Security Best Practice: Protect Yourself from Multiple SMTP Vulnerabilities
| Check Point Reference: | SBP-2010-06 |
| Date Published: | |
| Severity: | |
| Source: | IPS Research Center |
| Protection Provided by: | Security Gateway |
| Who is Vulnerable? | SMTP Mail Servers |
Vulnerability Description
Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP is specified for outgoing mail transport and uses TCP port 25. There are several serious security limitations in the SMTP protocol that allow malicious attackers to compromise a remote server, gain full access rights or launch denial of service (DoS) attacks.
Vulnerability Details
IPS offers several preemptive protections against SMTP-related vulnerabilities:

Bad SMTP Server Greeting - An SMTP server greeting which is not "220" could indicate problems in the mail server. In this case, it is best to reject connections made to the server, in order to prevent an attacker from exploiting the situation. By activating this protection, IPS can detect or prevent SMTP connections to SMTP servers which return a bad initial greeting.

Binary Data In SMTP Commands - An attacker might attempt to inject code into the SMTP server by using binary characters as parameters for SMTP commands. By activating this protection, IPS can detect or prevent binary data in SMTP commands.

Microsoft Exchange Server Commands - The XEXCH50, X-LINK2STATE and X-EXPS SMTP commands should only be used between two Microsoft Exchange servers. By activating this protection, IPS can detect or prevent Microsoft Exchange commands.

Non Compliant SMTP - Unexpected characters used in SMTP connections might indicate an attempt to attack the mail server. By activating this protection, IPS can detect or prevent SMTP connections which cannot be inspected because they violate the fundamentals of the SMTP protocol.

SMTP Private Commands - Private-use SMTP commands, as defined in RFC 2821, might be unsafe to use. By activating this protection, IPS can detect or prevent private-use SMTP commands.

SMTP Recipients with No Domain Name - Spam solicitors and other attackers may try to perform an e-mail address harvesting attack by sending e-mails to addresses which contain only the user portion of the address (without the domain portion). By activating this protection, IPS can detect or prevent attempts to deliver e-mails to addresses which do not contain a domain name.

SMTP STARTTLS Command - Blocks attempts to use encrypted TLS sessions for SMTP, as defined in RFC 2487. By activating this protection, IPS can detect or prevent SMTP connections which are encrypted.

Unknown SMTP Commands - The default SMTP known commands are EHLO, HELO, MAIL, RCPT, DATA, RSET, VRFY, EXPN, HELP, NOOP, QUIT, BDAT, ATRN, AUTH, ETRN, STARTTLS, TLS, X-EXPS, XEXCH50 and X-LINK2STATE. There is no need for a normal, legitimate sender to use other words as SMTP commands. Such an attempt might indicate an attack on the SMTP server. By activating this protection, IPS can detect or prevent SMTP commands which are not selected in the list.

Maximum Bad SMTP Commands Enforcement - An SMTP connection in which there is a large number of commands to which the SMTP server returns an error might indicate an attempt to attack the SMTP server. By enabling this protection, IPS will limit the number of bad commands allowed per SMTP connection.

Maximum Data Line Length Enforcement - An attacker might attempt to exploit a buffer overflow vulnerability which may exist in the SMTP server by sending a long SMTP data line. RFC 2821 defines 1000 as the maximum length of an SMTP data line. By activating this protection, IPS can detect or prevent SMTP data lines which are longer than configured.

Maximum Email Size Enforcement - An attacker might try to send a very large e-mail message in order to exhaust the SMTP server's resources. By activating this protection, IPS can detect or prevent e-mails which are larger than configured.

Maximum No-Effect Commands Enforcement - An attacker might attempt to use up the resources of an SMTP server by sending no-effect commands. This might prevent the SMTP server from closing the connection on timeout, and may result in denial of service to legitimate users. No-effect commands in SMTP can be NOOP, VRFY, EXPN, RSET or HELP. By enabling this protection, IPS will limit the number of SMTP no-effect commands allowed per connection.

Maximum Number of Recipients Enforcement - An attacker might try to send an e-mail to a large number of recipients, which may or may not exist on the SMTP server. This might indicate spam or a malware attack on the server. By enabling this protection, IPS will limit the number of recipients allowed per e-mail.

Maximum SMTP Command Line Length Enforcement - An attacker might attempt to exploit a buffer overflow vulnerability which may exist in the SMTP server by sending a long SMTP command. RFC 2821 defines 512 as the maximum length of an SMTP command. By activating this protection, IPS can detect or prevent SMTP commands which are longer than configured.

Maximum SMTP Commands Per Connection Enforcement - An attacker might attempt to use up the resources of an SMTP server by sending a large number of SMTP commands per connection. This may result in denial of service to legitimate users. By enabling this protection, IPS will limit the number of SMTP commands allowed per connection.

Use Malicious Code Protector for SMTP - By manipulating SMTP command arguments so that they contain assembler code, an attacker can create a memory corruption that can cause a server to crash or even run arbitrary code. An attack exploiting such a vulnerability does not require user interaction, which allows it to spread easily via reusable exploit scripts or worms. By enabling this protection, IPS will analyze SMTP command arguments (other than mail data), assess the danger, and allow or reject connections accordingly. Because it analyzes command arguments dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates.
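To make the protocol-conformance checks above concrete, the following is an added example written for this page; it is not Check Point's IPS code and does not reproduce how the Security Gateway implements these protections. It replays a recorded SMTP session offline and reports which of the checks described above (bad greeting, binary data, Exchange-only and private-use verbs, unknown verbs, recipients without a domain, STARTTLS, the RFC 2821 512/1000 line limits, and the per-connection counters) the session trips. The two line limits are the RFC 2821 values quoted on the page; the counter thresholds (no-effect commands, recipients, commands, bad commands) are assumed defaults chosen for the example, and both sample sessions are constructed.

```python
"""Offline SMTP session inspector (added example, not Check Point code).

Lines are given without their CRLF terminators, so the RFC 2821 limits,
which include the CRLF, are applied as len(line) + 2.
"""
import re
from collections import Counter

KNOWN_COMMANDS = {
    "EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "VRFY", "EXPN", "HELP",
    "NOOP", "QUIT", "BDAT", "ATRN", "AUTH", "ETRN", "STARTTLS", "TLS",
    "X-EXPS", "XEXCH50", "X-LINK2STATE",
}
EXCHANGE_COMMANDS = {"XEXCH50", "X-LINK2STATE", "X-EXPS"}
NO_EFFECT_COMMANDS = {"NOOP", "VRFY", "EXPN", "RSET", "HELP"}

# command_line and data_line come from RFC 2821; the four counters are
# assumed defaults for this example, not values from the page.
LIMITS = {"command_line": 512, "data_line": 1000, "no_effect": 5,
          "recipients": 20, "commands": 100, "bad_commands": 2}

PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")  # anything else is "binary"


def rcpt_address(args):
    """Pull the mailbox out of 'TO:<user@host>' (tolerates missing brackets)."""
    _, _, rest = args.partition(":")
    rest = rest.strip()
    return rest.split()[0].strip("<>") if rest else ""


def inspect_session(greeting, exchange, limits=LIMITS):
    """Return the list of protection names a session trips, in first-seen order.

    greeting: the server's initial line; exchange: ('C'|'S', line) tuples in
    wire order, without CRLF.
    """
    findings, counts, in_data = [], Counter(), False

    def flag(name):
        if name not in findings:
            findings.append(name)

    if not greeting.startswith("220"):
        flag("bad_greeting")
    for who, line in exchange:
        if who == "S":
            if line[:1] in ("4", "5"):      # server rejected the last command
                counts["bad_commands"] += 1
            continue
        if in_data:                         # message body, not commands
            if line == ".":
                in_data = False
            elif len(line) + 2 > limits["data_line"]:
                flag("data_line_too_long")
            continue
        counts["commands"] += 1
        if len(line) + 2 > limits["command_line"]:
            flag("command_line_too_long")
        if not PRINTABLE_ASCII.match(line):
            flag("binary_data_in_command")
        verb, _, args = line.partition(" ")
        verb = verb.upper()
        if verb in EXCHANGE_COMMANDS:
            flag("exchange_command")
        elif verb not in KNOWN_COMMANDS:
            # RFC 2821 section 4.1.5 reserves verbs beginning with "X" for private use.
            flag("private_command" if verb.startswith("X") else "unknown_command")
        if verb in NO_EFFECT_COMMANDS:
            counts["no_effect"] += 1
        if verb == "MAIL":
            counts["recipients"] = 0        # the recipient limit is per message
        elif verb == "RCPT":
            counts["recipients"] += 1
            if "@" not in rcpt_address(args):
                flag("recipient_without_domain")
            if counts["recipients"] > limits["recipients"]:
                flag("too_many_recipients")
        elif verb == "DATA":
            in_data = True
        elif verb == "STARTTLS":
            flag("starttls")
    for key in ("no_effect", "commands", "bad_commands"):
        if counts[key] > limits[key]:
            flag("too_many_" + key)
    return findings


# Constructed sample sessions (not captured traffic).
CLEAN_GREETING = "220 mail.example.test ESMTP"
CLEAN_SESSION = [
    ("C", "EHLO client.example.test"), ("S", "250-mail.example.test"),
    ("S", "250 SIZE 10485760"), ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 OK"), ("C", "RCPT TO:<bob@example.test>"), ("S", "250 OK"),
    ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "Subject: hello"), ("C", ""), ("C", "Hi Bob."), ("C", "."),
    ("S", "250 OK: queued"), ("C", "QUIT"), ("S", "221 Bye"),
]
HOSTILE_GREETING = "554 mail.example.test: no service"
HOSTILE_SESSION = [
    ("C", "EHLO probe"), ("S", "250 mail.example.test"),
    ("C", "XEXCH50 2 2"), ("S", "500 Unrecognized command"),
    ("C", "XFROB anything"), ("S", "500 Unrecognized command"),
    ("C", "FROB"), ("S", "500 Unrecognized command"),
    ("C", "MAIL FROM:<" + "a" * 600 + "@example.test>"), ("S", "250 OK"),
    ("C", "RCPT TO:<postmaster>"), ("S", "250 OK"),
    ("C", "RCPT TO:<\x01\x02@example.test>"), ("S", "250 OK"),
] + [("C", "NOOP"), ("S", "250 OK")] * 6 + [
    ("C", "DATA"), ("S", "354 Go ahead"), ("C", "B" * 1200), ("C", "."),
    ("S", "250 OK: queued"), ("C", "STARTTLS"), ("S", "220 Ready to start TLS"),
]

if __name__ == "__main__":
    print("clean  :", inspect_session(CLEAN_GREETING, CLEAN_SESSION))
    print("hostile:", inspect_session(HOSTILE_GREETING, HOSTILE_SESSION))
```

The inspector reports rather than blocks, which is the "detect" half of each protection; a gateway in "prevent" mode would drop the connection at the first finding instead of reading to the end. Note that the printable-ASCII test deliberately treats tabs and 8-bit characters alike, so a site that legitimately sends non-ASCII command arguments would need to relax that check rather than the others.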
Protection Overview
IPS offers several preemptive protections against SMTP-related vulnerabilities.
To configure the defense, select your product from the list below and follow the related protection steps.