How to DoS the company Exchange server (part I)


It all started with two seemingly benign messages appearing in the Outlook inbox. The first one was an announcement for the upcoming BlueHat event. (BlueHat is a series of security-focused presentations for Microsoft employees, styled after the more famous Black Hat briefings held in Las Vegas every year.) Arriving within minutes after that was a second, follow-up message recalling the first one.

The recall feature is an interesting piece of functionality built into Outlook and Exchange. It was the subject of a Sunday New York Times article a couple of weeks ago, discussing how to handle the situation when you send a message that in retrospect comes to be viewed as perhaps written in a moment of anger or indiscretion. But contrary to what users might hope for, the recall does not automatically yank the message from recipients’ inboxes. Instead it depends on sending a follow-up message announcing the intention to recall the original one. “Intention” is the key word, and that request has to be honored by the sender and/or the sender’s email application, aka the MUA (mail user agent). Outlook recognizes these messages and, in principle, opening the second message (whether intentionally or simply by browsing with the preview pane, for example) causes the first message to be removed from the Inbox. The catch is that the recipient could choose to open the first message first, even if the recall message has already arrived. In reality the recall virtually ensures the original one will be opened and scrutinized very carefully, by drawing attention to the unintended error. (In one case HR emailed a document containing sensitive compensation information to an entire building full of employees, followed up with a recall message and an even more helpful second email explaining why the first message is “highly confidential” and urging recipients to delete it without reading.)

In this case there was nothing particularly confidential or inappropriate about the original message, perhaps a misspelling here and there or an incomplete sentence. But the original sender (identity unknown, because the message was sent out on behalf of the distribution list) dutifully recalled it. And that is when all hell broke loose. The first indication of something amiss emerged when this author, along with 2000+ employees on that alias, started receiving recall success/failure messages in his inbox. All of this is by design: when you recall a message, you can ask for confirmation from Exchange as to whether the recall succeeded or whether the recipient read the message. That generates one status message per potential recipient, returned to the original sender.

Except that in this case the message was sent on behalf of the distribution list “Bluehat Alerts”, which contained over two thousand employees. So the status messages were naturally also sent to that same DL.

That would be 2000+ status messages each delivered to 2000+ members of the alias.

Unwittingly the sender had just pulled off a remarkable denial-of-service attack against the corporate email system and succeeded in bringing the pilot deployment of the new Exchange Titanium to its breaking point.

And it only took 2 messages. One of which was intended to announce an event focused on computer security, on building/breaking systems that can survive hostile attacks. The irony was inescapable.

(continued)

cemp
