Check Point Reference: SBP-2010-06
Date Published: 19 Jan 2010
Last Updated: Friday 01 January, 2010
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? SMTP Mail Servers
Vulnerability Description: Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP is specified for outgoing mail transport and uses TCP port 25.
There are several serious security limitations with the SMTP protocol that allow malicious attackers to compromise a remote server, gain full access rights or launch denial of service (DoS) attacks.
Vulnerability Details: IPS offers several preemptive protections against SMTP-related vulnerabilities:
Bad SMTP Server Greeting - An SMTP server greeting which is not "220" could indicate problems in the mail server. In this case, it is best to reject connections made to the server, in order to prevent an attacker from exploiting the situation. By activating this protection, IPS can detect or prevent SMTP connections to SMTP servers which return a bad initial greeting.
Binary Data In SMTP Commands - An attacker might attempt to inject code into the SMTP server by using binary characters as parameters for SMTP commands. By activating this protection, IPS can detect or prevent binary data in SMTP commands.
Microsoft Exchange Server Commands - The XEXCH50, X-LINK2STATE and X-EXPS SMTP commands should only be used between two Microsoft Exchange servers. By activating this protection, IPS can detect or prevent Microsoft Exchange commands.
Non Compliant SMTP - Unexpected characters used in SMTP connections might indicate an attempt to attack the mail server. By activating this protection, IPS can detect or prevent SMTP connections which cannot be inspected because they violate the fundamentals of the SMTP protocol.
SMTP Private Commands - Private-use SMTP commands, as defined in RFC 2821, might be unsafe to use. By activating this protection, IPS can detect or prevent private-use SMTP commands.
SMTP Recipients with No Domain Name - Spam solicitors and other attackers may try to perform an Email address harvesting attack by sending emails to addresses which contain only the user portion of the address (without the domain portion). By activating this protection, IPS can detect or prevent attempts to deliver emails to addresses which do not contain a domain name.
SMTP STARTTLS Command - Block attempts to use encrypted TLS sessions for SMT
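The protections above map onto simple per-line checks on an SMTP session. The following is an added example, not Check Point's code: it runs the greeting, binary-data, Exchange-command, private-command and recipient-domain checks over a constructed transcript, assuming an "S:"/"C:" line format and treating verbs beginning with "X" as RFC 2821 private-use commands.

```python
import re

# Commands the advisory says should only be exchanged between two Microsoft Exchange servers.
EXCHANGE_ONLY = {"XEXCH50", "X-LINK2STATE", "X-EXPS"}
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]*)>", re.IGNORECASE)

# Constructed sample transcript (not captured traffic); "S:" is the server, "C:" the client.
SAMPLE_SESSION = [
    "S: 220 mail.example.test ESMTP ready", "C: EHLO client.example.test",
    "C: MAIL FROM:<alice@example.test>", "C: RCPT TO:<bob>",
    "C: XEXCH50 1024 2", "C: XCUSTOM foo", "C: DATA\x00\x01",
]

def check_greeting(reply: str) -> list:
    """Bad SMTP Server Greeting: the initial banner must carry reply code 220."""
    return [] if reply.split(" ", 1)[0] == "220" else ["bad_greeting"]

def check_command(line: str) -> list:
    """Apply the command-side rules to one client line (CR/LF already stripped)."""
    findings = []
    # Binary Data In SMTP Commands: any character outside printable ASCII.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in line):
        findings.append("binary_data")
    verb = line.split(" ", 1)[0].upper()
    if verb in EXCHANGE_ONLY:
        findings.append("exchange_command")
    elif verb.startswith("X"):
        # RFC 2821 section 4.1.5 reserves verbs beginning with "X" for private use.
        findings.append("private_command")
    match = RCPT_RE.match(line)
    if match:
        address = match.group(1)
        # RFC 2821 requires accepting <Postmaster> with no domain; everything else needs one.
        if "@" not in address and address.lower() != "postmaster":
            findings.append("recipient_without_domain")
    return findings

def inspect_session(lines: list) -> list:
    """Walk an 'S: ...' / 'C: ...' transcript and return (line, finding) pairs."""
    results, greeting_seen = [], False
    for raw in lines:
        side, _, text = raw.rstrip("\r\n").partition(": ")
        if side == "S" and not greeting_seen:  # only the first server line is the greeting
            greeting_seen = True
            results += [(text, f) for f in check_greeting(text)]
        elif side == "C":
            results += [(text, f) for f in check_command(text)]
    return results
```

Running `inspect_session(SAMPLE_SESSION)` yields one finding each for the domain-less recipient, the XEXCH50 command, the XCUSTOM private command and the NUL bytes in the DATA line; a banner other than 220 would add a bad_greeting finding for the server's first line.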