I have not written a new entry for a very long time. This time I would like to discuss RFC 2821. It is the first time I have read an RFC document. Simple Mail Transfer Protocol (SMTP) is the basic Internet standard for delivering email across IP networks. The one I read is not the current version of the SMTP specification; the most recent one is RFC 5321, which I may take a look at later. Still, RFC 2821 is worth reading to see how the engineers thought about message delivery in the past.
Once the SMTP client has connected to the SMTP server, the client performs the EHLO command to introduce itself, and the server replies with the list of extensions it supports, if any. After the connection between client and server is initiated, there are three basic steps the client needs to perform to complete the mail submission.
MAIL FROM:<username@domain> – This command declares the sender of the email. It can be used to identify the sender and can be used as the reply address (of course you can specify the reply address with other commands).
RCPT TO:<username@domain> – Conversely, this command declares the receiver of the email. The SMTP server has to verify the recipient address before it accepts the mail submission. You can specify more than one recipient, or even a mailing list.
DATA – After this command is performed, the client can submit the content of the message to the server. To declare the end of the message, the client must send an extra line containing a single dot ".". The Internet Message Format (RFC 2822) defines fields inside the DATA block that represent different types of information, e.g. Subject.
The mail submission process can be visualized with the following diagram (greatly simplified; I will give a better version later).
The SMTP design may allow an attack at the very beginning, when the client tries to initialize the session. By design, the protocol allows the server to formally reject a transaction while still accepting the initial connection: the server can send a 554 (Transaction failed) response instead of 220 (<domain> service ready). However, the server must then wait for the QUIT command from the client. What if the client just leaves the connection open and never sends QUIT? And what if tons of clients (most likely tons of zombies) do the same thing at the same time? Can the server handle that? The server may be overloaded by these connections. In other words, it is a denial of service (DoS); more accurately, a distributed denial of service (DDoS), because it needs more than one machine to overload the server.
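The submission dialogue described above (EHLO, MAIL FROM, RCPT TO, DATA, the lone-dot terminator) and the 554-greeting case, as an added example that is not part of the original post and not code from any real mail server: a small in-memory model of the per-connection state an SMTP server keeps, driven by a scripted client. The server name mail.example.test, the example.test local domain, the simplified <local@domain> pattern and the three-tick idle budget are all assumptions of this example. Besides the three submission steps and the dot terminator (including the dot-stuffing rule from RFC 2821 section 4.5.2), it shows the 554 greeting path, where every command except QUIT gets a 503, and the server-side idle timeout that bounds how long a connection left open without QUIT can occupy the server (RFC 2821 section 4.5.3.2 says a server should time out while waiting for the next command).

```python
# Added example: an in-memory model of the RFC 2821 submission dialogue.
# Not the RFC's text and not any real MTA's code; names and limits are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import re

HOST = "mail.example.test"        # assumed server name
LOCAL_DOMAIN = "@example.test"    # assumed domain this server accepts mail for
IDLE_LIMIT = 3                    # assumed idle budget (ticks) before the server drops the connection
# simplified <local@domain> check, not the full RFC 2821 mailbox grammar
MAILBOX = re.compile(r"^<([^<>\s@]+@[^<>\s@]+)>$")


@dataclass
class Session:
    accept: bool = True                 # False models a server that greets with 554 instead of 220
    greeted: bool = False               # EHLO/HELO seen
    sender: Optional[str] = None        # MAIL FROM
    recipients: List[str] = field(default_factory=list)   # RCPT TO
    in_data: bool = False               # between DATA and the lone "."
    body: List[str] = field(default_factory=list)
    delivered: List[Tuple] = field(default_factory=list)  # (sender, recipients, text)
    idle: int = 0                       # ticks since the last client line
    closed: bool = False


def greet(s: Session) -> str:
    """Banner the server sends right after the connection is accepted."""
    if s.accept:
        return f"220 {HOST} ESMTP service ready"
    # RFC 2821 section 3.1: a 554 greeting rejects the transaction, but the
    # connection stays open until the client sends QUIT
    return f"554 {HOST} transaction failed"


def _reset(s: Session) -> None:
    s.sender, s.recipients, s.in_data, s.body = None, [], False, []


def handle(s: Session, line: str) -> Optional[str]:
    """Process one client line; return the reply (None while collecting DATA)."""
    if s.closed:
        return f"421 {HOST} connection closed"
    s.idle = 0
    if s.in_data:
        if line == ".":                 # lone dot ends the message
            s.delivered.append((s.sender, list(s.recipients), "\n".join(s.body)))
            _reset(s)
            return "250 OK: message accepted"
        # undo dot-stuffing: a body line starting with "." arrives as ".."
        s.body.append(line[1:] if line.startswith("..") else line)
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "QUIT":
        s.closed = True
        return f"221 {HOST} closing connection"
    if not s.accept:
        return "503 bad sequence of commands"   # after a 554 greeting only QUIT is honoured
    if verb in ("EHLO", "HELO"):
        s.greeted = True
        _reset(s)
        return f"250-{HOST}\r\n250 SIZE 10240000"   # EHLO reply lists the server's extensions
    if verb == "MAIL" and arg.upper().startswith("FROM:"):
        if not s.greeted:
            return "503 send EHLO first"
        m = MAILBOX.match(arg[5:].strip())
        if not m:
            return "501 syntax error in sender address"
        _reset(s)
        s.sender = m.group(1)
        return "250 OK"
    if verb == "RCPT" and arg.upper().startswith("TO:"):
        if s.sender is None:
            return "503 need MAIL before RCPT"
        m = MAILBOX.match(arg[3:].strip())
        if not m or not m.group(1).endswith(LOCAL_DOMAIN):
            return "550 no such user here"      # unknown mailbox or relay refused
        s.recipients.append(m.group(1))
        return "250 OK"
    if verb == "DATA":
        if not s.recipients:
            return "503 need RCPT before DATA"
        s.in_data = True
        return "354 end data with <CRLF>.<CRLF>"
    return "500 command not recognized"


def tick(s: Session) -> Optional[str]:
    """One unit of idle time with no client input; enforces the server-side timeout."""
    s.idle += 1
    if s.idle >= IDLE_LIMIT and not s.closed:
        s.closed = True
        return f"421 {HOST} idle timeout, closing connection"
    return None


def submit(sender: str, rcpts: List[str], text: str) -> Tuple[List[str], Session]:
    """Scripted client: run the whole dialogue and return (server replies, session)."""
    s = Session()
    replies = [greet(s)]
    script = ["EHLO client.example.test", f"MAIL FROM:<{sender}>"]
    script += [f"RCPT TO:<{r}>" for r in rcpts] + ["DATA"]
    # client side of dot-stuffing: prefix "." to any body line that starts with "."
    script += [("." + l) if l.startswith(".") else l for l in text.split("\n")]
    script += [".", "QUIT"]
    for line in script:
        reply = handle(s, line)
        if reply is not None:
            replies.append(reply)
    return replies, s


if __name__ == "__main__":
    # constructed sample message; the third body line exercises dot-stuffing
    for r in submit("alice@example.test", ["bob@example.test"], "Subject: hi\n\n.dotted\nbye")[0]:
        print("S:", r)
```

Run it to see the server side of one successful submission. The `tick` counter stands in for a wall-clock timer: a real server would arm a per-connection timer on accept and re-arm it on every line, and close with 421 when it fires, which is what keeps a pile of idle, QUIT-less connections from holding resources indefinitely.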
I am still working through this RFC. Next time I will discuss some extensions mentioned in RFC 2821 which may help spammers harvest email addresses from an SMTP server. Have a guess at what they are before I post the next entry. Enjoy!
