A crafty way of knocking out any email server using a few carefully constructed emails has been identified by a team of computer security experts. The trick involves sending forged emails that contain thousands of incorrect addresses in the "copy to" fields that are normally used to send duplicate messages. Researchers at UK-based NGSSoftware sent these emails to the largest email servers on the internet, and found they could force huge quantities of unwanted email to pour into another mail server of their choice. . . .
A crafty way of knocking out any email server using a few carefully constructed emails has been identified by a team of computer security experts.

The trick involves sending forged emails that contain thousands of incorrect addresses in the "copy to" fields that are normally used to send duplicate messages.

Researchers at UK-based NGSSoftware sent these emails to the largest email servers on the internet, and found they could force huge quantities of unwanted email to pour into another mail server of their choice.

The exploit depends on finding a server configured to return an email plus its attachments to each incorrect address. But this can be tested by sending just a single message.

The next step is to forge an email so it appears to come from the mail server that is to be the target of the attack. This is also relatively simple trick. Finally, the forged email, complete with the thousands of incorrect addresses is sent. The resulting avalanche of "bounced" messages sent to the target server would almost certainly cause it to crash, and leave its users without access to their mail.

"With one 10 kilobyte email I could then send 100 megabytes back to a server of my choosing," says Gunter Ollman, one of the researchers who identified the potential attack.

Fortune 500

The researchers tested the email servers of all Fortune 500 companies and found that 30 per cent could be used to launch this type of attack.

The link for this article located at newscientist.com is no longer available.