[Dshield] Mail AV software

Stephane Grobety security at admin.fulgan.com
Tue Apr 13 13:03:21 GMT 2004


Hello everyone,

Like everyone running a mail server, I would guess, I'm crumbling
under "virus notifications" sent by AV software running on mail
gateways and "notifying me that I have sent a virus". Today, someone
apparently brought this to a new all-time level of ridicule by also
sending a notice to the "postmaster" address of the domain found in
the "from" email header field.

Now for the content: I have two remarks:

First, could those of you who are managing mail servers that integrate
a virus scanner please DISABLE these notifications? It's actually
rather important to do so; please read on for why.

Second, it has occurred to me that this could be used for a DoS. You
see, if you send the EICAR test file (a small fake virus file) to these
mail servers, they will generate between one and four new mails: one
to the intended recipient, one to the mail admin of the server, one to
the perceived sender and one to the postmaster address of the
perceived sender.

Of these 4 mails, you can ignore the first two: after all, if an
admin is willing to mail-bomb himself with notifications, it's none of
my business. The last two, however, concern me. You see, I am the one
paying for the bandwidth and storage space used by these useless
mails.

Now comes the first part: take an EICAR test file
(http://www.eicar.org/download/eicar.com; it WILL trigger an AV warning
if you download it). It's 68 bytes long and you don't need to attach
it to your mail: just copying and pasting its text content will
trigger the AV software. Standard mail headers can be trimmed down to
a few hundred bytes and the SMTP part of the transaction is very
small. Now spoof the "from" header to look like it is coming from
the victim's mail server and send it to the AV-filtered gateway. Bham:
with a single SMTP transaction of less than a kilobyte of traffic,
you've generated two TCP connections to the target mail server and
forced it to accept at least one mail which will be much larger than
your original one. That's called a bandwidth amplification attack in my
book, combined with a rather difficult-to-avoid mail bombing attack.

The beauty of it is that you don't even need to scan for servers to use
in such an attack: if you have a mail address (or better, if you're
reading the "postmaster" mailbox of a domain), then you probably
already have a large database of exploitable hosts. And if you combine
this with one of the large number of open proxies out there (your spam
drop mailbox should be full of them), you can even hide your source IP
very efficiently.

So, I urge the mail admins among you who haven't already done so to
disable these notifications. If someone finds a flaw in my reasoning,
please feel free to comment on- or off-list.

Good luck,
Stephane
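
A defender-side check for the backscatter described in the post, added here as an example and not part of Stephane's mail: an inbound "you sent a virus" notice is flagged as backscatter when the Message-ID it quotes is not one our own MTA relayed, so notices triggered by a spoofed From header can be dropped instead of stored. The outbound log format (`sent id=<...>`) and the sample mails are constructed.

```python
"""Flag inbound AV notices that are backscatter from a spoofed From header.

Heuristic: a notice about a message our MTA never relayed cannot be a real
alert about our traffic; it is amplification traffic and can be discarded.
Log format and sample mails below are constructed for this example.
"""
import re
from email import message_from_string

NOTICE_RE = re.compile(r"virus|infected|eicar|malware|quarantin", re.I)
MSGID_RE = re.compile(r"<[^<>\s@]+@[^<>\s]+>")

# Constructed outbound log in a hypothetical "sent id=<...>" format.
OUTBOUND_LOG = """
2004-04-13 12:01:02 sent id=<abc123@admin.fulgan.com> to=<bob@example.net>
2004-04-13 12:05:44 sent id=<def456@admin.fulgan.com> to=<carol@example.org>
"""

# Constructed notice quoting a Message-ID we never sent (spoofed From).
BACKSCATTER = """From: AV Gateway <postmaster@gateway.example.com>
Subject: VIRUS ALERT: you have sent an infected message
Message-ID: <notice-1@gateway.example.com>

Your message <spoofed999@admin.fulgan.com> to victim@gateway.example.com
contained EICAR-Test-File and was not delivered.
"""

# Constructed notice quoting a Message-ID that really left our server.
REAL_ALERT = """From: AV Gateway <postmaster@gateway.example.com>
Subject: VIRUS ALERT: you have sent an infected message
Message-ID: <notice-2@gateway.example.com>

Your message <abc123@admin.fulgan.com> to bob@example.net was blocked.
"""

def sent_message_ids(log_text):
    """Message-IDs our MTA actually relayed, parsed from the constructed log."""
    return set(re.findall(r"id=(<[^>]+>)", log_text))

def classify(raw_mail, sent_ids):
    """Return 'not-notice', 'ours' (a real alert about our mail) or 'backscatter'."""
    msg = message_from_string(raw_mail)
    if not NOTICE_RE.search(msg.get("Subject", "")):
        return "not-notice"
    body = "" if msg.is_multipart() else msg.get_payload()
    own = msg.get("Message-ID", "")          # the notice's own ID is not evidence
    quoted = {m for m in MSGID_RE.findall(body) if m != own}
    if quoted & sent_ids:
        return "ours"
    # Nothing we relayed is referenced (or nothing is quoted at all): the
    # gateway trusted a spoofed From header, so treat the notice as backscatter.
    return "backscatter"
```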
