Network Associates WebShield SMTP Trailing Period DoS Vulnerability

A certain configuration of Network Associates WebShield SMTP is vulnerable to a remote denial of service attack. If WebShield and the mailserver are installed on the same machine and the "Direct Send" option has been enabled in the "Delivery" - "Mail Send" configuration in WebShield, this vulnerability can be exploited by sending an email with a dot character trailing the domain name such as ''

In this case, Company XYZ with the domain of is used as an example. The server running WebShield SMTP at Company XYZ does not recognize that '' is equivalent to '' even though both are Fully Qualified Domain Names (FQDN). Therefore, if a remote user attempts to send an email to '' (note the trailing period), WebShield SMTP will not recognize '' as a local domain.

WebShield SMTP will then look up the MX (mail exchange) record for '' by querying a Domain Name Server, and send itself a copy of the message while adding a 'Received:' line. WebShield SMTP will continue to send itself the email indefinitely, each time adding a 'Received:' line, until either the offending email is manually removed or CPU resources are consumed to such a degree that the application crashes. WebShield will continue this process, even after a reboot, until the offending email is manually removed.

This exploit will only work if an MX record is pointing to the domain.
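
The failed local-domain comparison and the unbounded growth of 'Received:' lines described above can be shown side by side with the two checks a mail relay needs: domain normalization and a hop limit. This is an added example, not WebShield code and not part of the original advisory; the domain `example.com`, the `MAX_HOPS` value and every function name are assumptions made for illustration.

```python
from email import message_from_string

LOCAL_DOMAINS = {"example.com"}  # constructed placeholder, not the advisory's domain
MAX_HOPS = 25                    # assumed hop limit; set according to local policy


def naive_is_local(rcpt):
    """Raw string match on the domain, the behaviour the advisory describes."""
    return rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS


def normalize_domain(domain):
    """Lower-case and drop one trailing root dot so both FQDN forms compare equal."""
    domain = domain.strip().lower()
    return domain[:-1] if domain.endswith(".") else domain


def is_local(rcpt):
    """Compare the normalized recipient domain against normalized local domains."""
    local = {normalize_domain(d) for d in LOCAL_DOMAINS}
    return normalize_domain(rcpt.rsplit("@", 1)[-1]) in local


def hop_count(raw_message):
    """Number of 'Received:' headers already stamped on the message."""
    return len(message_from_string(raw_message).get_all("Received", []))


def route(rcpt, raw_message):
    """Return 'reject-loop', 'deliver-local' or 'relay' for one recipient."""
    if hop_count(raw_message) >= MAX_HOPS:
        return "reject-loop"  # stop re-queuing a message that keeps coming back
    return "deliver-local" if is_local(rcpt) else "relay"


def constructed_message(hops):
    """Build a constructed sample message carrying `hops` Received headers."""
    received = "Received: from relay by relay (constructed sample)\n" * hops
    return received + "Subject: test\n\nbody\n"


if __name__ == "__main__":
    rcpt = "user@example.com."  # trailing period, as in the advisory
    print("naive match:     ", naive_is_local(rcpt))
    print("normalized match:", is_local(rcpt))
    print("1 hop:           ", route(rcpt, constructed_message(1)))
    print("30 hops:         ", route(rcpt, constructed_message(30)))
```

Normalization removes the cause of the loop; the hop limit bounds the damage if some other misrouting sends a message back to the same host.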


Copyright 2010, SecurityFocus