Hacking Attack: Email Forwarder DoS Loop/Storm

For some email providers it is possible to create a denial of service (hacking attack) condition by creating an email forwarder that directs mail to a non-existent email address of a victim domain.

How the attack works:

Step 1: Create an email forwarder (or create an anonymous email address and forward all emails) that points to a non-existent mailbox at a victim domain (e.g. {NotARealUser}@{somedomain}{.tld}).

Step 2: Sign up for a lot of spam email using the malicious email address.

Step 3: Ensure all email is being forwarded, including ‘bounce-back’ or ‘user-not-found’ emails.

Step 4: Wait for the ‘message undeliverable’ email that indicates the server has gone down.

Why it works (sometimes): Email servers only check whether a mailbox exists; they do not check whether they are in a forwarding loop. This means all ‘new’ emails and all ‘bounce-back’ or ‘user-not-found’ emails may cause another email to be received for processing by the server. This may ultimately lead to an email loop or email storm that eventually overwhelms the email server(s), much like a routing storm overwhelms routers.

Solution(s): Ensure your email server(s) do not respond to forwarded messages, do not respond to any ‘user-not-found’ or ‘message not deliverable’ emails, and/or block (or whitelist) addresses that forward large amounts of email to your email servers.
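One way a receiving server could apply these rules when mail arrives for an unknown mailbox is sketched below. This is an added example, not code from the original post or from any particular mail server. The function names, the thresholds and the sample messages are assumptions made for illustration; the null reverse-path and the Auto-Submitted header (RFC 3834) are the standard markers of automatic mail.

```python
from collections import defaultdict, deque
from email import message_from_string

MAX_HOPS = 50        # assumed cap on Received: headers before we call it a loop
RATE_LIMIT = 5       # assumed max bounces per envelope sender per window
WINDOW_SECONDS = 60  # assumed window length
_bounces_sent = defaultdict(deque)  # envelope sender -> times a bounce was sent

def bounce_decision(envelope_from, raw_message, now):
    """Return (send_bounce, reason) for mail addressed to an unknown mailbox."""
    msg = message_from_string(raw_message)
    # A null reverse-path (MAIL FROM:<>) marks a bounce; never bounce a bounce.
    if envelope_from.strip() in ("", "<>"):
        return False, "null-sender"
    # RFC 3834: any Auto-Submitted value other than "no" is automatic mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "auto-submitted"
    # Each relay adds one Received: header, so a long chain suggests a loop.
    if len(msg.get_all("Received") or []) > MAX_HOPS:
        return False, "hop-limit"
    # Throttle bounces to any single sender (e.g. a high-volume forwarder).
    sent = _bounces_sent[envelope_from.strip().lower()]
    while sent and now - sent[0] >= WINDOW_SECONDS:
        sent.popleft()
    if len(sent) >= RATE_LIMIT:
        return False, "rate-limited"
    sent.append(now)
    return True, "ok"

def sample_message(hops=1, auto_submitted=None):
    """Build a constructed test message (not captured traffic)."""
    lines = ["Received: from relay.example by mx.example; hop %d" % i
             for i in range(hops)]
    if auto_submitted:
        lines.append("Auto-Submitted: " + auto_submitted)
    lines += ["From: list@sender.example", "To: nobody@victim.example",
              "Subject: newsletter", "", "body"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(bounce_decision("<>", sample_message(), 0.0))
    print(bounce_decision("fwd@forwarder.example", sample_message(hops=60), 0.0))
    for t in range(7):
        print(bounce_decision("fwd@forwarder.example", sample_message(), float(t)))
```

Every branch that returns False drops the message without generating a reply, so none of them can feed another message back into the loop.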

This is just one of many email DoS vulnerabilities. If multiple anonymous emails are used for forwarding purposes, this may create a DDoS condition.