[CrackMonkey] One more for the .muttrc from Hell

Don Marti dmarti at zgp.org
Mon Sep 25 11:33:28 PDT 2000


----- Forwarded message from Lee Ann Goldstein <leeann at RAND.ORG> -----

Date:         Sun, 24 Sep 2000 20:00:01 -0700
From: Lee Ann Goldstein <leeann at RAND.ORG>
Subject:      Re: Possible Exchange 5.5 Server DoS
To: BUGTRAQ at SECURITYFOCUS.COM
Delivered-To: dmarti at zgp.org
Approved-By: aleph1 at SECURITYFOCUS.COM
Delivered-To: bugtraq at lists.securityfocus.com
Reply-To: Lee Ann Goldstein <leeann at RAND.ORG>

--Your message was: (from Christer Enberg)
>
> This happened early this morning on one of our mailservers running Exchange
> 5.5 on WinNT4 OP5.
> Suddenly the Information Store (STORE.EXE) crashed with a strange error
> saying something in the way of
> "Error while processing an email message", restarting both the server and
> all of Exchange's components
> has no effect at all. The only way of solving this problem as I discovered
> is to shut down all Exchange Services
> and Totally remove the content of the IMCDATA directory containing the mail
> queues and then restart exchange.
>
> It seems that the attachment line is the problem, by removing the attachment
> and sending the mail nothing happens.
>
> Anyone know of some more information about this "DoS" attack or how it can
> be prevented,
> I have not seen any off things in the mail that would bring an Exchange
> server to a stop.

I want to confirm that we had this exact problem with our Exchange
news server last week- a message with a null MIME header would repeatedly
crash the Information Store. Fortunately, Exchange did not accept the
message, so all we had to do was remove the offending message from our Unix
news hub. ("all" - they had to use a packet sniffer to identify the message)

I am including the message (indented with "> " but otherwise intact) below.

> This message has been sent to Microsoft who has not yet given any answer.

Our support vendor is also working with Microsoft on this.

Lee Ann

--------------message start
> Path: lumberjack.rand.org!new01lax-pilot.pilot.net!cyclone01-oak.pilot.net!cyclone00a-oak.pilot.net!news-out.cwix.com!newsfeed.cwix.com!newsfeed.gamma.ru!Gamma.RU!feed2.onemain.com!feed1.onemain.com!cyclone-sf.pbi.net!216.65.16.3!news-in.nibble.net!nntp-relay.ihug.net!ihug.co.nz!sn-xit-02!supernews.com!sn-inject-01!corp.supernews.com!not-for-mail
> From: bugsgamma at gamma.freedom.net
> Newsgroups: alt.alt.test
> Subject: sdkjfhklsjdfhlkjsafhdlkhdsaf
> Date: Thu, 14 Sep 2000 12:27:04 -0400
> Organization: Posted via Supernews, http://www.supernews.com
> Lines: 19
> Message-ID: <ss1uv0qqct678 at corp.supernews.com>
> X-Complaints-To: newsabuse at supernews.com
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary = ""
> Xref: lumberjack.rand.org alt.alt.test:17492
>
>
>
> Zero-Knowledge MIME Encapsulated Message
>
>
> --
> Content-Type: text/plain
>
>
>
>
>
>
>
> ________________________________________________________________________
> Total Internet Privacy -- get your Freedom Nym at http://www.freedom.net
>
>
> ----
--------------message end

--
Lee Ann Goldstein, Computing Services
RAND Corp., Santa Monica, CA 90407-2138
leeann at rand.org

----- End forwarded message -----

-- 
Don Marti                                This email brought to you
dmarti at zgp.org                           by the number 67 and the 
http://zgp.org/~dmarti/                  operator XOR.
whois DM683     Software patent reform now: http://burnallgifs.org/
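
Added example, not part of the original posts: a check that a Unix mail or news hub could run before relaying to a downstream server. It flags multipart messages whose boundary parameter is missing, empty (as in the message quoted above), or longer than the 70 characters RFC 2046 allows. The function names and the sample messages are constructed for illustration.

```python
from email.parser import BytesHeaderParser

MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters


def check_multipart_boundary(raw: bytes):
    """Return a reason string if a multipart boundary is unusable, else None."""
    # Parse headers only, so a malformed body is never walked as MIME parts.
    msg = BytesHeaderParser().parsebytes(raw)
    if msg.get_content_maintype() != "multipart":
        return None
    boundary = msg.get_boundary()  # None when the parameter is absent
    if boundary is None:
        return "multipart without a boundary parameter"
    if boundary == "":
        return "multipart with an empty boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return "boundary longer than 70 characters"
    return None


# Constructed samples; the first reuses the Content-Type line quoted above.
SAMPLES = {
    "empty": b'Subject: t\nMIME-Version: 1.0\n'
             b'Content-Type: multipart/mixed; boundary = ""\n\n--\n\n----\n',
    "missing": b"Subject: t\nContent-Type: multipart/mixed\n\nbody\n",
    "valid": b'Subject: t\nContent-Type: multipart/mixed; boundary="b1"\n\n'
             b"--b1\nContent-Type: text/plain\n\nhi\n--b1--\n",
    "plain": b"Subject: t\nContent-Type: text/plain\n\nhi\n",
}


def scan(samples):
    """Map each sample name to its finding (None means relay as usual)."""
    return {name: check_multipart_boundary(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, finding in scan(SAMPLES).items():
        print(f"{name}: {finding or 'ok'}")
```

A hub that holds flagged messages for review keeps them out of the downstream queue, instead of having to find them afterwards with a packet sniffer.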




