Message-ID: <Pine.LNX.4.58.0406182127410.15794@shishi.roaringpenguin.com>
Date: Fri, 18 Jun 2004 21:29:37 -0400 (EDT)
From: "David F. Skoll" <dfs@...ringpenguin.com>
To: Jon Fiedler <jmf9@...u.edu>
Cc: bugtraq@...urityfocus.com
Subject: Re: Is predictable spam filtering a vulnerability?

On Fri, 18 Jun 2004, Jon Fiedler wrote:

> >In my opinion, any spam filter that silently drops e-mail is broken, and
> >is indeed a security risk. A spam filter MUST respond with a 500 SMTP
> >failure code if it rejects a message.

> This ignores client side spam filters,

Client-side spam filters that silently drop e-mail are broken. They
should generate a non-delivery notification.

Of course, that leads to all kinds of other nasty problems, so I've
concluded that client-side spam filters in general are broken, and the
only proper way to do it is on the server, and only by failing the
SMTP transaction.

> and doesn't really change the
> attack. The 500 message would be sent back to A, but not B, so B is
> still in the dark about C not receiving the emails.

No; B would get the failure message, because B is the envelope sender.

Regards,

David.
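The distinction the reply turns on, rejecting inside the SMTP transaction versus accepting and silently dropping, and the fact that the resulting bounce goes to the envelope sender (MAIL FROM) rather than the header From:, can be seen in a small model of both MTAs. The following is an added example, not code from the thread or from any real MTA; the message text, the addresses, the `looks_like_spam` content test and the `reject`/`silent_drop` modes are all constructed assumptions.

```python
"""Model of an SMTP transaction with a server-side spam filter.

Constructed example for illustration; not part of the original thread.
It contrasts rejecting at end-of-DATA with a 5xx code against accepting
with 250 and discarding, and shows who learns about the failure.
"""
import re
from typing import Optional

# Constructed sample message. The header From: names A, while the
# envelope sender (MAIL FROM below) is B: SMTP does not require them to agree.
SAMPLE_MESSAGE = "\r\n".join([
    "From: A <a@example.org>",
    "To: C <c@example.net>",
    "Subject: newsletter",
    "",
    "BUY NOW!!! limited offer",
])


def looks_like_spam(message: str) -> bool:
    """Toy content check standing in for a real filter (assumption)."""
    return re.search(r"buy now", message, re.IGNORECASE) is not None


class ReceivingMta:
    """Minimal receiving MTA for one transaction (C's mail server).

    mode="reject": refuse spam with a 5xx reply at end-of-DATA, as the
    reply above argues an MTA must.
    mode="silent_drop": reply 250 and discard, the behaviour called broken.
    """

    def __init__(self, mode: str):
        self.mode = mode
        self.envelope_from: Optional[str] = None
        self.recipients: list[str] = []
        self.delivered: list[str] = []  # messages actually stored for C

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            self.envelope_from = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(arg.split(":", 1)[1].strip("<> "))
            return "250 OK"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 unrecognised command"

    def end_of_data(self, message: str) -> str:
        """Reply sent after the terminating '.'; the filter decides here."""
        if looks_like_spam(message):
            if self.mode == "reject":
                return "550 5.7.1 Message rejected as spam"
            # Silent drop: tell the sender it was queued, then throw it away.
            return "250 OK queued"
        self.delivered.append(message)
        return "250 OK queued"


def send(server: ReceivingMta, envelope_from: str, envelope_to: str,
         message: str) -> dict:
    """Sending MTA side: drive the transaction and build any bounce (DSN).

    A DSN is addressed to the envelope sender from MAIL FROM, never to the
    header From:, which is why B (not A) learns that C did not get the mail.
    """
    transcript = []

    def cmd(line: str) -> str:
        reply = server.handle(line)
        transcript.append((line, reply))
        return reply

    cmd("EHLO client.example.org")
    cmd(f"MAIL FROM:<{envelope_from}>")
    cmd(f"RCPT TO:<{envelope_to}>")
    if not cmd("DATA").startswith("354"):
        raise RuntimeError("server refused DATA")
    final = server.end_of_data(message)
    transcript.append(("<message body>.", final))
    cmd("QUIT")

    dsn = None
    if final.startswith("5"):  # permanent failure: bounce to envelope sender
        dsn = {"to": envelope_from, "reason": final}
    return {"accepted": final.startswith("2"), "dsn": dsn,
            "transcript": transcript}


if __name__ == "__main__":
    for mode in ("reject", "silent_drop"):
        mta = ReceivingMta(mode)
        out = send(mta, "b@example.com", "c@example.net", SAMPLE_MESSAGE)
        print(f"{mode}: accepted={out['accepted']} "
              f"delivered={len(mta.delivered)} dsn={out['dsn']}")
```

Run as a script, the `reject` mode produces no delivery and a DSN addressed to b@example.com, while `silent_drop` reports acceptance, delivers nothing and generates no DSN: neither the envelope sender nor the recipient ever learns the message was lost.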