Date: Fri, 15 Jan 1999 00:52:53 PST From: Siva Sankar Adiraju To: BUGTRAQ@netspace.org Subject: Lotus Notes SMTP Server bug There is a security bug in IBM's Lotus Notes SMTP server. eg. An SMTP session: helo a 250 notes.foo.com helo b 500 Session already established. The domain name [b] passed in with HELO will be ignored. The current domain name of sending SMTP is [a]. If the strings `a' and `b' are very long (2048 chars), the Notes SMTP server starts consuming CPU and crashes. A remote denial-of- service. No workaround is known to me. The bug exists with Notes on both Solaris and Windows platforms. PS: This is not related to the gethostbyname() bug in Solaris 2.5. -- Kapil Chowksey