Next: Error Message Bombs Up: Electronic Mail Bombs Previous: Brief Review of E-mail

Chain Bombs

Most sendmail configurations will process e-mail addresses written in the route address syntax described above. The e-mail bomber exploits this route address functionality to create a very powerful e-mail bomb that we refer to as chain bombing. Figure 2 illustrates the chain bomb vulnerability.


Figure 2: Sendmail Route Address Chain Bombing


In the chain-bomb scenario, the e-mail bomber, Hbomber, executes an automated script with a chain of source routed SMTP messages. The e-mail bombs are delivered and queued on the first MTA in the chain, MTA1. If the attack volume of the e-mail bomb is sufficient to inhibit or deny service to MTA1, the remaining messages in the outbound queue of the bombing host will be directed automatically to MTA2. This process continues for all the MTAs.

If MTA1 successfully queues the e-mail from the bombing host, the bomb is delivered to the next route address in the chain, MTA2. The process is repeated through all the MTAs in the chain: each MTA either successfully queues the entire e-mail bomb or queues some percentage of its volume, and the remainder moves on to flood the next MTA in the chain.

Depending on the configuration of the MTAs, service may be denied for numerous reasons. For example, when the volume of mail in the MTA queue is extremely large, the number of file descriptors required can exceed operating system limits, or the number of open TCP connections can reach system limits. The large volume of e-mail in the MTA queue, both operational and malicious, must then be systematically moved out of the queue and the MTA restarted or the system rebooted. Sorting malicious from important business e-mail is difficult and very resource intensive.

Examples from the Langley Cyber Attack reveal that unsuspecting mail system administrators are often unaware that the MTA has been attacked by a mail bomb and simply reboot the mail server without clearing the malicious messages from the MTA queue. In this case, the sendmail process re-initiates delivery, attempting to pass the bomb on to the next MTA in the route address chain.
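Because a rebooted MTA simply resumes delivering whatever is still in its queue, the practical defensive step is to find the source-routed recipients before restarting sendmail. The following is an added example, not code from the original paper: it parses the RFC 821 route address form (`@hop1,@hop2:mailbox@domain`) into its hop list, then scans log lines for recipients carrying route hops and tallies which intermediate hosts the chain names. The log lines are constructed for this example and only approximate sendmail's syslog `to=<...>` field; the hostnames and queue ids in them are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 821 route-address syntax: "@hop1,@hop2:mailbox@final-domain".
# The part before ':' is an optional comma-separated list of "@host" hops;
# the mailbox after it must be a plain local-part@domain.
ROUTE_ADDR_RE = re.compile(
    r"^<?(?:(?P<route>@[^:<>\s]+):)?(?P<mailbox>[^<>:\s@,]+@[^<>:\s@,]+)>?$"
)

# Matches the recipient inside a (constructed) sendmail-style "to=<...>" log field.
TO_FIELD_RE = re.compile(r"\bto=<([^>]+)>")


@dataclass
class Recipient:
    hops: List[str]   # intermediate MTAs, in the order the route lists them
    mailbox: str      # final mailbox (local-part@domain)


def parse_route_address(addr: str) -> Optional[Recipient]:
    """Split a recipient into its source-route hops and final mailbox.

    Returns None when the string is not a syntactically valid address,
    including a route whose hops are not all of the form "@host".
    """
    m = ROUTE_ADDR_RE.match(addr.strip())
    if not m:
        return None
    hops: List[str] = []
    if m.group("route"):
        for part in m.group("route").split(","):
            if len(part) < 2 or part[0] != "@":
                return None  # malformed hop, e.g. a bare hostname or an empty entry
            hops.append(part[1:].lower())
    return Recipient(hops=hops, mailbox=m.group("mailbox").lower())


@dataclass
class ScanResult:
    flagged: List[str] = field(default_factory=list)          # lines with route hops
    hop_counts: Dict[str, int] = field(default_factory=dict)  # occurrences per hop host


def scan_log(lines: List[str], max_hops: int = 0) -> ScanResult:
    """Flag log lines whose recipient carries more than max_hops route hops.

    With the default max_hops=0 any source-routed recipient is flagged; the
    hop_counts tally shows which downstream MTAs a chain would be aimed at.
    """
    result = ScanResult()
    for line in lines:
        m = TO_FIELD_RE.search(line)
        if not m:
            continue
        rcpt = parse_route_address(m.group(1))
        if rcpt is None or len(rcpt.hops) <= max_hops:
            continue
        result.flagged.append(line)
        for host in rcpt.hops:
            result.hop_counts[host] = result.hop_counts.get(host, 0) + 1
    return result


# Constructed sample log lines (hostnames and queue ids are placeholders).
SAMPLE_LOG = [
    "Mar  3 02:11:09 mta1 sendmail[2101]: CAA02101: to=<alice@corp.example>, delay=00:00:01, stat=Sent",
    "Mar  3 02:11:10 mta1 sendmail[2102]: CAA02102: to=<@mta2.example.net,@mta3.example.net:bob@target.example>, delay=00:00:00, stat=queued",
    "Mar  3 02:11:10 mta1 sendmail[2103]: CAA02103: to=<@mta2.example.net,@mta3.example.net:bob@target.example>, delay=00:00:00, stat=queued",
    "Mar  3 02:11:11 mta1 sendmail[2104]: CAA02104: to=<@mta4.example.net:carol@target.example>, delay=00:00:00, stat=queued",
]

if __name__ == "__main__":
    res = scan_log(SAMPLE_LOG)
    print(f"{len(res.flagged)} source-routed recipient(s) found")
    for host, n in sorted(res.hop_counts.items()):
        print(f"  next-hop {host}: {n} message(s)")
```

Run against a real queue listing the same `to=` extraction would need adjusting to that MTA's log format; the parser itself only depends on the route address syntax. Hop counts are the useful output for an operator: they show which downstream MTAs will receive the queued bomb if the server is restarted without the flagged messages being removed first.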
