Re: Outlook Express feature could crash e-mail servers
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: Outlook Express feature could crash e-mail servers
- From: DBell@MOBILE.BAM.COM
- Date: Wed, 17 Jun 1998 15:50:48 EDT
- Comments: To: bb@bugnet.com
- Reply-To: DBell@MOBILE.BAM.COM
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

IMHO, this is not Microsoft's problem. This problem is part and parcel to SMTP. Unix admins have worked around this for years by reconfiguring their firewalls and SMTP gateways. This is NOT a 'bug' or 'design problem' in the client, just an unfortunate fact of the way the protocol was designed. To fail to post some kind of advisory about this is not to stick one's head in the sand, it's to accept a known limitation of the SMTP protocol.

Russ's post was blunt, but it's about time that the popular press quits hitting the panic button just to generate headlines, and actually learns something about computer security.

Ignoring this won't make it go away; however, demanding that Microsoft fix what ails SMTP is also a waste of time. There are enough non-standards-compliant utilities out there, we don't need any more, from Microsoft, or anyone else.

Daniel Bell

-------------
Original Text
From: C=US/A=INTERNET/DDA=ID/bb(a)bugnet.com, on 6/17/98 3:53 PM:

Greetings Russ.

Although the impulse of the ostrich is strong, ignoring problems does not make them go away. In fact, it makes them more likely to get you. We hoped our BugNet Alert would get Microsoft's attention and thereby lead to a fix for the problem, and it appears we have gone a fair ways toward achieving this positive end. In fact, Harry Goodwin, Outlook Express product manager, thanked us for our accurate and responsible coverage of the problem. And thanks to our efforts, MS promises to make changes.

Thanks for your input. It's always fun to get flamed.

Best...

Bruce Brown
BugNet
bb@bugnet.com
http://www.bugnet.com/

************

> From: Russ <Russ.Cooper@rc.on.ca>
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Cc: "'bugnet@bugnet.com'" <bugnet@bugnet.com>
> Subject: RE: Outlook Express feature could crash e-mail servers
> Date: Wed, 17 Jun 1998 10:02:26 -0400
>
> Full text of the article in question is at http://www.bugnet.com/alerts/bugalert.html
>
> In my opinion, this is yet another example of how stupid the media is when it comes to comp.security, and how desperate they are to garner headlines with stories of supposed exploits, particularly when it relates to MS.
>
> Sending mail to an SMTP server has always been a viable way of creating a Denial of Service attack. Writing a program to repeatedly send 16KB, or 20MB, messages endlessly is trivial and a ton of mail bombing programs exist to do just that. Given the global insecurity of SMTP servers, launching such an attack from a high speed link is also trivial, meaning anyone can do it regardless of their personal connection speed to the net.
>
> Any ISP worried about SMTP from a T1 connection is simply clueless to the realities of the 'net.
>
> If someone is going to send a large attachment (and many do, frequently), regardless of their motivation, it's definitely better for the recipient SMTP server to deal with multiple smaller chunks than to try and handle a single large attachment (assuming the recipient has the ability to easily re-assemble the original attachment and the multiple smaller chunks aren't each consuming a connection to the recipient SMTP server).
>
> Message Size Limits, be they on Firewalls or SMTP servers themselves, are designed to prevent protracted sessions with a single message, not to throttle total bandwidth utilization on its 'net connection.
>
> If this supposed problem is truly viewed as a potential exploit, the place to fix it is in the Firewall or the SMTP server, not the client (since 2 minutes of VB programming can recreate the supposed exploit code).
>
> Cheers,
> Russ
>
>
> Christel Bronsema
> BugNet
> cb@bugnet.com
> http://www.bugnet.com