lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 25 Sep 2003 17:21:51 +0200
From: Niels Bakker <niels=bugtraq@...ker.net>
To: Henning Rust <Henning.Rust@...d.uni-hannover.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Privacy leak in VeriSign's SiteFinder service #2


* Henning.Rust@...d.uni-hannover.de (Henning Rust) [Thu 25 Sep 2003, 17:13 CEST]:
> Up to now, e-mails addressed to misspelled mail domains will not be
> sent to Verisign's Fake-SMTP-service as MX records are used for
> mail-domain resolving. Verisign did not set up wildcard MX records.

Wrong.  Mail transfer agents fall back to A records if no MX records
exist for a given entry.  That's why Snubby was running in the first
place - to keep mail from accumulating in everybody's queues for a week
where at first it would've been discarded immediately.


> However, if you configure your E-Mail-Program or local Mail-Transfer-
> Agent and misspell the hostname of the SMTP-Server for outgoing mail,
> all outgoing mail will be sent to their Fake-SMTP service.

And rejected with an incorrect error message leading - again - to faulty
diagnostics.  The Internet Architecture Board has written a good
document about the operational impact of Verisign's move:

http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html


> What if Versign is planning to add wildcard MX records as well, so that
> any mail addressed to mistyped/non-existant mail domains like
> "foobar@...sgggdfasfasdf.com" will be sent to their fake SMTP service?

As said, that won't change much.  Someone proposed Verisign added "* IN
MX 0 ." as an additional wildcard but testing has shown that MTAs keep
mail spooled instead, so this won't work either.


> Expect the worst!

How much worse can it get?  On second thoughts, don't give Verisign any
ideas...


	-- Niels.

-- 
"The time of getting fame for your name on its own is over. Artwork that
 is only about wanting to be famous will never make you famous. Any fame
 is a bi-product of making something that means something. You don't go to
 a restaurant and order a meal because you want to have a shit." -- Banksy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ