A crafty way of knocking out any email server using a few carefully constructed emails has been identified by a team of computer security experts. The trick involves sending forged emails that contain thousands of incorrect addresses in the “copy to” fields that are normally used to send duplicate messages.

It was discovered by Stefan Frei, who maintains the computer security site Techzoom, along with Ivo Silvestri, an independent security researcher, and Gunter Ollmann of the UK-based company NGSSoftware. They sent forged messages to the largest email servers on the internet, and found they could force huge quantities of unwanted email to pour into another mail server of their choice.

The exploit depends on finding a server configured to return a copy of the email, attachments included, for each incorrect address; whether a server behaves this way can be tested by sending it just a single message.
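As an added illustration of the mechanism the researchers describe (a constructed simulation written for this page, not code from the article or from the researchers), the following Python models one inbound message carrying many non-existent copy-to addresses under two mail-server bounce policies: the weak one, which accepts every recipient and then returns the full message to the return path for each failure, and a hardened one, which refuses unknown recipients at the SMTP RCPT TO stage and truncates the one bounce it does send. The local user directory, the over-quota mailbox, the message sizes and the per-bounce overhead are assumed values chosen to make the amplification measurable.

```python
"""Simulation of how a mail server's bounce policy turns one inbound message
into outbound traffic aimed at the (possibly forged) return path.

Added example, not code from the article or the researchers. All addresses,
sizes and the user directory below are constructed for the simulation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    envelope_from: str   # return path; bounces go here, and it can be forged
    recipients: tuple    # every RCPT TO address (To, Cc and Bcc all arrive this way)
    size_bytes: int      # headers + body + attachments


@dataclass(frozen=True)
class Bounce:
    to: str
    size_bytes: int


# Constructed data: a tiny local directory and one mailbox that is accepted
# at SMTP time but fails afterwards (e.g. over quota).
LOCAL_USERS = frozenset({"alice@example.test", "bob@example.test"})
OVER_QUOTA = frozenset({"bob@example.test"})
BOUNCE_HEADER_OVERHEAD = 512   # assumed bytes of DSN headers/explanation per bounce


def deliver_accept_then_bounce(msg):
    """Weak policy: accept every RCPT TO, then emit one bounce per
    undeliverable address, each quoting the full original message."""
    bounces = []
    for rcpt in msg.recipients:
        if rcpt not in LOCAL_USERS or rcpt in OVER_QUOTA:
            bounces.append(Bounce(msg.envelope_from,
                                  msg.size_bytes + BOUNCE_HEADER_OVERHEAD))
    return bounces


def deliver_reject_at_rcpt(msg, max_quoted_bytes=2048):
    """Hardened policy:
    1. unknown recipients are refused during RCPT TO, so this server never
       accepts the message for them and never owes anyone a bounce;
    2. a message accepted and failing later gets a single bounce whose quoted
       original is truncated, so attachments are never echoed back."""
    accepted = [r for r in msg.recipients if r in LOCAL_USERS]
    failed_after_accept = [r for r in accepted if r in OVER_QUOTA]
    bounces = []
    if failed_after_accept:
        quoted = min(msg.size_bytes, max_quoted_bytes)
        bounces.append(Bounce(msg.envelope_from, quoted + BOUNCE_HEADER_OVERHEAD))
    return bounces


def amplification(msg, bounces):
    """Bytes sent to the return path per byte received; a value above 1 means
    the server is generating more traffic than it took in."""
    return sum(b.size_bytes for b in bounces) / msg.size_bytes


def build_test_message(bogus_count=1000, size_bytes=1_000_000):
    """Constructed message of the kind the article describes: a return path
    the server cannot verify, many non-existent copy-to addresses, and a
    large attachment."""
    bogus = tuple(f"nobody{i}@example.test" for i in range(bogus_count))
    return Message("victim@example.invalid",
                   ("alice@example.test", "bob@example.test") + bogus,
                   size_bytes)


if __name__ == "__main__":
    msg = build_test_message()
    for name, policy in (("accept-then-bounce", deliver_accept_then_bounce),
                         ("reject-at-RCPT", deliver_reject_at_rcpt)):
        b = policy(msg)
        print(f"{name:20s} bounces={len(b):5d} "
              f"amplification={amplification(msg, b):9.3f}x")
```

Under the weak policy a single one-megabyte message with a thousand bad addresses produces a thousand-odd full-size bounces to whatever return path the sender chose, which is the amplification the researchers exploited; under the hardened policy the same message yields one small bounce, because the unknown recipients were refused before the message was ever accepted. Rejecting at RCPT TO (rather than accepting and bouncing), limiting the quoted size of bounces, and rate-limiting outbound bounces are the standard mitigations this simulation is measuring.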

New Scientist - Will Knight April 6, 2004