HELO iss.net
MAIL FROM: "Klaus, Chris (ISSAtlanta)" <CKlaus@iss.net>
RCPT TO: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Subject: ISS X-Force: Multiple vulnerabilities in SMTP protocol

Synopsis:
It has come to our attention that several vulnerabilities 
exist within the SMTP protocol. Vulnerabilities exist which can 
allow spoofed email, as well as SPAM relaying through misconfigured
servers. We believe this to be a serious issue that requires immediate
attention. 

Affected Versions:
All servers that follow RFC 821.

Description:
RFC 821 outlines a method of exchanging 'E-Mail' over internetworked
computers. 

These vulnerabilities may be exploited using various methods. The most
common method of exploiting the SMTP spoofing bug is to visit the
popular website http://www.cyberarmy.com and search for E-Mail
spoofers and/or bombers.

Another serious threat inherent in this protocol is one which allows
unauthorized users to forward unsolicited commercial email (SPAM). 
There are several programs that exist in the wild which exploit this
vulnerability.

Recommendations:
ISS X-Force recommends that all vulnerable SMTP servers be turned off
immediately. Until vendors issue a patch, ISS X-Force recommends reverting
to traditional pen-and-pencil based methods of communication.

Credits:
This vulnerability was discovered by members of the IRC channel #phrack on
the Eris Free IRC network. We'd like to thank everyone who has helped
to investigate this vulnerability in a timely manner.

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 9,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations
in Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net
or call 888-901-7477.


Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

