis for deliberate attacks, rather than the accidental bombardment experienced by Frei's services.

Tests suggest that larger organisations tend to be more vulnerable to the "mail bombing" attack.

"This vulnerability appears to affect around 30 per cent of our main study group (the Fortune 500), and has significance to all essential email communications," Ollmann warns.

"We have proved that this vulnerability can be easily exploited and can be used to DoS almost any SMTP service on the Internet. By utilising multiple vulnerable SMTP servers, a distributed DoS is possible, and can be used to cause the loss of mail services (and in extreme cases all Internet connectivity) to any organisation."

Action stations

The three researchers had originally intended to publish their analysis of the problem after the Easter break. But talk of the issue on a popular vulnerability discussion forum has prompted them to release their guidance ahead of schedule.

Ollmann isn't aware of any instances where the attack mechanism has been used in anger. But this is no reason for complacency.

Developers and mail administrators are urged to secure their SMTP mail services, as explained here (PDF). The fix is simple enough: don't include the original message and its attachments in the non-delivery report; and send one non-delivery report per failed message, listing all of the failed recipients, rather than one for every intended recipient. ®
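The following added example is not from the article or from the NGSSoftware paper; it models the bounce behaviour described above and the two-part fix. A receiving mail server that emits one non-delivery report per undeliverable recipient, with the full original message attached, is placed beside one that emits a single headers-only report per failed message, and the bytes returned to the forged sender are compared with the bytes the attacker had to send. The hostnames, addresses, recipient count and attachment size are all constructed for the example.

```python
# Added example: models NDR (bounce) generation at a receiving MTA so the
# amplification described in the article can be measured. Hostnames,
# addresses and the sample message are constructed for this example.
from dataclasses import dataclass

MX = "mx.badly-configured.example"          # reflecting mail server (assumed)
VICTIM = "victim@target.example"            # forged envelope sender (assumed)
CRLF = b"\r\n"


@dataclass
class Inbound:
    mail_from: str          # SMTP envelope sender: attacker-controlled, forged
    rcpt_to: list           # SMTP envelope recipients
    raw: bytes              # full message as received, attachment included


def build_inbound(mail_from, rcpt_to, attachment):
    """Construct a sample message with many recipients and a large body."""
    headers = (f"From: {mail_from}\r\n"
               f"To: {', '.join(rcpt_to)}\r\n"
               "Subject: constructed sample\r\n"
               "Content-Type: application/octet-stream\r\n").encode()
    return Inbound(mail_from, list(rcpt_to), headers + CRLF + attachment)


def undeliverable(rcpt_to, local_users):
    """Recipients the MX accepted at RCPT TO but cannot deliver locally."""
    return [r for r in rcpt_to if r not in local_users]


def ndr_per_recipient(inbound, failed):
    """Vulnerable policy: one bounce per failed recipient, original attached.
    Every bounce is larger than the message that triggered it, and all of
    them go to the forged MAIL FROM address."""
    ndrs = []
    for rcpt in failed:
        ndr = (f"From: MAILER-DAEMON@{MX}\r\n"
               f"To: {inbound.mail_from}\r\n"
               f"Subject: Undeliverable: {rcpt}\r\n\r\n"
               f"Delivery to {rcpt} failed.\r\n\r\n"
               "----- Original message follows -----\r\n").encode()
        ndrs.append(ndr + inbound.raw)
    return ndrs


def ndr_per_message(inbound, failed):
    """Hardened policy from the article: a single bounce per failed message,
    listing every failed recipient and returning only the original headers."""
    if not failed:
        return []
    original_headers = inbound.raw.split(CRLF + CRLF, 1)[0]
    ndr = (f"From: MAILER-DAEMON@{MX}\r\n"
           f"To: {inbound.mail_from}\r\n"
           "Subject: Undeliverable mail\r\n\r\n"
           "Delivery failed for the following recipients:\r\n").encode()
    ndr += CRLF.join(f"  {r}".encode() for r in failed) + CRLF + CRLF
    ndr += b"----- Original message headers -----" + CRLF + original_headers
    return [ndr]


def amplification(inbound, ndrs):
    """Bytes sent to the forged sender per byte the attacker had to send."""
    return sum(len(n) for n in ndrs) / len(inbound.raw)


def compare(recipients=50, attachment_size=100_000):
    """Run both policies on the same forged message and report the effect."""
    bogus = [f"nobody{i}@{MX}" for i in range(recipients)]   # constructed
    inbound = build_inbound(VICTIM, bogus, b"A" * attachment_size)
    failed = undeliverable(inbound.rcpt_to, {f"postmaster@{MX}"})
    vuln = ndr_per_recipient(inbound, failed)
    hard = ndr_per_message(inbound, failed)
    return {
        "failed_recipients": len(failed),
        "vulnerable_ndrs": len(vuln),
        "vulnerable_amplification": amplification(inbound, vuln),
        "hardened_ndrs": len(hard),
        "hardened_amplification": amplification(inbound, hard),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With 50 bogus recipients and a 100 KB attachment the vulnerable policy returns fifty copies of the message to the forged sender, more than fifty times what the attacker transmitted, while the hardened policy returns one report a few kilobytes long. A practitioner would also send such reports with a null reverse path (MAIL FROM:<>) so that a bounce can never itself bounce.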

Related Stories

Sendmail suffers second major flaw
Outlook Express becomes attack platform, of sorts
Beware the Habeas Joe Job


