Hi all Sending this to bugtraq at the suggestion of a collegue on an ISP mailing list in this neck of the woods. Norton Antivirus 2002 appears to be transparently intercepting and rewriting SMTP transactions from desktops on which it is installed. In particular, it intercepts the "STARTTLS" command and returns a bogus "500 Unsupported command." response. The STARTTLS command is never sent to the SMTP server, and the response is not generated by the SMTP server. This has the effect of breaking encrypted SMTP sessions. Email clients will issue the "STARTTLS" command, recieve the bogus error from NAV, and usually abort the sending action with an obscure error message, the exact nature of which can generally only be revealed by enabling SMTP transaction logging in the mail client, or using a packet sniffer to watch the conversation. The user disabling the Norton AV process in the taskbar has no affect on this, the Administrator user (on Win2k, have not tried on other platforms) has to specifically disable outbound email scanning. What the desktop sees: << 220 mailserver.example.com ESMTP Postfix >> EHLO TEST << 250-mailserver.example.com << 250-PIPELINING << 250-SIZE 10240000 << 250-VRFY << 250-ETRN << 250-STARTTLS << 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 << 250-XVERP << 250 8BITMIME >> STARTTLS << 500 Unsupported command. >> QUIT << 221 Closing connection. Good bye. What the SMTP server sees: >> 220 mailserver.example.com ESMTP Postfix << EHLO TEST >> 250-mailserver.example.com >> 250-PIPELINING >> 250-SIZE 10240000 >> 250-VRFY >> 250-ETRN >> 250-STARTTLS >> 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 >> 250-XVERP >> 250 8BITMIME << QUIT >> 221 Bye Notice that the 221 message is also rewritten (for no apparent reason). I presume that Norton AV is doing this interception and rewriting at a network level to foil virii/worms which use their own SMTP implementations to spread via email. However, the way in which they are doing this is quite insidious. I've not seen it mentioned anywhere in the program or the documentation that it intercepts and rewrites SMTP transactions. I would hope that, at least, when their interception returns a bogus 500 response to a STARTTLS command that they could cause some kind of error to be displayed in a dialog box etc, or return a more meaningful error such as "500 Norton Antivirus has disabled use of TLS", instead of invisibly causing the use of encrypted SMTP to break for no apparent reason. Dale Clapperton
