Using Hotmail as an email amplifier
------------------------------------------------------------------------

SUMMARY

Hotmail can be used as an email attachment amplifier with a factor of at least 1000. This allows flooding and e-mail bombing of a victim where the attacker uses a small amount of bandwidth, but effectively 'bombards' the victim.

DETAILS

A possible security issue arises with the way Hotmail handles the "attfile" hidden form field in the Compose Message form. Normally, this form field contains the information about the attachments that are to be sent with the composed message. However, it is possible for this form field to reference the same attachment several times, which will make Hotmail send this attachment multiple times (as many times as desired) with the outgoing mail.

The amplification itself occurs because the attachment is actually uploaded only once, while Hotmail sends it several times to the end recipient (victim).

For example, you can have a 22k attachment mailed 1000 (one thousand) times to the receiver in a single email. The attack will only consume about 100 K of bandwidth, while the victim will waste about 22 MB of incoming bandwidth (the bandwidth will be used to receive the message, and the Hotmail servers will waste at least as much to send it).

Vendor Status:

[EMAIL PROTECTED] was informed about the issue on Sun, 29 Oct 2000 and on Tue, 31 Oct 2000. They replied as follows:

"Wanted to let you know that we were able to reproduce the problem you reported. The Hotmail Security Team has identified the changes that are needed, and is implementing the change even as we speak. New system software is loaded every two weeks, and the next scheduled update is 14 November. We'll make sure that the change is included in that update."

Fix:

It seems that there will be no fix until November 14, apart from filtering.

Vendors of other web-based email systems and web-to-smtp gateways are hereby advised to check whether their mail-sending and attachment-uploading code allows an attachment uploaded only once to be mailed several times.

The following free email providers are not vulnerable: iname.com, dir.bg, abv.bg.

The following email providers are still under investigation, but appear not vulnerable: yahoo.com, netaddress.com.

Conclusion:

Note to developers: Never assume that simply because something is hidden deeply behind your SSL-secured server, your login form, your dynamic URLs, your redirects, your referrer checks, your hidden form fields, and your cookies, it is safe and nobody will reach it (and eventually try to modify it). Hotmail has all of those and it did not help.

--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml

This message contains no viruses. Guaranteed by AVP.

------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
Information : http:[EMAIL PROTECTED]
Archive     : http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP         : http://mikrodata.co.id/wap/index.wml

This mailing list contributes to several columns run by the MIKRODATA team, including columns that appear in other media.

Using, distributing, and copying pirated software is a criminal act.

Please check with the latest AVP update before you ask about virus: ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
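
One way to make the check the advisory asks of web-mail vendors, as an added example that is not part of the original post and is not Hotmail's code. The comma-separated id format for the hidden field, the function and exception names, and the limits are assumptions for illustration; the advisory does not document the real "attfile" format.

```python
# Added example: server-side validation of a client-supplied attachment list.
# The comma-separated id format, names and limits are assumptions for
# illustration; the advisory does not document Hotmail's real "attfile" format.

class AttachmentError(ValueError):
    """Raised when the submitted attachment list must be rejected."""


def resolve_attachments(attfile_value, session_uploads,
                        max_count=10, max_total_bytes=10 * 1024 * 1024):
    """Map a client-supplied reference list to the uploads to be mailed.

    attfile_value   -- raw hidden-field string from the compose form (untrusted)
    session_uploads -- dict {upload_id: size_in_bytes} recorded server-side
                       when each file was actually uploaded in this session
    Returns the ordered list of upload ids to attach, each at most once.
    """
    refs = [r.strip() for r in attfile_value.split(",") if r.strip()]
    seen = set()
    total = 0
    for ref in refs:
        # Only ids the server itself issued for this session are acceptable.
        if ref not in session_uploads:
            raise AttachmentError(f"unknown attachment reference: {ref!r}")
        # One upload may be mailed once: a repeated id is the amplification.
        if ref in seen:
            raise AttachmentError(f"attachment referenced more than once: {ref!r}")
        seen.add(ref)
        total += session_uploads[ref]
    if len(refs) > max_count:
        raise AttachmentError("too many attachments")
    # Bound outgoing size by what was really uploaded, not by the form field.
    if total > max_total_bytes:
        raise AttachmentError("attachments exceed outgoing size limit")
    return refs


if __name__ == "__main__":
    uploads = {"a1": 22 * 1024, "b2": 4096}        # constructed sample session
    print(resolve_attachments("a1,b2", uploads))    # accepted
    try:
        resolve_attachments(",".join(["a1"] * 1000), uploads)
    except AttachmentError as exc:
        print("rejected:", exc)
```

The point of the design is that the outgoing message is built from server-side upload records, so the size of what is sent can never exceed the size of what was received.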
