|
-
April 7th, 2004, 09:55 PM
#1
Non-Delivery Notification Attacks...
Hey Hey,
I did a few searches and didn't see this posted, so I thought I'd throw it up here.
I just recieved a new email from the vuln-dev digtest and it seems pretty interesting.
Apparently a good chunk (I believe it was around 30% when dealing with Fortune 500 companies) of mail servers will respond with NDNs (Non-Delivery Notifications) if the user doesn't exist. The problem lies in the fact that the server will reply once for each non-existant user in the CC and BCC fields. The NDNs will also include the original message and attachments. If you send one email to 50 invalid users each with a 100K attachment, you lead to the possibility of having 50 emails and 5M of attachments returned to you. That alone would fill the average users mailbox. Now image if you had a mailbomber that spoofed the address or the reply to address. The numbers in the whitepaper are rather large, with a possible data multiplier of over 300, just over 3.5M sent (3.6 to be exact) and 1.1G recieved on the other end. The possibilities for a large DoS or a DDoS (through email virus or worms) is almost endless.
An info page regarding this is: http://www.techzoom.net/paper-mailbomb.asp
The Whitepaper itself is at: http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb
I found it to be a rather interesting read. I'd love to hear other people's opinions. Especially from some of our more well known seniors who stay up-to-date on vulns and usually have more information than the rest of us minions.
Peace,
HT
[Edit]
I attached the whitepaper below
[/Edit]
-
April 8th, 2004, 05:51 AM
#2
[I'm definitely not a senior and may not stay up to date on vulns, but hey, here's my opinion.]
I think it's not something new. Spammers spoof the sender/reply-to address hoping their recepients won't find their real address. Good spammers do that hoping they can blame somebody else.
Also (D)DOSers craft their packets to target by spoofing the source address hoping the target won't know their real source address, and will send replies to the spoofed address (which is actually the REAL target).
Still the white paper is an interesting read...
Peace always,
<jdenny>
Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
-
April 8th, 2004, 07:36 AM
#3
Originally posted here by jdenny
[I'm definitely not a senior and may not stay up to date on vulns, but hey, here's my opinion.]
I think it's not something new. Spammers spoof the sender/reply-to address hoping their recepients won't find their real address. Good spammers do that hoping they can blame somebody else.
Also (D)DOSers craft their packets to target by spoofing the source address hoping the target won't know their real source address, and will send replies to the spoofed address (which is actually the REAL target).
Still the white paper is an interesting read...
Peace always,
<jdenny>
Hey Hey,
I total agree that the ideas themselves are not new, however this is the first time I've heard of combining the ideas. It's basically an email Smurf/Fraggle attack. I'd love to throw together some code for this, just for PoC purposes. I think that's how I'm going to spend my easter weekend. If anyone has any mail servers I can use for testing let me know.
Peace,
HT
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote