From: Geo (geoincidents_at_getinfo.org)
Date: Mon Dec 09 2002 - 10:51:32 CST


Gordano Mail Server GMS8, previously known as NTmail, has a flaw that makes it
possible for anyone to send an email to all users hosted in a domain. This
method also gets around all rwords filters and possibly some homemade virus
filters.

By sending an email using everyone@target.domain as both the TO and FROM
address, the email is immediately delivered to all the users in target.domain.
Using this technique it is possible to spam the entire email domain with a
single email, making this a prime target for spammers and virus authors.

The issue is twofold. First, it's an extension of the identical TO/FROM
method I posted 2 weeks ago and which Gordano has chosen to ignore; second,
it uses a special email account called "everyone" which is used to email
all the users in a domain. The account is usually protected by a password,
without which you cannot send email to it; however, because of the way the
mail server handles returning email it is possible to get around this
protection.

This method uses a bug in how NTmail handles bounced email: it
unconditionally accepts all bounces, even from itself. When an email is
bounced the mail server simply delivers it to the return address without any
checking to see if it should be a filtered email or if it contains the
required password for the everyone account (a special account used to email
all users on a system). This is very handy in that it allows us to get around
all the password and filter protection for this everyone account.

The vendor claims (response included below) that it is a configuration issue,
but since it is the default configuration, and since this exploit makes it
possible to get around having to use a password and allows viruses or spammers
to spam an entire email domain with a single email, I don't agree with their
conclusion and I believe they need to rethink their position on this.

It doesn't seem to matter if the email is sent directly to the target mail
server or if it's relayed through other servers first (thus making this the
ideal anonymous email exploit for spammers); the only thing that matters is
that the TO and FROM addresses are identical and as specified above. This is
really just an extension of the TO/FROM exploit I posted to the security
lists 2 weeks ago but which Gordano has chosen to ignore so far.

There are two ways to stop this exploit. If you are not running any list
servers then simply stop and disable the list service. On a straight email
server the list service is only used to email all users, so stopping it will
immediately eliminate the possibility of it being exploited.

The second way is to set up a redirect so any email where the FROM address is
everyone* gets redirected to a real email account. This will execute before
the email makes it to the list service, so it can be used to block the
exploit.

Neither of these methods will block the now 2-week-old identical TO/FROM
address exploit I mentioned above; however, they will stop this rather
dangerous special case.

Geo.

------- vendor's response when I sent this to their bugs@gordano.com address ---

> This is a configuration issue; as you do not have a support contract, I am
> unable to help you with it. Please refer to the documentation.
> If you do not have a current copy of the documentation it may be downloaded
> from our web site http://www.gordano.com
>
> Other sources of documentation include the online context sensitive help
> and extensive Knowledge Base, also available on our web site.
>
> The Bug Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
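As an added example that is not part of Geo's post or of Gordano's software: a small Python filter that applies the two checks the post describes (identical TO/FROM addresses, and a FROM local part matching everyone*) to constructed sample messages and diverts flagged mail to a real mailbox, mirroring the redirect workaround. The quarantine mailbox postmaster@target.domain, the rule names and the sample messages are assumptions made for illustration.

```python
"""Added example, not from the original post: pre-list-service checks for a
Gordano-style 'everyone' address. Sample messages and the quarantine mailbox
are constructed for illustration."""
from email import message_from_string
from email.utils import getaddresses

# Constructed samples: one mimics the bypass described in the post, one is benign.
BYPASS_MSG = """From: everyone@target.domain
To: everyone@target.domain
Subject: constructed sample

hello all
"""
NORMAL_MSG = """From: alice@example.org
To: bob@target.domain
Subject: constructed sample

hi bob
"""

def _addrs(msg, header):
    """Lower-cased address set from a header that may be absent or repeated."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}

def classify(raw):
    """Return the rules a raw RFC 822 message trips (empty list if none).

    identical_to_from : TO and FROM address sets are identical.
    everyone_sender   : a FROM local part matches everyone*, the condition the
                        post's redirect workaround keys on.
    """
    msg = message_from_string(raw)
    senders, recipients = _addrs(msg, "From"), _addrs(msg, "To")
    hits = []
    if senders and senders == recipients:
        hits.append("identical_to_from")
    if any(a.split("@", 1)[0].startswith("everyone") for a in senders):
        hits.append("everyone_sender")
    return hits

def route(raw, quarantine="postmaster@target.domain"):
    """Mimic the post's second mitigation: flagged mail goes to a real mailbox
    instead of the list service. Returns the delivery target(s) as a list."""
    if classify(raw):
        return [quarantine]  # assumed quarantine mailbox
    return sorted(_addrs(message_from_string(raw), "To"))

if __name__ == "__main__":
    for raw in (BYPASS_MSG, NORMAL_MSG):
        print(classify(raw), "->", route(raw))
```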