Notes/Domino Fix List
SPR# JPAS5C4Q3T | Fixed in 5.0.12 release | Security fix
Product Area: Server
Technical Area: Mail Server
Platform: Cross Platform
SPR# JPAS5C4Q3T - Fixed a potential Denial of Service attack.
Technote Number: 1088982
Problem:
WHAT'S CAUSING THIS ISSUE?
This crash has only been reported to occur on Win32 platforms.
This crash is caused by a malformed inbound message sent by a spammer. The
malformed Spam may be destined for a recipient in the domain of your company,
or it may be a Spam relay attempt. All initial reports indicated that the
inbound email was being addressed only from domains ending in the .FM country
code (this country code refers to the Federated States of Micronesia, and is
also occasionally used by FM radio stations). In isolated cases the Spam
attacks have changed to include other domain names [.RU (Russia) and .UK
(United Kingdom), for example], so the offending messages may come from a
different domain. However, the vast majority of instances occurred with the
reception of a message from the .FM domain.
WORKAROUND FOR MAIL FROM THE .FM DOMAIN
You may successfully prevent the crash by blocking all inbound mail from all
domains ending with the .FM country code. There is a small risk that you will
prevent legitimate inbound email coming into your domain by implementing this
workaround; however, the only mail that will be blocked is mail emanating from
the .FM domain. If your company does not do business with this small
collection of South Pacific islands, adding .FM to the deny domain list (as
described below) will not prevent any legitimate mail from reaching your
users. However, please be aware that if the spammers change the domain being
referred to in the "From" field of the message, and send the message to your
company again, you may still experience further crashes.
In order to block inbound messages from domains ending in .FM, edit your
Configuration Settings document. The relevant Configuration document is the
document with either an asterisk ( * ) or the name of your SMTP server in the
Server Name field. Within that Configuration document, go to your Router/SMTP
tab, Restrictions and Controls tab, SMTP Inbound Controls tab. There, change
the Inbound Sender Controls (see bitmap below) by adding .FM to the "Deny
messages from the following internet addresses/domains" field. This will block
messages from all domains ending in .FM.
THERE ARE HOTFIXES AVAILABLE
Hotfixes are now available for this issue that prevent your router from
crashing as a result of processing this malformed message, regardless of Domain
of origin. Hotfixes are currently available for this problem for the following
Domino releases: 5.0.8, 5.0.9a, 5.0.10, 5.0.11, and Domino 6. This defensive
hotfix was integrated into the code of Domino 5.0.12 and Domino 6.0.1, and all
subsequent releases.
If your company has Spam controls already in place, it is unlikely you will be
affected by this issue; however, as a preventative measure, an upgrade to
Domino 5.0.12 or 6.0.1 is advisable, as this issue has been addressed there.
Excerpt from the Lotus Notes and Domino Release 6.0.1 and 5.0.12 MR fix list
(available at http://www.ibm.com/developerworks/lotus/):
MIME - Native MIME
SPR# MJUK5FGQDL - This fix prevents an SMTP server crash when an incoming email
has a header field needing coding that results in a string longer than 256
characters.
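
The condition named in the fix-list entry can be checked at an upstream mail filter before a message reaches an unpatched server. The following is an added example, not code from IBM or from the original technote: it flags header fields that contain 8-bit bytes and whose RFC 2047 encoded form would exceed 256 characters. The charset label, the choice of the longer of the Q and B encodings, and all function names are assumptions, since the technote does not say how Domino encodes the field.

```python
import string

LIMIT = 256        # length named in the SPR# MJUK5FGQDL fix-list entry
CHARSET = "utf-8"  # assumption: charset label placed in the encoded-word
# Bytes that RFC 2047 "Q" encoding leaves as a single character.
Q_SAFE = set((string.ascii_letters + string.digits + "-!*+/").encode())

def unfold_headers(raw: bytes):
    """Yield (name, value) for each header field, joining folded lines."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    logical = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and logical:
            logical[-1] += b" " + line.strip()   # continuation line
        elif b":" in line:
            logical.append(line)
    for line in logical:
        name, _, value = line.partition(b":")
        yield name.decode("ascii", "replace"), value.strip()

def encoded_length(value: bytes) -> int:
    """Worst-case length of value as one RFC 2047 encoded-word (Q or B)."""
    overhead = len("=?" + CHARSET + "?Q?" + "?=")
    q_len = sum(1 if (b in Q_SAFE or b == 0x20) else 3 for b in value)
    b_len = 4 * ((len(value) + 2) // 3)
    return overhead + max(q_len, b_len)

def flag_headers(raw: bytes, limit: int = LIMIT):
    """Return (name, raw_length, encoded_length) for fields over the limit."""
    hits = []
    for name, value in unfold_headers(raw):
        if any(b > 0x7F for b in value):         # field needs encoding
            n = encoded_length(value)
            if n > limit:
                hits.append((name, len(value), n))
    return hits

# Constructed sample message (not taken from a real incident).
SAMPLE = (
    b"From: sender@example.fm\r\n"
    b"To: user@example.com\r\n"
    b"Subject: " + b"\xe9" * 100 + b"\r\n"
    b"X-Note: caf\xe9\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for name, raw_len, enc_len in flag_headers(SAMPLE):
        print(f"{name}: {raw_len} raw bytes -> {enc_len} encoded characters")
```

In the sample, the Subject value is only 100 bytes on the wire, yet its encoded form is well over the limit, so a check on raw header length alone would miss it.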
Supporting Information:
For additional information regarding this solution or any of the relay controls
available in Domino R5, refer to the document titled "Domino R5 Router
Restrictions and Controls Explained" (#179898), specifically section #4 on
Inbound Sender Controls.
Related Documents:
Domino R5 Router Restrictions and Controls Explained
Document #: 179898
Domino R5 Router NOTES.INI Debug Parameters for SMTP
Document #: 171763
How to Trap Inbound SMTP Messages on a Domino 5.x Server
Document #: 178652
Last Modified on 05/18/2007