Gordano Mail Server GMS8 (previously known as NTmail) has a flaw that makes it possible for anyone to send an email to all users hosted in a domain. This method also gets around all word filters and possibly some home-made virus filters.

By sending an email using [EMAIL PROTECTED] as both the TO and FROM address, the email is immediately delivered to all the users in target.domain. Using this technique it is possible to spam an entire email domain with a single email, making this a prime target for spammers and virus authors.

The issue is twofold. First, it is an extension of the identical TO/FROM method I posted two weeks ago, which Gordano has chosen to ignore. Second, it uses a special email account called "everyone@" which is used to email all the users in a domain. That account is usually protected by a password, without which you cannot send email to it; however, because of the way the mail server handles returned email, it is possible to get around this protection.

This method uses a bug in how NTmail handles bounced email: it unconditionally accepts all bounces, even from itself. When an email is bounced, the mail server simply delivers it to the return address without any check to see whether it should be a filtered email or whether it contains the required password for the everyone account (a special account used to email all users on a system). This is very handy in that it allows us to get around all the password and filter protection for the everyone@ account.

The vendor claims (response included below) that it is a configuration issue, but since it is the default configuration, and since this exploit makes it possible to get around having to use a password and allows virus writers or spammers to spam an entire email domain with a single email, I don't agree with their conclusion and I believe they need to rethink their position on this.

It doesn't seem to matter whether the email is sent directly to the target mail server or relayed through other servers first (thus making this the ideal anonymous email exploit for spammers); the only thing that matters is that the TO and FROM addresses are identical and as specified above.

This is really just an extension of the TO/FROM exploit I posted to the security lists two weeks ago, which Gordano has chosen to ignore so far.

There are two ways to stop this exploit. The first: if you are not running any list servers, simply stop and disable the list service. On a straight email server the list service is only used to email all users, so stopping it immediately eliminates the possibility of it being exploited. The second: set up a redirect so that any email whose FROM address is everyone@* is redirected to a real email account. The redirect executes before the email reaches the list service, so it can be used to block the exploit.

Neither of these methods will block the now two-week-old identical TO/FROM address exploit mentioned above, but they will stop this rather dangerous special case.

Geo.

-------vendor's response when I sent this to their [EMAIL PROTECTED] address---

> This is a configuration issue, as you do not have a support contract I am unable to help you with it. Please refer to the documentation. If you do not have a current copy of the documentation it may be downloaded from our web site http://www.gordano.com
> Other sources of documentation include the online context sensitive help and extensive Knowledge Base also available on our web site.
> The Bug Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
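The two countermeasures described in the post (redirect any mail whose FROM is everyone@* to a real mailbox before it reaches the list service, and treat identical TO/FROM addresses as suspicious), as an added example that is not part of the original post or of Gordano's product. The redirect mailbox, the domain target.example and the sample messages are constructed for the example.

```python
# Added example, not Gordano's code: a mail-policy check implementing the post's two
# countermeasures. It is assumed to run before any list/"everyone" expansion, so a
# forged everyone@ sender (or a bounce returning to it) never reaches the list service.
from email import message_from_string
from email.utils import getaddresses, parseaddr

EVERYONE_LOCALPART = "everyone"
REDIRECT_MAILBOX = "postmaster@target.example"  # assumption: the "real email account"


def _sender(msg, envelope_from):
    """Prefer the SMTP envelope sender; for bounces (empty sender) fall back to
    Return-Path, then From, since the bug is that bounces are delivered unchecked."""
    raw = envelope_from or msg.get("Return-Path") or msg.get("From") or ""
    return parseaddr(raw)[1].lower()


def _recipients(msg, envelope_rcpts):
    if envelope_rcpts:
        return {r.lower() for r in envelope_rcpts}
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {a.lower() for _, a in getaddresses(hdrs) if a}


def classify(raw_message, envelope_from=None, envelope_rcpts=None):
    """Return (action, detail): 'redirect' everyone@* senders to the real mailbox,
    'flag' identical TO/FROM for review, otherwise 'deliver'."""
    msg = message_from_string(raw_message)
    sender = _sender(msg, envelope_from)
    rcpts = _recipients(msg, envelope_rcpts)
    local, _, _domain = sender.partition("@")
    if local == EVERYONE_LOCALPART:
        return "redirect", REDIRECT_MAILBOX
    if sender and sender in rcpts:
        return "flag", "identical TO/FROM address: " + sender
    return "deliver", None


# Constructed sample messages (not real traffic).
EVERYONE_MSG = ("From: everyone@target.example\nTo: everyone@target.example\n"
                "Subject: hi\n\nbody\n")
SELF_MSG = "From: alice@target.example\nTo: alice@target.example\n\nx\n"
NORMAL_MSG = "From: bob@other.example\nTo: alice@target.example\n\nx\n"
BOUNCE_MSG = ("Return-Path: <everyone@target.example>\n"
              "From: MAILER-DAEMON@target.example\nTo: everyone@target.example\n\nbounce\n")

if __name__ == "__main__":
    for name, m in [("everyone", EVERYONE_MSG), ("self", SELF_MSG), ("normal", NORMAL_MSG)]:
        print(name, classify(m))
    print("bounce", classify(BOUNCE_MSG, envelope_from=""))
```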
