lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040128183633.GB10544@SDF.LONESTAR.ORG>
From: petard at freeshell.org (petard)
Subject: Proposal: how to notify owners of compromised PC's

On Wed, Jan 28, 2004 at 05:19:08PM +0100, Thomas Zangl - Mobil wrote:
> A working solution (practiced at the TU Graz / Austria) would be an open
> mail relay for every user in the ISPs address space and block all outgoing
> connections to port 25. The users will be forced to use the ISPs relay and
> can?t send out virii/[apply your favorite filter rule here] etc...

Sorry for a borderline off-topic reply, but I'm cc-ing the list so this
is in the archives, in case any stupid ISP reads this and thinks it's a
good idea. It isn't.

I left my ISP about 9 months ago because they implemented this very
policy. It entirely destroyed my ability to send email from my preferred
address. Our SMTP setup at example.com relays mail from people
claiming to be @example.com if and only if they have been authenticated
using a client X.509 certificate issued by the example.com root
certificate authority. The mechanism for achieving this is to connect to
smtp.example.com, port 25, and use the STARTTLS command after the EHLO,
as described in RFC 3207. The policy you describe broke this, and
therefore prevented me from sending mail to my cohorts at example.com.
The ISP would not make an exception, so I left. I was not the only one.

regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ