To contact us: Port Coquitlam, B.C.
We found this problem several months ago but had kept it hush-hush while we decided what to do with this information. We decided not to release this information in case Spammers would exploit this insecurity. Instead, we decided to report this insecurity to OpenWave (the people that make InterMail), but we could not feed anything back to their Support Department as their Support Email Account required a Support Agreement Number. We did however send our Security Audit Report to their Developer Mail Account.
Without any acknowledgement from OpenWave, we noticed that their own InterMail Mail Server was secured after we sent our insecurity report by email to their Developer Mail Account. A thank you would be nice. We also targeted all major ISPs that use InterMail Mail Servers, namely Verizon and Telus. We sent them security reports with every Klez Virus received.
At time of writing, Verizon has patched some of their many servers, but Telus has not acted on it at all. We cannot sit on this information anymore. How this insecurity works is the lack of SMTP authentication when their servers receive email that is destined for outside their own domain. The problem is that the Klez Virus and work-alike Viruses are able to exploit the InterMail insecurity to the fullest extent, and that is why this Virus is so hard to tame from the wild.
Here is how the Klez Virus exploits this vulnerability. Let us assume firstname.lastname@example.org has a Dial Up account at XYZ Internet and has been infected by the Klez Virus. The Klez Virus begins by going through the infected computer's Windows Address Book (WAB) and harvesting the email addresses. The Virus is smart enough to make its own SMTP connection to a third-party server, such as one that runs InterMail. For this example, let us assume it is Verizon. The Virus is also smart enough to rewrite the MAIL FROM to a Verizon.Net address, thus making it email@example.com
Insecure InterMail Servers will accept it carte blanche and relay the Virus to the addresses harvested from the infected PC's WAB. Insecure InterMail Servers do not authenticate SMTP connections, or do not enforce "POP Authentication before SMTP".
See below for how a patched InterMail Server should respond:
Connected to smtp1.openwave.com.
Here is an example of an unpatched InterMail Server:
Connected to mail.telusplanet.net.
Escape character is '^]'.
220 priv-edtnes11-hme0.telusplanet.net ESMTP server (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) ready Tue, 13 Aug 2002 23:40:26 -0600
MAIL FROM: firstname.lastname@example.org
250 Sender <email@example.com> Ok
RCPT TO: firstname.lastname@example.org
250 Recipient <email@example.com> Ok
354 Ok Send data ending with <CRLF>.<CRLF>
Subject: Klez Relay Test
Klez Relay Test - awaiting receipt
250 Message received: 20020814054109.WUXM22374.firstname.lastname@example.org
221 priv-edtnes11-hme0.telusplanet.net ESMTP server closing connection
Connection closed by foreign host.
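The envelope-only relay check that the transcript above demonstrates, written here as an added Python example for auditing a mail server you administer; it is not code from the original advisory or from OpenWave. The host name, the addresses and the scripted server replies are constructed, and the check deliberately stops before DATA, so no message is ever handed to the server.

```python
import io

def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, text)."""
    text = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise RuntimeError("connection closed or malformed reply: %r" % line)
        text.append(line[4:])
        if len(line) < 4 or line[3] != "-":        # "250 " ends, "250-" continues
            return int(line[:3]), "\n".join(text)

def relay_check(rfile, wfile, helo, sender, recipient):
    """Drive only the SMTP envelope (EHLO/MAIL/RCPT), then RSET and QUIT.
    DATA is never sent, so nothing is delivered. Returns (verdict, rcpt_code)."""
    def cmd(line):
        wfile.write((line + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)
    code, _ = read_reply(rfile)                     # 220 greeting banner
    if code != 220:
        raise RuntimeError("unexpected greeting code %d" % code)
    cmd("EHLO " + helo)
    code, _ = cmd("MAIL FROM:<%s>" % sender)
    if code != 250:
        cmd("QUIT")
        return "mail-from-rejected", code
    code, _ = cmd("RCPT TO:<%s>" % recipient)       # the decisive step
    cmd("RSET")
    cmd("QUIT")
    if code in (250, 251):
        return "relays", code                       # envelope accepted: open relay
    if 500 <= code < 600:
        return "rejects", code                      # relaying refused, as it should be
    return "tempfail", code

# Constructed server replies (not captured from any real host): an unpatched server
# accepting an outside recipient for a sender forged in its own domain, or refusing it.
def scripted(rcpt_reply):
    replies = ["220 mx.example.net ESMTP ready", "250-mx.example.net\r\n250 SIZE 10485760",
               "250 Sender Ok", rcpt_reply, "250 Reset Ok", "221 closing connection"]
    return io.BytesIO("".join(r + "\r\n" for r in replies).encode("ascii")), io.BytesIO()

ARGS = ("audit.example.org", "user@example.net", "someone@example.com")  # helo, in-domain sender, outside recipient

def demo():
    open_relay = relay_check(*scripted("250 Recipient Ok"), *ARGS)
    patched = relay_check(*scripted("550 Relaying denied"), *ARGS)
    return open_relay, patched   # (("relays", 250), ("rejects", 550))
```

Against a live server you administer, pass the `rb` and `wb` files from `socket.create_connection((host, 25)).makefile(...)` in place of the two BytesIO objects.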
I hope all InterMail Servers are patched ASAP and maybe we can finally see a reduction in the spread of the Klez Virus.
Disclaimer - This is only a security audit. The above examples are actual SMTP transactions intended to demonstrate this InterMail Vulnerability. The information herein is not intended to be used to carry out exploits on InterMail Servers.
Security Alert - InterMail will relay for Klez and work-alike Viruses and astute Spammers
Author: Victoria Chan, Chief Security Officer
Date: August 13th 2002