Important notice to owners/administrators of Small Business Server 2003

 

If you are using the "POP Connector" to retrieve email from your ISP, your server may be turned into an email spammer if you have not patched it:

1.  How do I know if I am using the POP Connector?  If you, or your consultant, checked this box during system setup, you are using the POP connector:

2.  If you are using POP connector, please check to see if you have installed this patch on your system. While at the server, click on Start, Control Panel, Add/Remove programs and ensure you have patch 835734 installed:

It will be all the way at the bottom of the add/remove screen

3.  If you do NOT have this patch, download it IMMEDIATELY from here:  http://www.microsoft.com/downloads/details.aspx?FamilyId=7B1FF109-092E-4418-AA37-A53AF7B8F6FC&displaylang=en  and patch your system, and in fact visit this page and install all other patches from here: http://www.microsoft.com/windowsserver2003/sbs/downloads/default.mspx

If you used a consultant to set up your server, ensure that you forward this message to them.  If they tell you that you are using an SMTP connection, then you will not have this issue and will not need this patch.

 

This is the description of the problem as provided by an affected Internet Service Provider:


Email Replication Problem
-------------------------
 
How do I spot the problem?
 
You receive many duplicates of a genuine email originally sent to a large list of addresses. In the list of recipients, one address will appear with the string "mspop3connector." in front of it. In the internet headers of the email, it will probably look as though it has passed through many more servers and networks than necessary.
 
Many people will think this is due to a virus, or a spam attack, or the sender's mail server being misconfigured.
 

What causes this?
 
The original email has only been sent from the listed sender once. The duplicates are generated by those recipients who run unpatched Microsoft Small Business Server 2003. There is a flaw in the POP connector of this product. If it receives an email for a large number of people, it will duplicate the email and send it to all the recipients on the list again, repeatedly. The duplicated email will look as though it is being sent by the original sender, but an examination of the headers shows that it has not actually passed through their servers. This duplication effect can create millions of outbound emails from just one server.
 

How do I stop this?
 
The SBS 2003 machines must be patched - KB 835734
http://www.microsoft.com/downloads/details.aspx?FamilyId=7B1FF109-092E-4418-AA37-A53AF7B8F6FC&displaylang=en
 
Working out which servers need to be patched is harder. As above, the email address in the recipient list that has the string "mspop3connector." added to it points to one of the problem servers. Others can be found by looking at the route the email takes in the headers. Domains that are mentioned that do not relate to the sender or the recipient are likely to have this problem. Multiple tags that look like this...
 
Delivered-To: username@domain.co.uk
 
... indicate that the mailserver for "domain.co.uk" has this problem. This is because one SBS 2003 machine will generate a duplicate which is sent to another unpatched SBS 2003 machine, which sends to another and so on. These loops can be seen in the headers, which get longer as the problem continues. If the headers get too large the emails can be stopped as suspicious by anti-virus systems, although they are not in fact dangerous.
 
Replying to this list requesting that the sender stop, or discussing the number of emails you have received is a bad idea as your own email will replicate in the same way, adding to the load.
 

What happens afterwards?
 
Depending on the number of emails produced, the size of the email plus attachments and the mail systems they pass through, you may still receive duplicated emails hours, even days after the patches have been applied. This is because of the huge load that this effect placed on internet mail systems. One example generated an estimated 2 terabytes of data passing through one particular route in one day.
 

What if I sent the original email?
 
You will be receiving even more mail in the form of bounceback messages. As the recipients' mailboxes reach capacity, they will generate "Mailbox full" bouncebacks, which will be sent to you regardless of the fact that you did not generate any duplicates yourself. This bounceback flood can effectively shut down your email system and your incoming bandwidth. You may end up bouncing the bounceback messages, which can cause problems.
 

Whose fault is this?
 
There are three sets of people who could be blamed for this (note: I am not a lawyer, I cannot advise on legal implications of this).
 
1. The sender of the original email.
 
The only thing that this person did wrong was send an email to a large number of people. This is not widely known to be a bad thing to do. They did not generate the duplicates, they do not have a virus, they are not spammers.
 
2. The administrators of the SBS 2003 machines.
 
The servers should have been fully patched before going live. The date of release of this patch is 5/21/2004.
 
3. Microsoft.
 
This is a business-breaking flaw that very few people are aware of. The patch that prevents the problem is only listed as a recommended update rather than a critical one. The description of the problem in the knowledge base is a gross understatement of the chaos this can cause.
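The header checks described under "How do I stop this?" above (a recipient address carrying the "mspop3connector." prefix, and the same domain appearing in more than one Delivered-To header), as an added Python example that is not part of this notice or of the ISP's description; the sample message, addresses and hostnames are constructed.

```python
import email
from collections import Counter
from email.utils import getaddresses

# Constructed sample of a duplicated message, as the ISP description
# characterises it: one recipient tagged with the marker, and the same
# Delivered-To address appearing twice because the message looped back
# through that domain's mail server. All names here are made up.
SAMPLE = """\
Delivered-To: alice@example.co.uk
Received: from mail.example.co.uk by mx.isp.example; Fri, 04 Jun 2004 10:01:00 +0000
Delivered-To: alice@example.co.uk
Received: from sbs.other.example by mail.example.co.uk; Fri, 04 Jun 2004 09:58:00 +0000
Delivered-To: bob@other.example
From: sender@origin.example
To: alice@example.co.uk, mspop3connector.bob@other.example, carol@third.example
Subject: Newsletter

body
"""

MARKER = "mspop3connector."


def suspect_servers(raw):
    """Return (marked_domains, looped_domains) for one raw RFC 822 message.

    marked_domains: domains of To/Cc addresses whose local part starts
    with MARKER, i.e. the server that rewrote the address.
    looped_domains: domains appearing in more than one Delivered-To header,
    i.e. servers the message has already passed through at least twice.
    """
    msg = email.message_from_string(raw)
    marked = set()
    for _name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        local, _, domain = addr.rpartition("@")
        if local.startswith(MARKER):
            marked.add(domain.lower())
    counts = Counter(
        addr.strip().rpartition("@")[2].lower()
        for addr in msg.get_all("Delivered-To", [])
    )
    looped = {domain for domain, n in counts.items() if n > 1}
    return marked, looped


if __name__ == "__main__":
    marked, looped = suspect_servers(SAMPLE)
    print("tagged recipient domains:", sorted(marked))
    print("domains with repeated Delivered-To:", sorted(looped))
```

Run it over each duplicate you receive and the domains it reports are the ones whose administrators need the KB 835734 notice; a message with no marker and no repeated Delivered-To returns two empty sets.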