On Mon, Jan 22, 2001 at 09:40:13AM -0500, Andy Abshagen wrote:
> We are in the midst of a security audit performed by Ernst & Young. They are
> claiming something about a DOS situation. What I need to find out is whether there
> are any known DOS situations out there. If so what needs to be done to take care of
> the problem.
There are two "problems" with a vanilla qmail installation I can think of:
1) if an aggressor sends zillions of emails to a non-existing local
address qmail-smtpd will - unlike a lot of other smtpds - accept
the messages, pass them through its delivery mechanism and bounce
them back creating bounce messages itself.
qmail-smtpd cannot decide at SMTP level whether a user exists or not.
It is IMHO a question of definition whether you will call this a
DoS vulnerability.
2) is only applicable if the qmail server is acting as a relay to the final
MTA. If again an aggressor sends zillions of emails to (non-existing) local
addresses (even with multiple RCPT TO commands in one SMTP session)
qmail-remote will send one mail per recipient to the final MTA. If this
final MTA is also qmail you again have situation 1) and if the user does
not exist, qmail will return a bounce message for each message
received, regardless of what type of SMTP receiver the final MTA is.
This could cause the receiver of the bounces problems and some people
claimed that - because of that - qmail could be used to DoS other systems
(e.g. by faking the sender address).
I'd personally not call any of the two situations DoS vulnerabilities,
others might want to. Your mileage may vary.
\Maex
--
SpaceNet AG | http://www.Space.Net/ | Stress is when you wake
Research & Development | mailto:[EMAIL PROTECTED] | up screaming and you
Joseph-Dollinger-Bogen 14 | Tel: +49 (89) 32356-0 | realize you haven't
D-80807 Muenchen | Fax: +49 (89) 32356-299 | fallen asleep yet.
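The situations above (mail accepted for non-existent local users, then bounced to a possibly forged envelope sender) leave a characteristic trace in the qmail-send log: many "info msg ... from <sender>" lines sharing one envelope sender, each followed by a "bounce msg" line. The script below is an added example, not code from the original post or from the qmail project; it scans qmail-send log text for envelope senders whose messages almost all end in bounces, which is how a forged sender being flooded with backscatter would show up. The log lines are constructed samples in the qmail-send line format, and the thresholds `min_bounces` and `min_ratio` are assumed values for illustration.

```python
"""Detect bounce amplification (backscatter) in qmail-send logs.

Added example, not part of the original post or of qmail. The log text
below is a constructed sample in the qmail-send format (new msg / info
msg / starting delivery / delivery / bounce msg / end msg).
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture). Three messages claim the same
# envelope sender <victim@example.org>, are addressed to non-existent local
# users, and each generates a bounce; one legitimate message is delivered;
# one of the bounces itself shows up as a new message with an empty sender.
SAMPLE_LOG = """\
new msg 1001
info msg 1001: bytes 512 from <victim@example.org> qp 2001 uid 1000
starting delivery 1: msg 1001 to local nosuchuser1@mail.example.net
delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
bounce msg 1001 qp 2002
end msg 1001
new msg 1005
info msg 1005: bytes 1200 from <> qp 2002 uid 1000
starting delivery 2: msg 1005 to remote victim@example.org
delivery 2: success: 203.0.113.10_accepted_message./
end msg 1005
new msg 1002
info msg 1002: bytes 480 from <victim@example.org> qp 2003 uid 1000
starting delivery 3: msg 1002 to local nosuchuser2@mail.example.net
delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
bounce msg 1002 qp 2004
end msg 1002
new msg 1003
info msg 1003: bytes 2048 from <alice@example.com> qp 2005 uid 1000
starting delivery 4: msg 1003 to local bob@mail.example.net
delivery 4: success: did_0+0+1/
end msg 1003
new msg 1004
info msg 1004: bytes 500 from <victim@example.org> qp 2006 uid 1000
starting delivery 5: msg 1004 to local nosuchuser3@mail.example.net
delivery 5: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
bounce msg 1004 qp 2007
end msg 1004
"""

INFO_RE = re.compile(r"^info msg (\d+): bytes \d+ from <([^>]*)> ")
BOUNCE_RE = re.compile(r"^bounce msg (\d+) ")


def _strip_timestamp(line):
    """Drop a leading multilog tai64n timestamp ("@4000000...") if present."""
    if line.startswith("@"):
        parts = line.split(" ", 1)
        return parts[1] if len(parts) == 2 else ""
    return line


def bounce_stats(log_text):
    """Return {envelope_sender: (messages_seen, bounces_generated)}.

    Message ids are tracked in order of appearance, which is enough because
    qmail-send reuses an id only after the corresponding "end msg" line.
    """
    sender_of = {}
    stats = defaultdict(lambda: [0, 0])
    for raw in log_text.splitlines():
        line = _strip_timestamp(raw)
        m = INFO_RE.match(line)
        if m:
            msg_id, sender = m.groups()
            sender_of[msg_id] = sender
            stats[sender][0] += 1
            continue
        m = BOUNCE_RE.match(line)
        if m:
            sender = sender_of.get(m.group(1))
            if sender is not None:
                stats[sender][1] += 1
    return {s: tuple(v) for s, v in stats.items()}


def backscatter_suspects(log_text, min_bounces=3, min_ratio=0.8):
    """Envelope senders whose messages overwhelmingly turn into bounces.

    Thresholds are assumed illustrative values. A hit means this server is
    generating bounce traffic toward that address; whether the address was
    forged is for the operator to judge. Result: [(sender, msgs, bounces)].
    """
    out = []
    for sender, (msgs, bounces) in bounce_stats(log_text).items():
        if bounces >= min_bounces and bounces / msgs >= min_ratio:
            out.append((sender, msgs, bounces))
    return sorted(out, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for sender, msgs, bounces in backscatter_suspects(SAMPLE_LOG):
        print(f"{sender}: {bounces} of {msgs} messages bounced")
```

Run it against a real qmail-send log (with or without multilog timestamps) instead of `SAMPLE_LOG` to see which envelope senders are currently receiving most of the bounces the server generates; the empty sender `<>` is the bounce messages themselves and is never flagged, since bounces to it are double-bounces rather than backscatter.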