Rick,

I have to be honest with you on the "Is this really a problem?"
question... I really don't know.  There are a few more things to
consider, I guess.  For example:

1) Are you a target?  If you're just hosting a few small business
web sites, then it's possible that you could get lucky and no one
will EVER attempt to hack into your server.  There's just nothing
interesting to go after.

On the other hand, if you are hosting a government sponsored site
(as we may soon) or if you host an organization that would make a
great headline (ie... political, opinionated, or finance-centric
site), then you've probably got at least 5 hack attempts a day.
One of my friends hosts SSL.com.  His firewall shows about 30-40
attacks a day with about 1 or 2 successful defacements of his site
every 6 months or so.  Needless to say, he opted for an MS Exchange
server with no web messaging.

The funny thing is, SSL.com has NOTHING to do with the organizations
who manage SSL technology.  He just sells SSL certificates.  It just
happens to be a nice target for hackers to tell their friends about.

2) How easy is it for someone to figure out what mail server you're
using?  It's easy to hack into our own servers since we KNOW we're
using IMail v.7.1 HF2, we're aware of the vulnerability, and we're
knowledgeable enough to exploit the vulnerability.

Unfortunately, just posting into this Internet archived mail list
opens up our servers! A hacker would just have to know that you use
IMail and then figure out which servers are yours.  1 of the 3 steps.

3) How easy is it for someone to figure out your email addresses?
Most of these exploits rely on the knowledge of the email address.
If you don't know what the addresses are, you can't break into an
account.

4) Do your users rely heavily on the web messaging tool?  If the
answer is yes, then the chance of an account being compromised is
increased.

5) What happens to you if someone succeeds in breaking into an account?
The reality check here is that most of the time, it really doesn't
matter.  Some people just don't use their accounts for anything
important. If someone broke into my hotmail.com account, it really
doesn't matter to me... and I doubt anyone has really tried to sue
MS for a compromised account.

My situation is a difficult one.  We may be involved in a small
project to supply emails to school district students and government
employees as part of a larger package.  So, I've got a real problem.

I really like IMail's pricing schedule and functionality.  As you've
said, it's a good product.  However:

1) We would definitely be a target.  Middle School and High School
kids are notorious for having lots of time and motivation for breaking
into our servers.

2) If someone connects these posts to me and my company, then my
company to this project, they will be able to figure out I'm using
IMail.

3) Since we have standardized addresses: [EMAIL PROTECTED]
it should be fairly trivial to figure out a target email address to
break into.

4) Since the point of supplying these addresses to the schools and
employees is to eliminate the need for expensive software and hardware,
I think our users will rely heavily on the web messaging tool.

5) We could be in serious legal trouble if some key accounts were
broken into.  For example, privacy issues if someone gets grades
that were emailed from teacher to parent through our system... or what
is our liability if an account is hijacked and FALSE grades are sent
to parents?

Thus, at least for us, I feel that if a majority of these security
issues are not resolved, we'll be forced to look for an alternative...
no matter how much I like the product.

Hope this is helpful.

-Norm

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rick Leske
Sent: Friday, June 14, 2002 8:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Possible security flaw


Norm,

I've read your post earlier and thank you again for your superior 
knowledge on all topics, but is this really anything to 'worry' about? 
Do most clients get their dynamic ip addresses automatically changed 
every 15 minutes? I would think that would generate a lot of calls to 
ISP, etc. Are a lot of IMail servers being compromised?  I've seen the 
hacks used to compromise user pwds, etc, for IMail and still believe 
it's better overall than other options..

Thanks,

~Rick


Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Please visit the Knowledge Base for answers to frequently asked
questions:  http://www.ipswitch.com/support/IMail/
