To contact us: kendryl.com, Port Coquitlam, B.C., CANADA V3B6H2. Phone: +1(604)671-5123, Fax: +1(604)552-8573.


We found this problem several months ago but kept it hush-hush while we decided what to do with this information. We decided not to release it in case spammers exploited this insecurity. Instead, we decided to report the insecurity to OpenWave (the people who make InterMail), but we could not feed anything back to their Support Department because their Support Email Account required a Support Agreement Number. We did, however, send our Security Audit Report to their Developer Mail Account.


Without any acknowledgement from OpenWave, we noticed that their own InterMail Mail Server was secured after we sent our insecurity report to their Developer Mail Account. A thank you would be nice. We also targeted all major ISPs that use InterMail Mail Servers, namely Verizon and Telus, and sent them security reports with every Klez Virus we received.


At the time of writing, Verizon has patched some of their many servers, but Telus has not acted on it at all. We cannot sit on this information any longer. The insecurity is the lack of SMTP authentication when their servers receive email destined for outside their own domain. The problem is that the Klez Virus and work-alike viruses are able to exploit the InterMail insecurity to the fullest extent, and that is why this Virus is so hard to tame in the wild.


Here is how the Klez Virus exploits this vulnerability. Let us assume john-doe@xyz-internet.com has a dial-up account at XYZ Internet and has been infected by the Klez Virus. The Klez Virus begins by going through the infected computer's Windows Address Book (WAB) and harvesting the email addresses. The Virus is smart enough to make its own SMTP connection to a third-party server such as one that runs InterMail. For this example, let us assume it is Verizon. The Virus is also smart enough to transpose the MAIL FROM to that of verizon.net, thus making it bogus-user@verizon.net.


Insecure InterMail Servers will accept it carte blanche and relay the Virus to the addresses harvested from the infected PC's WAB. Insecure InterMail Servers do not authenticate SMTP connections, nor do they enforce "POP authentication before SMTP".


See below how a patched InterMail Server should respond:

Connected to smtp1.openwave.com.
Escape character is '^]'.
220 oe-ismta1.bizmailsrvcs.net ESMTP server (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) ready Sat, 3 Aug 2002 16:32:20 -0500
HELO westernstar.kendryl.net
250 oe-ismta1.bizmailsrvcs.net
MAIL FROM: klezinfected@openwave.com
553 Authentication is required to send mail as <klezinfected@openwave.com>
QUIT
221 oe-ismta1.bizmailsrvcs.net ESMTP server closing connection
Connection closed by foreign host.

Here is an example of an un-patched InterMail Server:

Connected to mail.telusplanet.net.
Escape character is '^]'.
220 priv-edtnes11-hme0.telusplanet.net ESMTP server (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) ready Tue, 13 Aug 2002 23:40:26 -0600
HELO westernstar.kendryl.net
250 priv-edtnes11-hme0.telusplanet.net
MAIL FROM: klez-infected-computer@telus.net
250 Sender <klez-infected-computer@telus.net> Ok
RCPT TO: abuse@kendryl.net
250 Recipient <abuse@kendryl.net> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
Subject: Klez Relay Test
From: klez-infected-computer@telus.net
To: abuse@kendryl.net

Klez Relay Test - awaiting receipt
.
250 Message received: 20020814054109.WUXM22374.priv-edtnes11-hme0.telusplanet.net@westernstar.kendryl.net
QUIT
221 priv-edtnes11-hme0.telusplanet.net ESMTP server closing connection
Connection closed by foreign host.
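The two transcripts above differ in one decision: whether the server accepts an envelope sender in its own domain, and a recipient outside it, from a client that has not proven who it is. The following Python is an added example written for this page, not InterMail's code and not part of the original advisory. It models that relay-control decision, including the "POP authentication before SMTP" variant, and replays a Klez-style session against a patched and an unpatched policy. The 553 reply text is copied from the patched transcript; the local domains (telus.net, telusplanet.net), the server hostname mx.example.net, the client address 203.0.113.5, the 30-minute POP window, and the 503/550/500 wordings are all assumptions made for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Relay-control rules for an MTA that fronts a set of local domains.

    Assumed model, not InterMail's implementation: an unauthenticated client
    may deliver mail *to* a local domain, but may neither claim a local sender
    domain nor relay to an outside domain unless it authenticated over SMTP or
    logged in to POP from the same IP within the grace window.
    """
    local_domains: frozenset
    require_auth: bool = True        # False reproduces the open-relay behaviour
    pop_window: float = 1800.0       # POP-before-SMTP grace period in seconds (assumed)
    pop_logins: dict = field(default_factory=dict)   # client_ip -> time of last POP login

    def record_pop_login(self, client_ip, now):
        self.pop_logins[client_ip] = now

    def is_trusted(self, client_ip, smtp_authenticated, now):
        if smtp_authenticated:
            return True
        last = self.pop_logins.get(client_ip)
        return last is not None and now - last <= self.pop_window

    @staticmethod
    def _domain(address):
        return address.strip("<>").rpartition("@")[2].lower()

    def mail_from(self, sender, client_ip, authenticated, now):
        # Reply text taken from the patched transcript in the advisory.
        if (self.require_auth and self._domain(sender) in self.local_domains
                and not self.is_trusted(client_ip, authenticated, now)):
            return f"553 Authentication is required to send mail as <{sender}>"
        return f"250 Sender <{sender}> Ok"

    def rcpt_to(self, recipient, client_ip, authenticated, now):
        if self._domain(recipient) in self.local_domains:
            return f"250 Recipient <{recipient}> Ok"   # inbound mail is always accepted
        if self.require_auth and not self.is_trusted(client_ip, authenticated, now):
            return f"550 Relaying to <{recipient}> denied"   # assumed wording
        return f"250 Recipient <{recipient}> Ok"


def run_session(policy, hostname, commands, client_ip, authenticated=False, now=0.0):
    """Feed client lines to the policy and return (line, reply) pairs.

    Only the verbs seen in the advisory's transcripts are modelled. Message
    body lines after a 354 get no reply until the terminating "." line.
    """
    replies, sender_ok, rcpt_ok, in_data = [], False, False, False
    for line in commands:
        if in_data:
            if line == ".":
                in_data, sender_ok, rcpt_ok = False, False, False
                replies.append((line, "250 Message received"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = f"250 {hostname}"
        elif verb == "MAIL":
            reply = policy.mail_from(arg.split(":", 1)[1].strip(), client_ip, authenticated, now)
            sender_ok = reply.startswith("250")
        elif verb == "RCPT":
            if not sender_ok:
                reply = "503 Need MAIL command"   # assumed wording
            else:
                reply = policy.rcpt_to(arg.split(":", 1)[1].strip(), client_ip, authenticated, now)
                rcpt_ok = rcpt_ok or reply.startswith("250")
        elif verb == "DATA":
            if sender_ok and rcpt_ok:
                reply, in_data = "354 Ok Send data ending with <CRLF>.<CRLF>", True
            else:
                reply = "503 Need RCPT command"   # assumed wording
        elif verb == "QUIT":
            reply = f"221 {hostname} ESMTP server closing connection"
        else:
            reply = "500 Command not recognized"   # assumed wording
        replies.append((line, reply))
    return replies


LOCAL_DOMAINS = frozenset({"telus.net", "telusplanet.net"})   # assumed for the demo
CLIENT_IP = "203.0.113.5"                                      # constructed documentation address

# Constructed Klez-style session: claims a local sender and relays to an outside domain.
KLEZ_SESSION = [
    "HELO westernstar.kendryl.net",
    "MAIL FROM: klez-infected-computer@telus.net",
    "RCPT TO: abuse@kendryl.net",
    "DATA",
    "Subject: Klez Relay Test",
    "",
    "Klez Relay Test - awaiting receipt",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for label, policy in (("patched", RelayPolicy(LOCAL_DOMAINS)),
                          ("open relay", RelayPolicy(LOCAL_DOMAINS, require_auth=False))):
        print(f"--- {label} ---")
        for cmd, reply in run_session(policy, "mx.example.net", KLEZ_SESSION, CLIENT_IP):
            print(f"> {cmd}\n{reply}")
```

The patched policy refuses at MAIL FROM, so the session never reaches DATA; the open-relay policy walks all the way to "250 Message received", exactly the difference between the two captures. Note that the check is on the envelope sender and recipient, not on the From: header in the body: a header check alone would not stop the relay.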


I hope all InterMail Servers are patched ASAP, and maybe we can finally see a reduction in the spread of the Klez Virus.


Disclaimer - This is only a security audit. The above examples are actual SMTP transactions intended to demonstrate this InterMail Vulnerability. The information herein is not intended to be used to carry out exploits on InterMail Servers.

Security Alert - InterMail will relay for Klez and work-alike Viruses and astute Spammers

Author: Victoria Chan, Chief Security Officer

Date: August 13th 2002