Bugtraq mailing list archives
Re: Is predictable spam filtering a vulnerability?
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Fri, 18 Jun 2004 21:29:37 -0400 (EDT)
On Fri, 18 Jun 2004, Jon Fiedler wrote:

> > In my opinion, any spam filter that silently drops e-mail is broken, and is indeed a security risk. A spam filter MUST respond with a 500 SMTP failure code if it rejects a message.

> This ignores client side spam filters,

Client-side spam filters that silently drop e-mail are broken. They should generate a non-delivery notification. Of course, that leads to all kinds of other nasty problems, so I've concluded that client-side spam filters in general are broken, and the only proper way to do it is on the server, and only by failing the SMTP transaction.

> and doesn't really change the attack. The 500 message would be sent back to A, but not B, so B is still in the dark about C not receiving the emails.

No; B would get the failure message, because B is the envelope sender.

Regards,

David.