-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> If I am [EMAIL PROTECTED], and I want to get all mail for
> victim.org, what would happen in the following scenario:
> 
> I have root privileges for attacker.org, and for the purpose of attack I
> will accept mail destined for victim.org.
> 
> I issue an ETRN command, with the @host extension, and wait for email to
> come to my mailboxes at attacker.org.
> 
> I don't see any restrictions in the rfc regarding how host selection
> happens, so I infer from the rfc that it's based on the 'helo'.  Is
> this right?  Does ETRN work this way?

No it doesn't. It just says "reprocess mail for victim.org sitting in 
the queue". The other side then goes to DNS (or smtproutes) and 
delivers accordingly.

It means that unless you can spoof DNS for victim.org, this 
scenario is safe. (And if you can, you can steal the mail without 
ETRN as well.)

The only "problem" is a possible DoS scenario (since anyone can 
issue ETRN, he can saturate the other side with queue runs) - or 
even this-is-gonna-cost-you if the link between server and victim is 
on-demand and expensive.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN6an4lMwP8g7qbw/EQK0cQCfeIqfQwSjSd98X2Dtaynz9niA7rEAnRBT
l7BfMSt1zVj6Y0JKipI5OjAL
=RzRE
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]
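The ETRN behaviour described in the reply (the queue run is released for the named domain, but delivery follows the server's own routing, never the caller's HELO), plus a simple rate limit for the DoS point, as an added Python model. This is example code written for this page, not code from the thread or from any MTA; the `smtproutes`/`dns_mx` tables, the 60-second interval and the host names are constructed assumptions, and the RFC 1985 reply codes are used as the model's replies.

```python
"""Toy model of ETRN (RFC 1985) queue-release semantics (added example).

ETRN <domain> asks the receiving MTA to flush its queue for <domain>.
Where that mail goes is decided by the MTA's own routing data (a static
route table in the style of qmail's smtproutes, falling back to a DNS MX
lookup), never by who sent the ETRN or what HELO name they used.
"""


class Mta:
    def __init__(self, smtproutes, dns_mx, etrn_interval=60.0):
        self.smtproutes = smtproutes   # domain -> relay host (static routes, constructed)
        self.dns_mx = dns_mx           # domain -> MX host (stand-in for a real DNS lookup)
        self.etrn_interval = etrn_interval  # assumed minimum seconds between queue runs
        self.queue = {}                # domain -> list of queued message ids
        self.last_etrn = {}            # domain -> time of last accepted ETRN
        self.delivered = []            # (msg_id, domain, relay) log of queue runs

    def enqueue(self, msg_id, domain):
        self.queue.setdefault(domain, []).append(msg_id)

    def route_for(self, domain):
        """Static route first, then MX; the ETRN client's identity plays no part."""
        if domain in self.smtproutes:
            return self.smtproutes[domain]
        return self.dns_mx.get(domain)

    def etrn(self, helo_name, domain, now):
        """Handle 'ETRN domain' from a client that introduced itself as helo_name.

        Returns the SMTP reply line. helo_name is accepted only so the
        signature mirrors a real session; routing never reads it.
        """
        if not domain or " " in domain:
            return "501 Syntax Error"
        relay = self.route_for(domain)
        if relay is None:
            return "459 Node %s not allowed: no route" % domain
        # Mitigation for the DoS concern raised in the reply: anyone may send
        # ETRN, so bound how often one domain's queue run can be triggered.
        last = self.last_etrn.get(domain)
        if last is not None and now - last < self.etrn_interval:
            return "458 Unable to queue messages for node %s" % domain
        self.last_etrn[domain] = now
        pending = self.queue.get(domain, [])
        if not pending:
            return "251 OK, no messages waiting for node %s" % domain
        # The queue run goes to the relay from our own routing, not to the caller.
        for msg_id in pending:
            self.delivered.append((msg_id, domain, relay))
        self.queue[domain] = []
        return "253 OK, %d pending messages for node %s started" % (len(pending), domain)


def demo():
    """Replay the thread's scenario with constructed names and timestamps."""
    mta = Mta(smtproutes={}, dns_mx={"victim.org": "mx.victim.org"}, etrn_interval=60.0)
    mta.enqueue("msg-1", "victim.org")
    mta.enqueue("msg-2", "victim.org")
    # A host calling itself attacker.org asks for victim.org's queue to be released ...
    first = mta.etrn("attacker.org", "victim.org", now=1000.0)
    # ... but every message still went to victim.org's MX, not to the caller.
    relays = {relay for _, _, relay in mta.delivered}
    second = mta.etrn("attacker.org", "victim.org", now=1010.0)  # too soon: rate limited
    later = mta.etrn("attacker.org", "victim.org", now=1100.0)   # allowed, queue is empty
    return first, relays, second, later


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it shows the 253 reply for the first ETRN, a delivery set containing only `mx.victim.org`, a 458 for the repeat inside the interval, and a 251 once the interval has passed and the queue is empty.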