
Flaw Description
----------------

There is an issue with unpatched copies of Microsoft Small Business Server 2003 that can generate very large amounts of duplicate email. If its POP collector receives an email for a large number of recipients (in the To: or CC: field), it will deliver the mail to the user within its domain as usual, but also resend the email to all the other recipients of the original email. This resent email will appear to be a duplicate of the original email with a couple of small differences: the headers will show the resending SBS 2003 mail server in the routing information, and one of the email addresses in the To: list (the address of the user at the domain where the problem server resides) will have the string "mspop3connector." attached to the front. This is because of the way the POP connector used by SBS works. It receives the email from the POP account, finds the email addresses that contain its local domain, and adds the string to those addresses. It then forwards that modified email to the mail server by SMTP. It is while it does this that it also resends the email out to all the other recipients.
This flaw causes problems when an email has hundreds or thousands of recipients in the To: or CC: list. Because Microsoft Small Business Server 2003 is a popular mail server, there may be many such unpatched servers receiving this one email. The percentage is usually around 0.5% - 1% of the total number of recipients. When more than one server has this problem, the email resent by one will be received and replicated by another.
When only two servers are involved, the replication will typically generate between 200 and 2000 emails to each person on the recipient list. More unpatched SBS machines increase the number of emails dramatically, and the amount of traffic generated makes it difficult to gauge how many emails can be produced. With ten affected servers, the amounts will be of the order of 100,000 emails each. Individual SBS machines will generate varying amounts of email depending on their situation, but one report had an affected server with 2.5 million emails in the outbound queue.
The sender of the original email will have a major problem, as each replicated email will still have their address listed as the From: and Reply-To:. When the flood of emails fills up inboxes and administrators block the sender's address, all the bouncebacks will be sent to the original sender. The amount of returning email can get into the tens of millions in the particularly bad cases, and is virtually never below the 10,000 mark.
The above problems get worse if the email has an attachment. One affected business had their 512k leased line maxed out for a full 9 days as 20 million emails, each containing the original 3.4 MB attachment, bounced back.
The PR damage to a company that sent the original email can be major. The vast majority of the recipients will not understand the reasons behind the replication, and simply get annoyed with the sending company filling up their inboxes and clogging the bandwidth. Threats of legal action have been made, against the sender as well as any ISP through which the mail may pass; these threats are withdrawn once they realise the actual cause of the problem. Two of these outbreaks appeared in The Register, a popular UK IT news site (links below), and the first of these was a story on the local Manchester ITV evening news (see Example-311150.txt).
http://www.theregister.co.uk/2004/11/30/email-outbreak/
http://www.theregister.co.uk/2005/01/29/bo_mailing_list_chaos/
There are several defining characteristics of these emails.
1. The email address with "mspop3connector." prepended to it. This should never appear outside of a Small Business Server. Emails routed between networks with this string on an email address are duplicates created by this problem. The name attached to this altered email address is often "IMB Recipient" followed by a one, two or three digit number.
2. The large number of recipients. This problem has occurred with To: lists as small as 10, but the amount of email generated at that scale is not a problem. The replication becomes an issue when the list of recipients gets greater than 50.
3. The repeated domains in the headers. As an email is resent from server to server, the headers will show each step. Identifying unpatched SBS servers is done by examining the routes that the emails take and noticing email servers that the email has passed through but should not. If there are lines such as "Delivered-To:", "X-Original-To:", "X-Mdrcpt-To:", "X-Mdaemon-Deliver-To:" that reference neither the sender nor the final recipient of the email, then the referenced domains are very likely to be SBS 2003 replicating servers. See examples for a clearer idea.
There is nothing in the body that could help to identify replicated emails. Note that the headers can often appear jumbled; this is unfortunately not consistent.
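The three characteristics above can be checked mechanically at a mail gateway. The following is an added example (not part of the original advisory) that parses one message and reports the "mspop3connector." prefix, "IMB Recipient" display names, the recipient count, and trace headers naming a domain that is neither the sender's nor the final recipient's. The sample message, its hosts and addresses are constructed placeholders.

```python
import email
from email import policy

# Constructed sample of a replicated message as the advisory describes it;
# hosts and addresses are placeholders, not real servers.
SAMPLE = """\
Received: from sbs.replicator.example (placeholder) by mx.recipient.example
  with ESMTP; Mon, 29 Nov 2004 10:00:00 +0000
X-Original-To: user@replicator.example
From: newsletter@sender.example
Reply-To: newsletter@sender.example
To: "IMB Recipient 12" <mspop3connector.user@replicator.example>,
  alice@recipient.example, bob@other.example
Subject: Company update

Body text is of no use for detection.
"""

# Delivery-trace headers the advisory lists as worth inspecting.
TRACE_HEADERS = ("Delivered-To", "X-Original-To", "X-Mdrcpt-To", "X-Mdaemon-Deliver-To")


def analyze(raw, local_domain):
    """Check one raw message against the advisory's three characteristics.
    local_domain is the domain of the mailbox that finally received it."""
    msg = email.message_from_string(raw, policy=policy.default)
    recipients = [a for h in ("To", "Cc") for hdr in msg.get_all(h, []) for a in hdr.addresses]
    sender_domains = {msg[h].addresses[0].domain.lower() for h in ("From", "Reply-To") if msg[h]}
    # 1. an address carrying the POP connector's "mspop3connector." prefix
    tagged = [a.addr_spec for a in recipients if a.username.lower().startswith("mspop3connector.")]
    imb_names = [a.display_name for a in recipients if a.display_name.startswith("IMB Recipient")]
    # 3. trace headers naming a domain that is neither sender nor final recipient
    suspect = set()
    for name in TRACE_HEADERS:
        for value in msg.get_all(name, []):
            addr = str(value).strip().strip("<>")
            dom = addr.rsplit("@", 1)[-1].lower()
            if "@" in addr and dom not in sender_domains and dom != local_domain.lower():
                suspect.add(dom)
    return {
        "tagged_addresses": tagged,
        "imb_names": imb_names,
        "recipient_count": len(recipients),  # 2. large recipient lists
        "suspect_domains": sorted(suspect),
        "replicated": bool(tagged) or bool(suspect),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE, "recipient.example"))
```

A hit on "tagged_addresses" is the strongest signal; "suspect_domains" is where to look for the replicating server's domain.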

Crafting an attack using this flaw
----------------------------------
This flaw can be used for the purpose of DDoSing a mail server with bouncebacks as well as damaging a company's PR.

1. Get a list of domains which have the Microsoft Small Business Server 2003 running on them. This can be achieved by a particular Google search (see Finding SBS 2003 link below), or finding a list of businesses that have purchased this software.
2. Get a list of suppliers/customers/partners of the target company.
3. Construct a "To:" list, aiming to send email to postmaster@ and abuse@ addresses for all the domains in the previous two lists. Specific user addresses should be added if available, especially if they are within the target's domain. Aim for a few thousand addresses.
4. The email itself should avoid looking like spam to ensure it is not blocked by any scanning systems. It should be large however - just under 2MB would probably be a good amount.
5. The email should be sent through a legitimate seeming IP address, and spoofed so that the "From:" and "Reply-to:" headers are pointing to the domain of the target company.

With a large number (roughly 15) of unpatched SBS 2003 machines in the list, this will cause a damaging amount of replication. Each email address on the list will receive thousands, potentially tens of thousands, of 2MB emails. The target company will receive millions of bounceback emails, most of which will be 2MB. A deliberate use of this flaw as detailed above would be able to reach many more unpatched SBS 2003 machines, and it is not clear how the problem would scale.

References
----------
Register links of SBS stories
http://www.theregister.co.uk/2004/11/30/email-outbreak/
http://www.theregister.co.uk/2005/01/29/bo_mailing_list_chaos/
SBS Blog story and comments
http://msmvps.com/bradley/archive/2004/05/21/6920.aspx
Finding SBS 2003 - Johnny
http://johnny.ihackstuff.com/index.php?module=prodreviews&func=showcontent&id=763
(http://www.google.com/search?q=inurl%3AConnectComputer%2Fprecheck.htm+%7C+inurl%3ARemote%2Flogon.aspx)
Link to advice for people affected with this issue
http://www.sbslinks.com/popconnector.htm
Microsoft patch
http://www.microsoft.com/downloads/details.aspx?FamilyId=7B1FF109-092E-4418-AA37-A53AF7B8F6FC&displaylang=en
