I appreciate the comments. In an ideal world, all software companies would have a central forum where users/developers could discuss security, bugs, and other technical issues openly in the same way scientific researchers have journals and peer reviews. After all, everyone knows it can take many people to construct a building, but only one person to bring it down.
IMHO, it is only by open discussion and experimentation that we can keep ahead of the sort of people that would like to see our systems brought down for whatever reason. The problem is that when one of us finds something, it is a little difficult to quickly communicate to all the right people that the problem exists, then collectively work towards a solution. I appreciate the fact that IPSwitch is working on this problem, but I know that there are many of us that are willing to help at no cost. It's like all the news reporters you hear about getting past airport security. Sure it's a good thing that security is being tested and the results published. It politically and financially motivates the "higher-ups" to act quickly to improve their systems. It's a bad thing that we're letting everyone know that it can be done.

Another $0.02 in the opinion pool. With all this money, we might be able to get ourselves a "daisy cutter".

-Norm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Smart Business Lists
Sent: Wednesday, March 20, 2002 11:13 AM
To: Norman J. Nolasco
Subject: Re: [IMail Forum] Problem With Calendaring

Norman,

Wednesday, March 20, 2002 you wrote:

NJN> I don't know if there are any other conclusions that can be
NJN> drawn, but to me this points to someone who knows nothing about
NJN> iMail and just wanted to try to get a few kicks.

A lot of people, myself included, use various "public" e-mail accounts when we are uncertain just where our e-mail might be sent.

NJN> A round of "I'm sorry"'s all around to anyone who was offended by
NJN> my (including, but not limited to) comments, posts, rantings,
NJN> HTML emails, stats, web page colors, and/or disposition.

Actually my own opinion is that you are to be thanked and congratulated for finding the problem and reporting it. I certainly tested it both from your test page and from my own test program and I found that you were exactly correct.
It is a significant vulnerability. Other security vulnerabilities have been reported on this forum. One that I do not believe has been fixed yet by IPSWITCH has to do with using a % sign address sent to a secondary mail server for IMAIL. Scott Perry has a provision in declude which handles this so I have not been too concerned about it. However, I have stopped a few messages that were indeed attempting to take advantage of the vulnerability. I know this was reported to IMAIL but I do not believe it has been corrected.

So I appreciate the fact that you posted the information to the list. At least I can decide if I want to respond to the vulnerability myself.

Terry Fritts

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.

An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
