The Joe Job DoS attack

Mail bomb attack brown alert

A problem with the way that non-delivery notifications are sent by many mail servers could be exploited to launch "mail bomb" denial of service attacks.

Incorrectly configured mail servers may respond to a single undeliverable message with as many non-delivery reports as there are undeliverable cc: and bcc: addresses in it. Because bounces are sent to the envelope sender (the return path) rather than to whoever really injected the message, hackers who forge that address can direct the whole volley at a third party.

Security researchers have now demonstrated how easy it might be to turn such 'Joe Jobs' (mail sent with a forged sender so that the bounces and complaints land on an innocent party) into deliberate denial of service attacks.

Hackers could use badly set-up mail servers as multipliers (every bogus message could generate dozens of bounces) and flood any target email system or account.

Non-delivery notification emails generated by these systems often include a full copy of the original email, file attachments included, so each bounce can be as large as the message that triggered it.

Platform-independent DoS risk

The vulnerability depends on the configuration of SMTP servers rather than on the software platform. Tests suggest it works across the board, independent of mail server package or version.

Gunter Ollmann, professional services director at Next Generation Security Software (NGSSoftware), warns that the problem is easy to exploit. Ollmann, along with consultant Ivo Silvestri, began looking at the problem at the instigation of Stefan Frei, a colleague who runs a number of Swiss webmail operations. These services were straining under the load of bounced messages. Looking at how these messages were generated established the potential basis for deliberate attacks, rather than the accidental bombardment experienced by Frei's services.

Tests suggest that larger organisations tend to be more vulnerable to the "mail bombing" attack.

"This vulnerability appears to affect around 30 per cent of our main study group (the Fortune 500), and has significance to all essential email communications," Ollmann warns.

"We have proved that this vulnerability can be easily exploited and can be used to DoS almost any SMTP service on the Internet. By utilising multiple vulnerable SMTP servers, a distributed DoS is possible, and can be used to cause the loss of mail services (and in extreme cases all Internet connectivity) to any organisation."

Action stations

The three researchers had originally intended to publish their analysis of the problem after the Easter break. But talk of the issue on a popular vulnerability discussion forum has prompted them to release their guidance ahead of schedule.

Ollmann isn't aware of any instances where the attack mechanism has been used in anger. But this is no reason for complacency.

Developers and mail administrators are urged to secure their SMTP mail services, as explained here (PDF). The fix is simple enough: don't return the original message body and attachments in the non-delivery report (the headers are enough for the sender to identify it); and send one report for each failed message, listing all the failed recipients, rather than one for every intended recipient. ®
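The multiplier described above, and the effect of the two recommended fixes, can be seen by simulating the bounce policy of a mail server. The following is an added example written for this page; it is not code from NGSSoftware's paper or from any mail server. The victim address, the relay hostname, the list of valid local users, the attachment size and the number of bogus recipients are all constructed assumptions.

```python
"""Simulate non-delivery report (NDR) generation to show Joe Job amplification.

Added example, not code from the page or the NGSSoftware paper. Every address,
hostname and size below is constructed for illustration.
"""
from dataclasses import dataclass
from email import message_from_bytes
from email.message import EmailMessage

RELAY = "mail.example.org"                       # assumed relay hostname
VALID_USERS = frozenset({f"alice@{RELAY}"})      # assumed local mailbox list
VICTIM = "victim@example.net"                    # assumed target of the attack


@dataclass
class Envelope:
    mail_from: str        # SMTP MAIL FROM (return path); this is what the attacker forges
    rcpt_to: list[str]    # SMTP RCPT TO addresses (bcc-style, not all in the headers)
    data: bytes           # message as transmitted after DATA


def build_attack_message(victim: str, bogus_rcpts: int, attachment_size: int) -> Envelope:
    """Build the message an attacker injects: forged return path, many bad recipients,
    and a large attachment so every bounce that echoes the original is large too."""
    rcpts = [f"nosuchuser{i}@{RELAY}" for i in range(bogus_rcpts)]
    msg = EmailMessage()
    msg["From"] = victim            # header From is forged along with the envelope
    msg["To"] = rcpts[0]            # the rest travel only in the envelope (bcc)
    msg["Subject"] = "quarterly figures"
    msg.set_content("see attached")
    msg.add_attachment(b"\x00" * attachment_size, maintype="application",
                       subtype="octet-stream", filename="figures.zip")
    return Envelope(mail_from=victim, rcpt_to=rcpts, data=msg.as_bytes())


def make_ndr(return_path: str, failed: list[str], returned_part: bytes) -> bytes:
    """One non-delivery report addressed to the return path (simplified DSN layout)."""
    head = (f"From: MAILER-DAEMON@{RELAY}\nTo: {return_path}\n"
            "Subject: Undelivered Mail Returned to Sender\n\n"
            "Delivery to the following recipients failed permanently:\n"
            + "".join(f"  {r}\n" for r in failed)
            + "\n----- Original message follows -----\n").encode()
    return head + returned_part


def bounces_per_recipient_full_copy(env: Envelope, valid_users) -> list[bytes]:
    """Vulnerable policy: one NDR per failed recipient, each carrying the whole
    original message including attachments."""
    return [make_ndr(env.mail_from, [r], env.data)
            for r in env.rcpt_to if r not in valid_users]


def bounce_single_headers_only(env: Envelope, valid_users) -> list[bytes]:
    """Hardened policy: a single NDR per failed message listing every failed
    recipient, returning only the original headers."""
    failed = [r for r in env.rcpt_to if r not in valid_users]
    if not failed:
        return []
    original = message_from_bytes(env.data)
    headers = "".join(f"{k}: {v}\n" for k, v in original.items()).encode()
    return [make_ndr(env.mail_from, failed, headers)]


def amplification(env: Envelope, ndrs: list[bytes]) -> tuple[int, int, float]:
    """(number of bounces, bytes landing on the return path, bytes-out/bytes-in)."""
    received = sum(len(n) for n in ndrs)
    return len(ndrs), received, received / len(env.data)


def demo(bogus_rcpts: int = 50, attachment_size: int = 200_000) -> dict:
    env = build_attack_message(VICTIM, bogus_rcpts, attachment_size)
    return {
        "vulnerable": amplification(env, bounces_per_recipient_full_copy(env, VALID_USERS)),
        "hardened": amplification(env, bounce_single_headers_only(env, VALID_USERS)),
    }


if __name__ == "__main__":
    for policy, (count, nbytes, factor) in demo().items():
        print(f"{policy:10s}: {count:3d} bounces, {nbytes:>10,d} bytes, x{factor:.1f}")
```

With the constructed inputs the vulnerable policy returns fifty bounces of roughly the size of the injected message, a ~50x amplification directed at an address that never sent anything; the hardened policy returns one bounce of a few hundred bytes. The attacker's only costs are the one message and the bogus recipient list, which is why several such relays aimed at one return path add up to a distributed attack.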

Related Stories

Sendmail suffers second major flaw
Outlook Express becomes attack platform, of sorts
Beware the Habeas Joe Job
