The Joe Job DoS attack

Mail bomb attack brown alert


A problem with the way that non-delivery notifications are sent by many mail servers could be exploited to launch "mail bomb" denial of service attacks.

Incorrectly configured mail servers may respond to a mail delivery failure with as many non-delivery reports as there are undeliverable cc: and bcc: addresses in the original email. By forging the sender address of an email, attackers could direct that flood of bounces at a system of their choosing.

Security researchers have now demonstrated how easy it might be to turn such 'Joe Jobs' into deliberate denial of service attacks.

Attackers could use badly set-up mail servers as multipliers (every bogus message could generate dozens of bounces) and flood any target email system or account.

Non-delivery notification emails generated by these systems often include a full copy of the original email sent in addition to any file attachments.

Platform-independent DoS risk

The vulnerability is dependent on the configuration of SMTP servers, rather than on the software platform. Tests suggest the vulnerability works across the board, independent of mail server package or version.

Gunter Ollmann, professional services director at Next Generation Security Software (NGSSoftware), warns that the problem is easy to exploit. Ollmann, along with consultant Ivo Silvestri, began looking at the problem at the instigation of Stefan Frei, a colleague who runs a number of Swiss webmail operations. These services were straining under the load of bounced messages. Looking at how these messages were generated established the potential basis for deliberate attacks, rather than the accidental bombardment experienced by Frei's services.

Tests suggest that larger organisations tend to be more vulnerable to the "mail bombing" attack.

"This vulnerability appears to affect around 30 per cent of our main study group (the Fortune 500), and has significance to all essential email communications," Ollmann warns.

"We have proved that this vulnerability can be easily exploited and can be used to DoS almost any SMTP service on the Internet. By utilising multiple vulnerable SMTP servers, a distributed DoS is possible, and can be used to cause the loss of mail services (and in extreme cases all Internet connectivity) to any organisation."

Action stations

The three researchers had originally intended to publish their analysis of the problem after the Easter break. But talk of the issue on a popular vulnerability discussion forum has prompted them to release their guidance ahead of schedule.

Ollmann isn't aware of any instances where the attack mechanism has been used in anger. But this is no reason for complacency.

Developers and mail administrators are urged to secure their SMTP mail services, as explained here (PDF). The fix is simple enough: don't include the attachment part of the original message in non-delivery receipts; and send one email in response to every mail failure, rather than one for every intended recipient. ®
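The following Python model is an added illustration of the two bounce policies the article contrasts; it is not code from the article or from the NGSSoftware paper it links to. It simulates how a receiving mail server generates non-delivery reports for one inbound message whose envelope sender has been forged, and measures the amplification each policy hands back to the forged address. All addresses, sizes and the `HEADER_OVERHEAD` constant are constructed assumptions for the simulation, not values from the page.

```python
"""Model of NDR amplification: per-recipient bounces with the full original
attached (the misconfiguration the article describes) versus a single bounce
without the original payload (the recommended fix)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Assumed fixed cost of NDR headers and diagnostic text, in bytes (constructed).
HEADER_OVERHEAD = 500


@dataclass
class Message:
    """One inbound SMTP message as seen by the receiving server."""
    envelope_from: str          # MAIL FROM address; this is what an attacker forges
    recipients: list[str]       # To, Cc and Bcc addresses the server must deliver to
    body: str
    attachments: list[bytes] = field(default_factory=list)

    def payload_size(self) -> int:
        return len(self.body) + sum(len(a) for a in self.attachments)


@dataclass
class Ndr:
    """A generated non-delivery report: where it goes and how large it is."""
    to: str
    size: int


BouncePolicy = Callable[[Message, set[str]], list[Ndr]]


def bounce_per_recipient(msg: Message, deliverable: set[str]) -> list[Ndr]:
    """Vulnerable policy: one NDR per undeliverable recipient, each carrying a
    full copy of the original message and its attachments."""
    ndrs = []
    for rcpt in msg.recipients:
        if rcpt not in deliverable:
            ndrs.append(Ndr(to=msg.envelope_from,
                            size=HEADER_OVERHEAD + msg.payload_size()))
    return ndrs


def bounce_once(msg: Message, deliverable: set[str]) -> list[Ndr]:
    """Hardened policy: a single NDR listing every failed recipient, with no
    copy of the original body or attachments."""
    failed = [r for r in msg.recipients if r not in deliverable]
    if not failed:
        return []
    diagnostic = "Delivery failed for:\n" + "\n".join(failed)
    return [Ndr(to=msg.envelope_from, size=HEADER_OVERHEAD + len(diagnostic))]


def amplification(policy: BouncePolicy, msg: Message, deliverable: set[str]) -> tuple[int, float]:
    """Return (number of NDRs sent, bytes sent back / bytes received)."""
    ndrs = policy(msg, deliverable)
    sent = sum(n.size for n in ndrs)
    return len(ndrs), sent / msg.payload_size()


def sample_message(n_recipients: int = 40) -> Message:
    """Constructed sample: a forged sender, many non-existent recipients at one
    domain, a small body and a 100 KB attachment."""
    return Message(
        envelope_from="victim@example.org",                      # forged
        recipients=[f"nobody{i:02d}@mail.example.net" for i in range(n_recipients)],
        body="x" * 1000,
        attachments=[b"\0" * 100_000],
    )


def compare_policies(n_recipients: int = 40) -> dict[str, tuple[int, float]]:
    """Run both policies on the sample message; no recipient is deliverable."""
    msg = sample_message(n_recipients)
    deliverable: set[str] = set()
    return {
        "per_recipient": amplification(bounce_per_recipient, msg, deliverable),
        "single_ndr": amplification(bounce_once, msg, deliverable),
    }


if __name__ == "__main__":
    for name, (count, ratio) in compare_policies().items():
        print(f"{name:14s}: {count:3d} NDRs, byte amplification {ratio:.2f}x")
```

With the constructed numbers, the per-recipient policy returns forty bounces totalling roughly forty times the bytes the forged sender's domain never actually sent, while the single-NDR policy returns one small report. The second factor the article mentions, sending the bounce once per failed message rather than once per recipient, is what collapses the count; dropping the original payload is what collapses the size.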

Related Stories

Sendmail suffers second major flaw
Outlook Express becomes attack platform, of sorts
Beware the Habeas Joe Job
