Thursday, April 19, 2007

IT Pro Townhall Meeting in Redmond

This week I've had the chance to take part in an IT Pro Townhall meeting up here in Redmond, which gave me the opportunity to "voice my concerns" about the Vista copy protection problem to other IT pros and even a couple of Microsoft folks. We'll see what happens from it.

In any case, I've had a great time meeting a number of people: Jeff Hicks from scriptinganswers.com (Sapien), Jeffrey Snover (Windows PowerShell team), Darren Mar-Elia (gpoguy.com), Mark Minasi (minasi.com), Susan Bradley (sbsdiva.com), Mark Burnett (the LogParser book guy), and last (but not least) Karen Forster, editorial and strategy director for Windows IT Pro magazine (she's the one who recommended me for the event). Our last session of the day was a short sit-down with Steve Ballmer, and a few people were able to ask him some questions. It was an interesting and informative event.

Not surprisingly, licensing seemed to be a recurrent pain for us all. One participant made the suggestion that if Microsoft, internally, had to deal with their own licensing schemes that the rest of us are forced to put up with, the problem would go away...

Friday, April 13, 2007

How smart is your spam filter? (Part 2)

Back in February, I wrote about how GFI MailEssentials (a widely-used anti-spam product) can't reject invalid recipients at the SMTP level. It's funny, because I pointed out to them in their product support forum that this makes it possible to exploit their software to send backscatter spam. It appears that they don't take feedback seriously, or they don't understand the problem, because I exploited one of their own servers to send backscatter to myself. Before I explain how I did this, though, I need to provide a bit of detail about the MailEssentials software.

The MailEssentials software has a Bayesian statistical filter that you can "train" to distinguish legitimate mail from spam. One way to do this is to forward a message to rcommands@mailessentials.com and include a command at the top of the message. The program detects this destination address on outgoing mail, checks the message for the command, and updates the Bayesian database accordingly.

Apparently, the mailessentials.com domain name is itself protected by MailEssentials, because recently I started getting bogus NDRs (non-delivery reports) when updating my Bayesian database. First, I looked up the MX records for this domain name. Next, I opened a telnet session on port 25 to the highest-priority server (the one with the lowest MX preference value). I then entered some SMTP commands to see if I could send backscatter:

HELO myhostname
MAIL FROM:<bogus_address>
RCPT TO:<rcommands@mailessentials.com>
DATA
Subject: Bogus NDR test

(message body)
.
QUIT

For bogus_address, I used a gmail.com address. Sure enough, the server accepted my mail (a 250 response to RCPT TO and to the end of DATA), and sure enough, the bogus NDR was sent to the gmail.com address. That is exactly what backscatter is: the server accepts mail for a recipient it will later decide it can't deliver, and then bounces it to the envelope sender, which is unauthenticated and can be anyone I choose. In other words, I just exploited an anti-spam vendor's server to send backscatter.
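The check above can be done without actually generating a bounce. The following is an added example, not code from the original post or from GFI: it drives the same HELO / MAIL FROM / RCPT TO exchange against an smtplib.SMTP-compatible object, but stops after RCPT TO and resets the transaction, so nothing is queued and no NDR goes anywhere. A server that answers 250 to a recipient that cannot exist is accepting mail it will have to bounce later, which is the backscatter condition; a 5xx at RCPT TO means it validates recipients in the SMTP session. The host names and addresses (probe.example, example.org, mx.example.com) are placeholders, and FakeSMTP is a constructed stand-in for offline testing only.

```python
"""Probe an MX for accept-then-bounce (backscatter) behaviour.

Added example, not part of the original post. Only run probe_host() against
domains you are authorised to test.
"""
import smtplib
import uuid


def probe_recipient_validation(smtp, sender, domain, helo_name="probe.example"):
    """Classify how `smtp` treats a recipient that cannot exist at `domain`.

    Returns one of:
      'rejects-at-rcpt'           5xx on RCPT TO: invalid recipients are
                                  refused inside the SMTP session (good).
      'accepts-unknown-recipient' 250 on RCPT TO: the server would take the
                                  message and bounce it later to whatever
                                  MAIL FROM we supplied (backscatter risk).
      'tempfail'                  4xx (greylisting or similar); retry later.
    The probe never issues DATA, so no message is queued and no NDR is sent.
    """
    # A random local part guarantees we are not hitting a real mailbox.
    bogus = f"probe-{uuid.uuid4().hex}@{domain}"
    smtp.helo(helo_name)
    code, _ = smtp.mail(sender)
    if code != 250:
        smtp.quit()
        raise RuntimeError(f"MAIL FROM refused with {code}")
    code, _ = smtp.rcpt(bogus)
    # Abort the transaction cleanly whatever the answer was.
    try:
        smtp.rset()
        smtp.quit()
    except smtplib.SMTPException:
        pass
    if 500 <= code < 600:
        return "rejects-at-rcpt"
    if 400 <= code < 500:
        return "tempfail"
    if code == 250:
        return "accepts-unknown-recipient"
    return f"unexpected-{code}"


def probe_host(mx_host, sender, domain, port=25):
    """Run the probe against a real MX (hypothetical usage; needs network)."""
    smtp = smtplib.SMTP(mx_host, port, timeout=30)
    return probe_recipient_validation(smtp, sender, domain)


class FakeSMTP:
    """Scripted stand-in for smtplib.SMTP, constructed for offline testing.

    Records the commands issued so a caller can verify the probe never
    reached DATA.
    """

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.log = []

    def helo(self, name=""):
        self.log.append(f"HELO {name}")
        return (250, b"hello")

    def mail(self, sender, options=()):
        self.log.append(f"MAIL FROM:<{sender}>")
        return (250, b"ok")

    def rcpt(self, recip, options=()):
        self.log.append(f"RCPT TO:<{recip}>")
        return self.rcpt_reply

    def rset(self):
        self.log.append("RSET")
        return (250, b"ok")

    def quit(self):
        self.log.append("QUIT")
        return (221, b"bye")


if __name__ == "__main__":
    # Offline demonstration with the constructed stand-in; replace with
    # probe_host("mx.example.com", "you@example.org", "example.com") for a real MX.
    for reply in [(550, b"no such user"), (250, b"ok"), (451, b"try later")]:
        fake = FakeSMTP(reply)
        verdict = probe_recipient_validation(fake, "you@example.org", "example.com")
        print(reply[0], "->", verdict)
```

The verdict to worry about is accepts-unknown-recipient: that server is exactly the kind that will send an NDR to a forged envelope sender. The probe deliberately uses a real sender address you control rather than the null sender (MAIL FROM:<>), because some servers treat the null sender specially and that would not reflect what a spammer's forged sender would see.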

This would be funny if it weren't so frustrating. I've pointed out an exploitable flaw in their product's design, and not only do they not listen, they misconfigure their own server in a way that allows the exploit...

(Update for April 16th: Apparently they finally figured this out and disabled bogus NDRs on their server.)