Exchange DoS vulnerability due to possible named properties overflow

From: Boris Lokhvitsky (msexpert_at_community.nospam)
Date: 11/29/04


Date: Mon, 29 Nov 2004 11:44:10 -0800

Hello All,

Here's a problem. Exchange Server 2003 has a hard quota limit for the named
properties of the messages stored in the Exchange Information store, as
described in KB article 820379. After the quota has been reached, numerous
error messages with Event ID 9667 and 12800 from MSExchangeIS are generated
in the Exchange server's Application Log. This creates DoS conditions for the
affected Information store. If the quota is increased up to the capacity
limit of the named properties table (32,000), the server can become unresponsive
to client requests.

Named properties quota overflow can be caused by malicious spammers sending
messages with randomly created SMTP X-headers. According to RFC 822, all
X-headers should be passed transparently through SMTP gateways and thus are
being accumulated in Exchange Information store.

Increasing the registry quota limit as described in KB 820379 is just a
temporary workaround since in case of continued attacks the new increased
quota will be hit very soon again, and the registry quota setting cannot
exceed the hardcoded limit of 32,000 anyway.

Another possible workaround is to move all mailboxes from the affected
Information store to another store or server. This might be a very
trouble-making operation in case of numerous actively working users, and it
still doesn't solve the problem but just delays it until named properties
quota limit is exceeded for the new database.

It would be nice to have a solution to this problem, not just a workaround.
For example, the possibility to clean up the named properties tables, or a
significant increase of the tables capacity. Maybe it is possible to write
an event sink analyzing and filtering out excessive unnecessary X-headers.

Any thoughts and/or feedback is highly appreciated, especially from MS
Exchange team.

Regards,
Boris
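
The post's closing idea, filtering out unnecessary X-headers before they reach the store, sketched as an added example in Python. It is not Exchange event sink code and not from the original post; the allowlist, the per-source limit and all function and class names are assumptions.

```python
# Added example: gateway-side X-header filter (not Exchange or event-sink code).
from email import message_from_bytes, policy

# Assumed allowlist; a real deployment would list the X-headers it relies on.
ALLOWED_X_HEADERS = {"x-mailer", "x-priority", "x-spam-status"}


def filter_x_headers(raw, allowed=ALLOWED_X_HEADERS):
    """Return (cleaned message bytes, sorted names of removed X-headers)."""
    msg = message_from_bytes(raw, policy=policy.SMTP)
    removed = {n.lower() for n in msg.keys()
               if n.lower().startswith("x-") and n.lower() not in allowed}
    for lname in removed:
        del msg[lname]  # deletes every occurrence, case-insensitively
    return msg.as_bytes(), sorted(removed)


class HeaderNameTracker:
    """Tracks distinct unknown X-header names seen per sending host."""

    def __init__(self, per_source_limit=20):
        self.per_source_limit = per_source_limit  # assumed threshold
        self.seen = {}

    def record(self, source, removed_names):
        """Return True once a source exceeds the distinct-name limit."""
        names = self.seen.setdefault(source, set())
        names.update(removed_names)
        return len(names) > self.per_source_limit


# Constructed sample message; the X-header names are made up for the example.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"To: b@example.org\r\n"
    b"Subject: test\r\n"
    b"X-Mailer: ExampleMailer 1.0\r\n"
    b"X-q7f3k2: 1\r\n"
    b"X-Zz91ab: 2\r\n"
    b"\r\n"
    b"body\r\n"
)


if __name__ == "__main__":
    cleaned, removed = filter_x_headers(SAMPLE)
    print("removed:", removed)
    print(cleaned.decode())
```

The tracker's return value is meant to feed an alert or a block decision for the sending host, so a source that keeps introducing new header names is noticed before the named properties quota is reached.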


