Hotmail can be used to launch email bombs

Microsoft's Hotmail can be used as a tool for flooding and email bombing because of a weakness in the free email service that the software giant admits will not be fixed until tomorrow.

According to security researcher Philip Stoev, who discovered the issue, Hotmail can act as email size amplifier with a factor of at least 1000, allowing an attacker to flood a victim with mail while consuming a negligible amount of bandwidth.

In a posting to the Bugtraq security mailing list, Stoev explained the problem stems from the way Hotmail handles the 'attfile' hidden form field on its Compose Message form.

"Normally, this form field contains information on the attachments that are to be sent with the message being composed. The problem is that it is possible for this form field to reference one and the same attachment several times, which will make Hotmail send this attachment as many times as desired with the outgoing mail," said Stoev.

"The amplification occurs because the attachment is actually uploaded only once, while Hotmail sends it several times to the end recipient."

Stoev estimated that, using this technique, an attacker using 100Kb of bandwidth would be able to consume 22Mb of incoming bandwidth. Beyond filtering there seems to no way of dealing with the vulnerability, which Stoev said would be relatively easy to exploit using readily available tools.

In a response posted to Bugtraq, security officials at Hotmail confirmed they were able to reproduce the problem. "The Hotmail security team has identified the changes that are needed, and is implementing the change even as we speak," they said.

"New system software is loaded every two weeks, and the next scheduled update is 14 November. We'll make sure that the change is included in that update."

Deri Jones, of security testing specialist NTA Monitor, said Microsoft would have to block people from sending a file in the same email more than once. He added that web-based email services in general can be used as a tool for email bombing by, for example, subscribing to high-volume mailing lists and forwarding mail from an account to the victim's email address.

"Victimising someone's email address is as old as email, and mail-bombing has always being a part of that," said Jones.