
outlook.express.mailbox.dos.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Bug in Outlook Express for Windows 98 causes erroneous POP3 command interpretation.

Code
`Outlook Express Win98 bug  
  
Miquel van Smoorenburg ([email protected])  
Tue, 11 May 1999 10:58:41 +0200   
  
  
  
There is a bug in Outlook Express delivered with Windows '98, at least  
version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)  
  
Windows '95 updated with MSIE 4.01 has Outlook Express 4.72.3612.1700,  
which doesn't show the problem. OE from MSIE3 and MSIE5 don't have the  
problem either. There might be versions of MSIE4 included with Windows  
'98 that don't show the problem either, but I don't have a stack of  
Windows CDs to test against.  
  
We have talked to Microsoft NL about this, tracking number S2134 T6142.  
However they either deny there is a bug ("sorry sir, this product has  
been available for a year now so there cannot be any bugs in it") or  
they do not understand what we are talking about. They also claim to  
have not received any mail we sent to them, so I am giving up on that.  
We did send them this bug report by fax, perhaps that technology is  
stable enough to work for them, I don't know.  
  
Description of the problem:  
  
A dot on a single line means EOM in the POP3 protocol. If a message  
contains that it must be escaped by adding an extra dot, so we have 2  
dots on a single line - which is OK. However if on the TCP level the  
line after this double-dot crosses over to the next packet, Outlook  
Express will interpret the double-dot as a single dot, switching back to  
POP3 command mode and interpreting the rest of the message as a response  
from the POP3 server. Result is an error message and usually a hanging  
POP3 session.  
  
Perhaps it's not really a bug in Outlook, but the Windows I/O library  
or the TCP implementation.. which is scary.  
  
So at the TCP packet level it looks like this:  
  
packet1: [message data]  
packet1: \r\n..\r\nthis is a line that  
packet2: continues in the next packet  
  
The double-dot on the 2nd line will be interpreted as a single dot.  
  
Include a few thousand lines like this in an email and the bug will trigger:  
  
So  
.  
this  
.  
might  
.  
actually  
.  
cause  
.  
the  
.  
bug  
.  
with  
.  
some  
.  
luck  
.  
repeat  
.  
until  
.  
three  
.  
times  
.  
max  
.  
mtu  
.  
of  
.  
1500  
  
  
Mike.  
--  
Indifference will certainly be the downfall of mankind, but who cares?  
  
------------------------------------------------------------------------------  
  
Outlook Express Win98 bug, addition.  
  
Miquel van Smoorenburg ([email protected])  
Wed, 12 May 1999 10:59:46 +0200   
  
In article <[email protected]>,  
Miquel van Smoorenburg <[email protected]> wrote:  
>There is a bug in Outlook Express delivered with Windows '98, at least  
>version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)  
[...]  
>Outlook  
>Express will interpret the double-dot as a single dot, switching back to  
>POP3 command mode and interpreting the rest of the message as a response  
>from the POP3 server. Result is an error message and usually a hanging  
>POP3 session.  
  
It occurred to me that it might not be clear from the original message  
but because the POP3 session is hanging, the message will not be removed  
from the server and the next time mail is checked the same thing will  
occur. This is an effective DOS attack against the mailbox.  
  
The only way to solve this is to remove the message with another  
POP3 email program (Eudora, Pegasus) or to ask the sysadmin of the POP3  
server to remove the message manually (look for a message that has a line  
starting with a dot).  
  
Upgrading to MSIE 5.0 will also solve the problem, but there is no  
simple/small bugfix from Microsoft available (an MSIE 5.0 download is  
what - 20 MB at least?) yet, as far as I know.  
  
So, ISP helpdesks - take note. This is at least one of the causes of  
the problems all these people have been having with their "blocked mail".  
  
Mike.  
--  
Indifference will certainly be the downfall of mankind, but who cares?  
`
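
The report above depends on POP3 dot-stuffing being decoded the same way wherever TCP happens to split the stream. As an added example (not from the original post and not Outlook Express code), the following incremental decoder for a multi-line POP3 response keeps its state across reads and is checked against every possible two-read split; the class and function names and the sample bytes are constructed for illustration.

```python
class Pop3BodyDecoder:
    """Incremental decoder for a POP3 multi-line response body (dot-unstuffing)."""

    def __init__(self):
        self._buf = b""      # incomplete line carried over from earlier reads
        self.lines = []      # decoded message lines, CRLF removed
        self.done = False    # True once the lone "." terminator was seen
        self.leftover = b""  # bytes after the terminator (back in command mode)

    def feed(self, chunk):
        if self.done:
            self.leftover += chunk
            return
        self._buf += chunk
        while not self.done:
            line, sep, rest = self._buf.partition(b"\r\n")
            if not sep:
                break                        # line not complete yet: decide nothing
            self._buf = rest
            if line == b".":                 # real end of message
                self.done, self.leftover, self._buf = True, rest, b""
            elif line.startswith(b"."):      # stuffed line: drop one leading dot
                self.lines.append(line[1:])
            else:
                self.lines.append(line)


def decode(wire, split_at=None):
    """Decode `wire`, optionally delivered as two reads split at `split_at`."""
    dec = Pop3BodyDecoder()
    chunks = [wire] if split_at is None else [wire[:split_at], wire[split_at:]]
    for chunk in chunks:
        dec.feed(chunk)
    return dec


def split_independent(wire):
    """True if every possible two-read split decodes like a single read."""
    ref = decode(wire)
    return all(
        (d.lines, d.done, d.leftover) == (ref.lines, ref.done, ref.leftover)
        for d in (decode(wire, i) for i in range(len(wire) + 1))
    )


# Constructed sample: body as sent after the RETR status line, then the reply
# to a following command.
SAMPLE = (b"Subject: test\r\n\r\nSo\r\n..\r\nthis is a line that continues "
          b"in the next packet\r\n.\r\n+OK constructed next reply\r\n")
```

`split_independent(SAMPLE)` is the property a client's POP3 parser needs: only a line consisting of a single dot ends the message, no matter how the bytes arrive.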
