Last weekend I configured a new test machine at home and found an interesting bug chain. I was also able to reproduce it yesterday in the Swyx QA lab. Under special circumstances it is possible to use the GSE "Send Email" block to send an email to more or less the entire world. I guess that's the wet dream of every spammer (and I sincerely hope they don't read this article).
You don't believe it? Read this article...
I have to admit it sounds strange, but due to some bugs in SwyxWare and Windows SBS 2003 it really is possible. I was able to reproduce this with any SwyxWare v6.1x version and Microsoft Windows Small Business Server 2003 (Standard and Premium Edition).
So, what you have to do is the following:
- have SwyxWare v6.1x running on a SBS 2003 machine
- create a new GSE rule for any test user you like
- add the "Send Email" block to the script and configure it as follows:
- it doesn't matter which email address is configured as recipient; what matters is to set *@*.* as CC or BCC
- you need to set the "Signal Voicemail available" flag for any user you like
- that's it, give it a try by calling your script user. I suggest narrowing the recipient list by using the TLD of some small country, like Mayotte: *@*.yt
Why or how does this work?
The first bug is in the GSE itself. It uses the following regular expression to validate an email address:
\b[A-Z0-9*._%-]+@[A-Z0-9*.-]+\.[A-Z*]{2,4}\b
This is faulty because it allows asterisks (*) in the local part, the domain and the TLD. A correct regular expression would look like this:
\b[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b
The second bug is in SwyxServer itself. It also uses a regular expression to validate email addresses in its built-in Script API function PBXCall.SendEmail, but it does so only for the To field, not for the CC and BCC fields, when the "Signal Voicemail available" flag has been set. It seems someone in development forgot something...
The third bug is in the SBS 2003 Exchange Server and has been confirmed by Microsoft. One of its side effects is that it's possible to use wildcards in email addresses, which causes the Exchange server to start enumerating existing domains and sending out emails...
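To make the first two bugs concrete, here is a small Python script (added for this write-up; it is not SwyxWare code) that runs the faulty and the corrected pattern quoted above over a few constructed addresses, and then validates all three recipient fields the way PBXCall.SendEmail should. The case-insensitive flag is an assumption: the patterns only list A-Z, so the GSE presumably matches case-insensitively. Note also a caveat about the pattern as quoted: its \b anchors need a word character next to them and the TLD part requires 2 to 4 characters, so the bare *@*.* from the recipe does not match it literally; the wildcard has to sit next to at least one ordinary character, as in the samples below.

```python
import re

# Pattern the post quotes as the GSE "Send Email" block's validator. The
# asterisks inside the character classes are the defect. IGNORECASE is an
# assumption (the pattern lists only A-Z; the post does not say how it is
# applied).
FAULTY_RE = re.compile(r"\b[A-Z0-9*._%-]+@[A-Z0-9*.-]+\.[A-Z*]{2,4}\b", re.IGNORECASE)

# Corrected pattern from the post: same shape, asterisks removed.
FIXED_RE = re.compile(r"\b[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b", re.IGNORECASE)


def is_valid(pattern, address):
    """Whole-string match, so a wildcard cannot hide beside a valid address."""
    return pattern.fullmatch(address) is not None


def reject_wildcards(to, cc, bcc):
    """Validate every recipient field with the fixed pattern and return the
    (field, address) pairs that fail. The post's second bug is that the server
    checks only To; a fix has to check CC and BCC as well. This helper is
    illustrative, not SwyxServer's code."""
    bad = []
    for field, addresses in (("To", to), ("CC", cc), ("BCC", bcc)):
        for addr in addresses:
            if not is_valid(FIXED_RE, addr):
                bad.append((field, addr))
    return bad


# Constructed sample addresses: one normal, two with wildcards, one malformed.
SAMPLES = ["alice@example.yt", "spam@*.yt", "user*@*.yt", "bob@example"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:18} faulty={is_valid(FAULTY_RE, addr)!s:5} "
              f"fixed={is_valid(FIXED_RE, addr)}")
    # Only the CC/BCC wildcards are reported; the To address is fine.
    print(reject_wildcards(to=["alice@example.yt"],
                           cc=["spam@*.yt"],
                           bcc=["user*@*.yt"]))
```

The faulty pattern accepts spam@*.yt and user*@*.yt, which is exactly the wildcard domain that makes Exchange enumerate domains; the corrected pattern rejects both and still accepts a normal address. Checking To, CC and BCC through the same function is the point of the second bug: validating one field while trusting the other two is no validation at all.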
You might also be able to trigger this mass mailing without SwyxWare, just by using the SMTP interface of Exchange, but I haven't tested it.
Sometimes it's real fun to play around with things and look closely at what happens on your machine...
BTW: I have just added both SwyxWare-related bugs to the Swyx bug tracking system (Swyx00019815 and Swyx00019816), so I am sure they will be fixed shortly.