Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Spam relaying via IIS
From: full-disclosure () lists netsys com (Geo.)
Date: Thu, 25 Jul 2002 09:59:35 -0400

On 7/12/02 the below advisory was released by Portcullis, I was wondering if
anyone has heard about a patch for it yet?


                        Portcullis Security Advisory

IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability

Update to Microsoft Security Bulletin (MS99-027):
NT Exchange Server Encapsulated SMTP Address Vulnerability.

Vulnerability discovery and development:

Thomas Liam Romanis (Security Testing Services Manager)
Geoff M Webb (Technical Manager)
James R Turner (Senior Technical Engineer)

Affected systems:

IIS 4.0
Microsoft SMTP Service

IIS 5.0
Microsoft SMTP Service

IIS 5.1
Microsoft SMTP Service not tested yet.


Laurent Frinking of Quark Deutschland GmbH originally discovered this
vulnerability. At that time the discovery concerned all versions of
Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.

Portcullis have discovered that the Microsoft SMTP Service available with
IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
vulnerability even with anti-relaying features enabled.
This vulnerability allows hosts that are not authorized to relay e-mail via
the SMTP server to bypass the anti-relay features and send mail to foreign


The anti-relay rules will be circumvented allowing spam and spoofed mail to
be relayed via the SMTP mail server.

Spam Mail:
If the Microsoft IIS SMTP Server is used to relay spam mail this could
result in the mail server being black holed causing disruption to the

Spoofed e-mail:
As the Microsoft IIS SMTP Service is most often utilised in conjunction with
IIS for commercial use this flaw could be used in order to engineer
customers particularly because spoofed e-mail relayed in this way will show
the trusted web server in the SMTP header.


220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready
Tue, 28 May 2002 14:54:10 +0100
250 test-mailer Hello [IP address of source host]
MAIL FROM: test () test com
250 2.1.0 test () test com    Sender OK
RCPT TO: test2 () test com
550 5.7.1 Unable to relay for test () test com
RCPT TO: IMCEASMTP-test+40test+2Ecom () victim co uk
250 2.1.5 IMCEASMTP-test+40test+2Ecom () victim co uk
354 Start mail input; end with <CRLF>.<CRLF>
Subject: You are vulnerable.

Copyright © Portcullis Computer Security Limited 2002, All rights reserved

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and
Dragon IDS Technical Product Manager

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]