Vulnerability Note VU#176972
Lotus Domino SMTP Server Allows Anonymous Relay of Quoted Addresses
Lotus Domino includes an SMTP server. Under certain configurations, an intruder may be able to relay mail to third parties through the Domino SMTP server.
An "open" mail server is one that will send mail that is not addressed to and does not originate from a local user. Open mail servers are sometimes called "open mail relays", "mail relays", "third-party mail servers" or similar names. Intruders who wish to conceal their true location often send mail through an open mail server. For more information on open mail servers, see
220 mailserver.example.org Lotus SMTP MTA Service Ready
mail from: firstname.lastname@example.org
rcpt to: <"email@example.com, firstname.lastname@example.org"@example.org>... Recipient ok
Mail in this case may be delivered to email@example.com, apparently from firstname.lastname@example.org in violation of example.org's rules against the relaying of mail.
We have received reports indicating this attack is being actively used by intruders and provide this information to assist in the development of safeguards.
Intruders can use Lotus Domino SMTP servers to relay mail to arbitrary third parties.
Apply an update from Lotus when it is available. Lotus is tracking this issue as SPR# MLOT4THVGP. See their vendor statement for additional information.
Until an update is available, you can avoid this problem through several techniques. First, you can use the anti-relay facilities provided by Domino. By putting a "*" in the "Deny messages from external Internet domains to be sent to the following Internet domains" field you can prevent mail originating externally from being delivered to a third-party site. Second, a third-party mail server (such as sendmail) may be able to filter out certain types of messages. For sendmail 8.10 and later, it has been reported that editing /etc/mail/sendmail.cf file and changing the line that reads "Kdequote dequote" to "Kdequote dequote -S" stops attempts to exploit this weakness.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Lotus||Affected||02 Feb 2001||10 Mar 2001|
CVSS Metrics (Learn More)
Our thanks to Kreigh Tomaszewski, James Kersjes, Joe McMahon and Al Wever of Alticor, Inc., and Richard Rongle of Sendmail, Inc., for reporting this problem and providing technical assistance.
This document was written by Shawn V. Hernan
- CVE IDs: Unknown
- Date Public: 01 Mar 2001
- Date First Published: 02 Mar 2001
- Date Last Updated: 10 Mar 2001
- Severity Metric: 2.62
- Document Revision: 6
If you have feedback, comments, or additional information about this vulnerability, please send us email.