search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Lotus Domino SMTP Server Allows Anonymous Relay of Quoted Addresses

Vulnerability Note VU#176972

Original Release Date: 2001-03-02 | Last Revised: 2001-03-11

Overview

Lotus Domino includes an SMTP server. Under certain configurations, an intruder may be able to relay mail to third parties through the Domino SMTP server.

Description

An "open" mail server is one that will send mail that is not addressed to and does not originate from a local user. Open mail servers are sometimes called "open mail relays", "mail relays", "third-party mail servers" or similar names. Intruders who wish to conceal their true location often send mail through an open mail server. For more information on open mail servers, see

http://maps.vix.com/tsi/ar-what.html

Lotus Domino includes anti-relay provisions to prevent intruders from sending mail through a Domino SMTP server to third parties. However, by carefully constructing a mail message, an intruder can circumvent the safeguards provided by Domino, effectively turning Domino SMTP server into an open mail relay. A portion of an SMTP dialog showing exploitation of this vulnerability may appear as follows:

220 mailserver.example.org Lotus SMTP MTA Service Ready
helo attacker.org
250 kb.cert.org
mail from: spoofed_address@apparently-valid-site.com
250 OK
rcpt to: <"attacker@attacker.org, third-party@thirdparty.org"@example.org>... Recipient ok
250 OK

Mail in this case may be delivered to third-party@thirdparty.org, apparently from spoofed_address@apparently-valid-site.com in violation of example.org's rules against the relaying of mail.

We have received reports indicating this attack is being actively used by intruders and provide this information to assist in the development of safeguards.

Impact

Intruders can use Lotus Domino SMTP servers to relay mail to arbitrary third parties.

Solution

Apply an update from Lotus when it is available. Lotus is tracking this issue as SPR# MLOT4THVGP. See their vendor statement for additional information.

Until an update is available, you can avoid this problem through several techniques. First, you can use the anti-relay facilities provided by Domino. By putting a "*" in the "Deny messages from external Internet domains to be sent to the following Internet domains" field you can prevent mail originating externally from being delivered to a third-party site. Second, a third-party mail server (such as sendmail) may be able to filter out certain types of messages. For sendmail 8.10 and later, it has been reported that editing /etc/mail/sendmail.cf file and changing the line that reads "Kdequote dequote" to "Kdequote dequote -S" stops attempts to exploit this weakness.

Vendor Information

176972
 
Expand all

Lotus Affected

Notified:  February 02, 2001 Updated: March 10, 2001

Status

Affected

Vendor Statement

Lotus is tracking this issue as SPR# MLOT4THVGP and a fix is planned for an upcoming Quarterly Maintenance Release (QMR). When this issue is addressed, it will be posted in the Fix List Database at http://www.notes.net/r5fixlist.nsf. Lotus has documented this issue in Technote # 184810, "Use of Domino SMTP Server as an Open Relay", which is posted to the Knowledge Base at http://support.lotus.com/sims2.nsf/eb5fbc0ab175cf0885256560005206cf/a26c16841a26b2ae85256a02007cdf5d?OpenDocument&Highlight=0,184810.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://maps.vix.com/tsi/ar-what.html

Acknowledgements

Our thanks to Kreigh Tomaszewski, James Kersjes, Joe McMahon and Al Wever of Alticor, Inc., and Richard Rongle of Sendmail, Inc., for reporting this problem and providing technical assistance.

This document was written by Shawn V. Hernan

Other Information

CVE IDs: None
Severity Metric: 2.63
Date Public: 2001-03-01
Date First Published: 2001-03-02
Date Last Updated: 2001-03-11 03:46 UTC
Document Revision: 8

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis