Sonicwall Signatures


  All Categories

Category: SMTP

SMTP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent SMTP-related intrusions. SMTP or Simple Mail Transfer Protocol is the dominant text-based protocol used to transfer mail over the internet. However, because it is the de facto standard that defines how Mail Transfer Agents (MTAs) "speak" to one another when sending mail, SMTP is widely used by attackers to compromise mail servers. Using malformed SMTP requests, attackers can exploit vulnerabilities in MTAs, causing them to malfunction, and allowing the attackers to execute arbitrary commands on these servers, corrupt or steal sensitive information, or cause the server to crash, shutting down all e-mail communication through that server. The attacks are generally specific to the MTA that is running on the server.

The most commonly used MTA is Sendmail, and so a majority of SMTP attacks target this application. Sendmail is the stantard MTA for UNIX derivative operating systems. Attackers targeting Sendmail can use one of several techniques including:

  • Bounce to Program Attacks: Sendmail treats messages it recieves as data, but in certain instances, attackers can convince send mail to see those messages as code, and make the server run arbitrary commands. Attackers can use two methods to do this. One way is to send mail directly to the "decode" alias on a server, an alias that the server uses as a proxy to pipe uuencoded messages to a decode program. By sending the message straight to the decode alias, attackers can cause the decode program to malfunction, and execute code contained in the message. The second method allows the server to do the rerouting itself. By specifying invalid "mail from" and "rcpt to" fields, the attacker could trick Sendmail into routing the e-mail to a program and running commands, allowing the message to act as input. In both of these cases, attackers can run arbitrary code on a machine, overwrite sensitive files, or make the server crash causing a denial of service for mail clients.

  • Ident Attacks: Later Sendmail versions support the ident protocol which attempts to better identify the sender of an e-mail message by "calling back" to the system that sent it. The server asks the originating system for the name of the owner of the established connection, then waits to see if the originating system has any queries. Attackers can take advantage of this connection and send malformed queries back to the server, possibly enabling them to take control of the machine.

  • Buffer Overflow Attacks: Attackers could cause a buffer overflow by inserting specially crafted input into some fields of a message. Although uncommon, these attacks are also dangerous, allowing attackers to take control of a server.

Sendmail attacks were made all the more damaging, up to the latest version, because it was run by default with root privileges, allowing attackers who compromised the MTA to take full control of the server.

These vulnerabilites, however, are not confined to Sendmail: MTAs that implement SMTP including CSM Mail Server, Microsoft Exchange Server, and NetWin DSMTP server all have similar buffer overflow and request mishandling vulnerabilities.

SonicWALL SMTP signatures are classified from low- to high-priority, and when enabled for prevention, can keep suspicious SMTP requests from reaching a mail server in the first place. Still, it is still important to note that security patches and updated versions for the above software are available from their vendors which close up vulnerabilites to SMTP attacks. SonicWALL signatures should be used in conjunction with, rather than as a replacement for, such critical sotware updates.

  Malformed SMTP ETRN Command
  ClamAV Milter Blackhole-Mode Remote Code Execution 1
  SmarterTools SmarterMail XSS 1
  Malformed SMTP HELO Command 1
  SpamAssassin Milter Plugin Remote Command Execution
  Exim sender_address Remote Code Execution 1
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 1
  BitDefender Antivirus Logging Function Format String Attack
  SMTP Server Directory Traversal
  Malformed SMTP Request 2
  Malformed SMTP Request 3
  SMTP Request Smuggling 1
  SMTP Request Smuggling 2
  SMTP Request Smuggling 3
  SoftiaCom WMailserver Buffer Overflow
  Malformed SMTP EHLO Command
  Suspicious email Attachment (SMTP) 1
  Exim sender_address Remote Code Execution 2
  Malformed SMTP Request 4
  Mozilla Thunderbird Content-Type Header Heap Buffer Overflow (SMTP)
  Dovecot with Exim Remote Command Execution
  Malformed SMTP AUTH Command
  ClamAV Milter Blackhole-Mode Remote Code Execution 2
  Malformed SMTP Request 1
  Malformed Content-Type Header in SMTP Request
  Micro Focus GroupWise Internet Agent RRULE Buffer Overflow
  STARTTLS Plaintext Command Injection
  Exim4 string_format Function Heap Buffer Overflow
  Postfix AUTH Command Remote Code Execution 1
  Postfix AUTH Command Remote Code Execution 2
  NJStar Communicator MiniSMTP Server Buffer Overflow 1
  NJStar Communicator MiniSMTP Server Buffer Overflow 2
  Suspicious email Attachment (SMTP) 2
  SMTP VRFY root Command
  Postfix AUTH Command Remote Code Execution 3
  Dovecot rfc822_parse_domain Information Disclosure
  Suspicious email Attachment (SMTP) 3
  Google Docs Phishing email
  Exim receive_msg Function DoS 1
  Exim receive_msg Function DoS 2
  Exim deliver_message Remote Command Execution 1
  Exim deliver_message Remote Command Execution 2
  Exim deliver_message Remote Command Execution 3
  Exim deliver_message Remote Command Execution 4
  Microsoft Outlook Memory Corruption Vulnerability (AUG 19) 1
  Malformed SMTP HELO Command 2
  Malformed SMTP MAIL FROM Command 1
  Malformed SMTP MAIL FROM Command 2
  OpenSMTPD smtp_mailaddr Remote Command Execution
  OpenSMTPD mta_session.c Remote Command Execution
  SmarterTools SmarterMail XSS 2
  Microsoft Outlook Double Free Vulnerability (MS13-068)
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 2
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 3
  Roundcube Webmail SVG XSS
  Exim AUTH Out-Of-Bounds Write 1
  Exim AUTH Out-Of-Bounds Write 2
  Micro Focus GroupWise Internet Agent iCalendar DoS 1
  Micro Focus GroupWise Internet Agent iCalendar DoS 2

Relevant Information