lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0406182127410.15794@shishi.roaringpenguin.com>
Date: Fri, 18 Jun 2004 21:29:37 -0400 (EDT)
From: "David F. Skoll" <dfs@...ringpenguin.com>
To: Jon Fiedler <jmf9@...u.edu>
Cc: bugtraq@...urityfocus.com
Subject: Re: Is predictable spam filtering a vulnerability?


On Fri, 18 Jun 2004, Jon Fiedler wrote:

> >In my opinion, any spam filter that silently drops e-mail is broken, and
> >is indeed a security risk.  A spam filter MUST respond with a 500 SMTP
> >failure code if it rejects a message.

> This ignores client side spam filters,

Client-side spam filters that silently drop e-mail are broken.  They
should generate a non-delivery notification.

Of course, that leads to all kinds of other nasty problems, so I've
concluded that client-side spam filters in general are broken, and the
only proper way to do it is on the server, and only by failing the
SMTP transaction.

> and doesn't really change the
> attack.  The 500 message would be sent back to A, but not B, so B is
> still in the dark about C not receiving the emails.

No; B would get the failure message, because B is the envelope sender.

Regards,

David.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ