Email that can bring down Notes client

Status
Not open for further replies.

deros68

Programmer
Oct 28, 2005
12
US
I hope this is the right forum - if I need to send this elsewhere - someone please tell me what forum to use.

I have developed 5 different emails that can bring down a Notes client. I want to work with a technical person from another company to verify that these emails (with proper safety precautions) can DOS another instance of a Notes client (i.e., not our shop's version). We run Notes 6.5.1 server and 6.5.3 client. My plan is to take these emails to Lotus/IBM and CERT after having proved that these emails work in at least 2 different environments. What I am trying to prove here is that our particular Notes instance, its setup and defaults, is not responsible for the client DOS - the problem lies in the Notes bounds checking.

thanks
 
I find your case interesting.
Just one question: in the database properties of the mail client, does the option "Allow use of stored forms" make any difference to your emails if it is unchecked?

Pascal.
 
No - the 5 different emails have no Notes specific content in them. I have simply used the ability of Notes to accept email from port 25 (in other words from the Internet) and not check the size, number, or format of five different RFC822 defined fields. I want to be sure that it is not our instance of Notes that is vulnerable - through some ill-advised setting. I am looking to correspond with another Notes shop and verify that their Notes clients will/will not be DOSsed by my DOS attack emails. Again - my attack emails are only ASCII text - not created or sent by another Notes instance. For example - my emails could be sent from any RFC822 compliant SMTP server (Pine, MS Exchange, Eudora, sendmail etc.) to the receiving Notes system.

thanks
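
Added example, not part of the thread and not IBM's fix: a sketch of the size, number and format checks on header fields that an SMTP gateway could apply before a message reaches a mail client. The 998-character line limit and the once-only fields come from RFC 5322 (the successor to RFC 822); `MAX_FIELD_BYTES`, `MAX_FIELDS`, the ASCII-only rule and the sample messages are assumptions made for illustration.

```python
import re

# RFC 5322 limits: 998 chars per line (excluding CRLF); these fields at most once.
MAX_LINE = 998
SINGLETONS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
              "message-id", "in-reply-to", "references", "subject"}
# Local policy caps (assumed values, tune for your gateway).
MAX_FIELD_BYTES = 8192
MAX_FIELDS = 200
FIELD_NAME = re.compile(rb"[\x21-\x39\x3b-\x7e]+")  # printable ASCII, no colon


def check_headers(raw: bytes) -> list[str]:
    """Return the policy violations found in the header block of raw."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    problems, fields = [], []
    for line in re.split(rb"\r?\n", head):
        if len(line) > MAX_LINE:
            problems.append(f"line exceeds {MAX_LINE} bytes")
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1][1] += line          # folded continuation of previous field
            continue
        name, sep, value = line.partition(b":")
        if not sep or not FIELD_NAME.fullmatch(name):
            problems.append("malformed header line")
            continue
        fields.append([name.lower().decode("ascii"), value])
    if len(fields) > MAX_FIELDS:
        problems.append(f"more than {MAX_FIELDS} header fields")
    counts = {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if len(value) > MAX_FIELD_BYTES:
            problems.append(f"{name}: unfolded value exceeds {MAX_FIELD_BYTES} bytes")
        if any(b > 126 or (b < 32 and b != 9) for b in value):
            problems.append(f"{name}: non-ASCII or control byte in value")
    for name in sorted(counts.keys() & SINGLETONS):
        if counts[name] > 1:
            problems.append(f"{name}: appears {counts[name]} times, at most 1 allowed")
    return problems


# Constructed samples (not taken from the thread).
GOOD = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
BAD = (b"From: a@example.com\r\nFrom: c@example.com\r\n"
       b"Subject: " + b"A" * 9000 + b"\r\nBad Name: x\r\n\r\nbody\r\n")
```

A gateway would reject or quarantine any message for which `check_headers` returns a non-empty list, so the client never has to parse it.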
 
I suggest sending this to IBM ASAP. Even if it is particular to your Notes instance, you would want to fix it.



BocaBurger
<===========================||////////////////|0
The pen is mightier than the sword, but the sword hurts more!
 
Ok - finally got to an IBMer who listened, let me send them an email that crashed their client on previewing the email - IBM is now fixing it. Along with the other 5 DOS attacks that I passed along. The mills of the gods grind slowly - so do the mills of IBM!!!!
 
Congratulations, and thank you for helping make Notes a better client.

Pascal.
 