Outstanding,

Great Post Len & John,

I have a very clear overall picture now.  Our company processes email 
for several small businesses, churches, and possibly soon a school 
district including the parents and students.  We have adopted a NO Spam 
No Porn philosophy as outlined in our terms of service and now I'll have 
to add a spiel about this 'Creature Feature'.  Just keeping these issues 
under control is near impossible.

Norm, I understand you're the resident guru on the IMGate too?  Is this 
a software based system that can operate on a Windows box?  I've got a 
spare server I'd like to test it on and possibly integrate it into the 
realm.  Are there any pros or cons about IMGate?

I'm just not inclined to install yet another computer or server into the 
farm for the sake of 'email processing'.  I understand that there is a 
certain amount of vulnerability involved with any computer on the 
internet.  Some of which includes the ever present danger from viruses, 
hackers, trojan laden sporn, (sporn - spam & porn), Magic Light, and the 
installed software - let alone the underlying operating system. With 
that said it appears that I'm not left with many choices but to install 
another system at least for security sake.

I certainly hope that the Home Land Security Office will fulfill 
its duty toward clamping down on hackers.  Spam, in its current life, 
will never be fully controlled or regulated by law.  Porn, well, it 
erodes the moral fibre of any ethical soul.

tnx,


~Rick


John Tolmachoff wrote:

> Another point from my small perspective is if you have a known security
> issue that can be easily blocked, albeit at the expense of some users, I
> would rather err on the side of safety. 
> 
> We face enough problems and hack attempts, not necessarily by malicious
> intent but also by someone hacking just to say he did it.
> 
> I will stand my ground, and if any users complain, I will politely
> explain in simple terms what the problem is and why we take the stance
> of security.
> 
> After all, it appears that this only affects some users of AOL,
> Earthlink and Starband. Why, if you don't worry about the AOL crowd,
> (like we all want to,) then it doesn't affect that many people.
> 
> Just my rambling tired .02.
> 
> John Tolmachoff
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Norman J.
> Nolasco
> Sent: Friday, June 14, 2002 8:42 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [IMail Forum] Possible security flaw
> 
> Rick,
> 
> I have to be honest with you on the "Is this really a problem?"
> question... I really don't know.  There are a few more things to
> consider, I guess.  For example:
> 
> 1) Are you a target?  If you're just hosting a few small business
> web sites, then it's possible that you could get lucky and no one
> will EVER attempt to hack into your server.  There's just nothing
> interesting to go after.
> 
> On the other hand, if you are hosting a government sponsored site
> (as we may soon) or if you host an organization that would make a
> great headline (ie... political, opinionated, or finance-centric
> site), then you've probably got at least 5 hack attempts a day.
> One of my friends hosts SSL.com.  His firewall shows about 30-40
> attacks a day with about 1 or 2 successful defacements of his site
> every 6 months or so.  Needless to say, he opted for an MS Exchange
> server with no web messaging.
> 
> The funny thing is, SSL.com has NOTHING to do with the organizations
> who manage SSL technology.  He just sells SSL certificates.  It just
> happens to be a nice target for hackers to tell their friends about.
> 
> 2) How easy is it for someone to figure out what mail server you're
> using?  It's easy to hack into our own servers since we KNOW we're
> using IMail v.7.1 HF2, we're aware of the vulnerability, and we're
> knowledgeable enough to exploit the vulnerability.
> 
> Unfortunately, just posting into this Internet archived mail list
> opens up our servers! A hacker would just have to know that you use
> IMail and then figure out which servers are yours.  1 of the 3 steps.
> 
> 3) How easy is it for someone to figure out your email addresses?
> Most of these exploits rely on the knowledge of the email address.
> If you don't know what the addresses are, you can't break into an
> account.
> 
> 4) Do your users rely heavily on the web messaging tool?  If the
> answer is yes, then the chance of an account being compromised is
> increased.
> 
> 5) What happens to you if someone succeeds in breaking into an account?
> The reality check here is that most of the time, it really doesn't
> matter.  Some people just don't use their accounts for anything
> important. If someone broke into my hotmail.com account, it really
> doesn't matter to me... and I doubt anyone has really tried to sue
> MS for a compromised account.
> 
> My situation is a difficult one.  We may be involved in a small
> project to supply emails to school district students and government
> employees as part of a larger package.  So, I've got a real problem.
> 
> I really like IMail's pricing schedule and functionality.  As you've
> said, it's a good product.  However:
> 
> 1) We would definitely be a target.  Middle School and High School
> kids are notorious for having lots of time and motivation for breaking
> into our servers.
> 
> 2) If someone connects these posts to me and my company, then my
> company to this project, they will be able to figure out I'm using
> IMail.
> 
> 3) Since we have standardized addresses: [EMAIL PROTECTED]
> it should be fairly trivial to figure out a target email address to
> break into.
> 
> 4) Since the point of supplying these addresses to the schools and
> employees is to eliminate the need for expensive software and hardware,
> I think our users will rely heavily on the web messaging tool.
> 
> 5) We could be in serious legal trouble if some key accounts were
> broken into.  For example, privacy issues if someone gets grades
> that were emailed from teacher to parent through our system... or what
> is our liability if an account is hijacked and FALSE grades are sent
> to parents?
> 
> Thus, at least for us, I feel that if a majority of these security
> issues are not resolved, we'll be forced to look for an alternative...
> no matter how much I like the product.
> 
> Hope this is helpful.
> 
> -Norm
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Rick Leske
> Sent: Friday, June 14, 2002 8:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] Possible security flaw
> 
> 
> Norm,
> 
> I've read your post earlier and thank you again for your superior 
> knowledge on all topics, but is this really anything to 'worry' about? 
> Do most clients get their dynamic ip addresses automatically changed 
> every 15 minutes? I would think that would generate a lot of calls to 
> isp, etc.. Are a lot of IMail servers being compromised?  I've seen the 
> hacks used to compromise user pwds, etc, for IMail and still believe 
> it's better overall than other options..
> 
> Thanks,
> 
> ~Rick
> 
> 





Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Please visit the Knowledge Base for answers to frequently asked
questions:  http://www.ipswitch.com/support/IMail/
