Thursday, May 30, 2002 you wrote:
RSP> I had been convinced that this was a bug in IMail, until I saw Eric's post.
I really don't care about this subject since I am using DECLUDE's test
to eliminate the vulnerability in the first place, so it doesn't
really bother me. And this is definitely my last post on the subject.
But whether IMAIL is technically correct or not this is a
vulnerability unless someone takes affirmative action to stop it.
That is proven by the experience that began this entire thread.
1) You can't relay mail for an email address without a % sign in it
from a backup server but you can relay mail for an email address
with a % sign in it.
2) If you follow the instructions from IPSWITCH for making a backup
mail server you very likely will have the ACL permitted for the
backup server and you will be vulnerable.
3) It is a known exploit for relaying as demonstrated by the fact
that the open relay testers use it. If it weren't a possible
vulnerability then why test for it?
4) There may be situations where someone cannot restrict the ACL for
the backup server. In this case their only solution would be to
use a different backup server I suppose.
5) It has been discussed for a long time with absolutely no comment
from IPSWITCH except from Eric on today's list as far as I know.
So somewhere something should be changed. Either the backup mail
server instructions need to be changed, or IMAIL needs to parse the
e-mail address differently, or people at least need to be warned about
the vulnerability so they can make other arrangements for a backup
mail server.
Or do like I've done and use the DECLUDE test.
Now to be fair, the only thing I've ever caught with the DECLUDE test
are messages sent from an open relay tester. So I doubt it is a very
widely used spammer exploit in the first place. But it still pays not
to get listed in the blackholes.
Terry
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked
questions: http://www.ipswitch.com/support/IMail/
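An added illustration of the relay check this thread is arguing about, written for this page and not code from IMail, Ipswitch or Declude: a naive relay decision that looks only at the domain after the last "@" (the view under which `user%victim.org@example.com` looks like local mail for a backed-up domain) beside a hardened one that also rejects source-routed local parts. The domain list, sample addresses and function names are constructed for the example. It goes slightly beyond the "%" form the thread discusses: the UUCP "!" bang path and an embedded second "@" reach a third party by the same rewrite-and-forward mechanism, so they are rejected the same way, and an RFC 821 route-addr (`@relay:user@host`) is treated as malformed.

```python
"""Percent-hack relay check: naive domain-only test vs. hardened test.

Added example with constructed data; not IMail, Ipswitch or Declude code.
"""
from typing import List, Optional, Tuple

# Constructed: domains this backup MX is configured to accept mail for.
BACKUP_FOR = {"example.com", "mail.example.com"}

# Characters that turn a local part into a routing instruction instead
# of a plain mailbox: user%host (percent hack), host!user (UUCP bang
# path), and a second '@' hidden inside a quoted local part.
ROUTING_CHARS = "%!@"


def split_address(rcpt: str) -> Optional[Tuple[str, str]]:
    """Split a RCPT TO argument into (local_part, domain).

    Angle brackets are stripped and the split is on the *last* '@', so
    'user%victim.org@example.com' yields domain 'example.com', which is
    exactly what a domain-only relay check sees. A leading '@' is an
    RFC 821 route-addr and is reported as unparseable (None).
    """
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr.startswith("@"):
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()


def naive_relay_check(rcpt: str) -> bool:
    """Accept when the domain after the last '@' is one we back up for.

    This is the check the percent hack slips past: the domain really is
    ours, but the local part tells us to forward the message elsewhere.
    """
    parsed = split_address(rcpt)
    return parsed is not None and parsed[1] in BACKUP_FOR


def final_destination(rcpt: str) -> Optional[str]:
    """Where a percent-hack address ends up after each hop rewrites it.

    Each MTA turns the rightmost '%' into '@' and forwards, so
    'a%b%c@d' goes d -> c -> b and is finally delivered to 'a@b'.
    Returns None for addresses that are not plain '%'-routed mailboxes.
    """
    parsed = split_address(rcpt)
    if parsed is None:
        return None
    local, domain = parsed
    if "!" in local or "@" in local:
        return None
    hops = local.split("%")
    if len(hops) == 1:
        return f"{local}@{domain}"
    return f"{hops[0]}@{hops[1].lower()}"


def hardened_relay_check(rcpt: str) -> Tuple[bool, str]:
    """Domain check plus rejection of any source-routed local part."""
    parsed = split_address(rcpt)
    if parsed is None:
        return False, "malformed or route-addr recipient"
    local, domain = parsed
    if domain not in BACKUP_FOR:
        return False, f"not a backup domain: {domain}"
    for ch in ROUTING_CHARS:
        if ch in local:
            return False, f"routing character {ch!r} in local part"
    return True, "ok"


def classify(rcpts: List[str]) -> List[Tuple[str, bool, bool]]:
    """(address, naive verdict, hardened verdict) for each recipient."""
    return [(r, naive_relay_check(r), hardened_relay_check(r)[0]) for r in rcpts]


# Constructed sample of RCPT TO arguments an open-relay tester might send.
SAMPLE_RCPTS = [
    "<joe@example.com>",                  # genuine backed-up mailbox
    "<joe@victim.org>",                   # plain third party, both reject
    "<joe%victim.org@example.com>",       # percent hack, naive accepts
    "<victim.org!joe@example.com>",       # bang path, naive accepts
    '<"joe@victim.org"@example.com>',     # quoted embedded '@'
    "<@example.com:joe@victim.org>",      # route-addr, both reject
]

if __name__ == "__main__":
    for addr, naive, hard in classify(SAMPLE_RCPTS):
        print(f"{addr:40} naive={naive!s:5} hardened={hard!s:5} "
              f"-> {final_destination(addr)}")
```

The two checks differ only on the middle four samples, which is the whole disagreement in the thread: whether an address whose domain is yours but whose local part is a forwarding instruction counts as "relaying". Whichever way the MTA answers, the hardened check makes the decision explicitly rather than leaving it to the ACL.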