There are several remote DoS vulnerabilities in both the SMTP and POP components of the SmartServer3 email server. By passing large command arguments to either component, an attacker can remotely cause the services to fail.
Vulnerable systems:
SmartServer version 3.75.x and prior
POP3 DoS:
A large argument (consisting of a couple thousand characters) to either the USER or PASS commands places the server in an unstable state, where it will react to every individual character entered afterwards on the current and subsequent connections. For instance, if another user connects after the attack takes place, the mail server would respond to 'USER bob' with seven separate error messages. The service must be stopped and restarted in order to return to proper functionality. The SMTP and POP services can be stopped and started from the SS3 console (the 'File' menu); it is not necessary to close the program.
SMTP DoS:
A large argument (a couple thousand characters) given to any command (other than DATA) after the HELO command will cause the server to stop responding to commands. So, if an attacker connects and enters:
HELO whatever.com
MAIL FROM: <A Large Buffer of Characters>
The service will still be able to accept subsequent connections but will be unable to respond to anything given on any connection until the service is stopped and restarted.
