Full Disclosure mailing list archives

Re: Proposal: how to notify owners of compromised PC's

From: petard <petard () freeshell org>
Date: Thu, 29 Jan 2004 04:19:24 +0000

On Wed, Jan 28, 2004 at 05:37:59PM -0600, Phil Brutsche wrote:

<sending this to the list as well, since not enough people are doing the 
proper research>

I left my ISP about 9 months ago because they implemented this very
policy. It entirely destroyed my ability to send email from my preferred
address. Our SMTP setup at example.com relays mail from people
claiming to be @example.com if and only if they have been authenticated
using a client X.509 certificate issued by the example.com root
certificate authority.


Then put SMTP on a different TCP port.  RFC 2476, which specifies TCP 
port 587 to be a message submission port for MUAs, was specifically 
created to address this issue.

OK. You get a cookie. You've heard of RFC 2476. Now read it and you can
have another. From the RFC:

"A site MAY choose to use port 25 for message submission,
by designating some hosts to be MSAs and others to be MTAs."
Section 3.1 [emphasis in the original]

Because of my ISP's suddenly BROKEN service, I was no longer able to
operate in this RFC-compliant manner.

This is in fact our preferred mode of operation at example.com, as it
allows maximum client interoperability, or did anyway... It was
our only mode of operation at that time. When this happened with my ISP,
unannounced, we set the process in place to get the necessary holes
punched in our firewalls and configure an extra instance of the smtp
daemon on 587. This took weeks, and I still switched to a non-broken
ISP. Our admins are not paid to work around ISPs who do not provide what
they say they do, or suddenly and without notice stop doing so.

At any rate, blocking port 25 is a half-assed solution to a problem that
needs to be solved at the MUA, not the MTA or MSA.


regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Proposal: how to notify owners of compromised PC's Erik van Straten (Jan 28)
- <Possible follow-ups>
- Re:Proposal: how to notify owners of compromised PC's Thomas Zangl - Mobil (Jan 28)
  - Re: Re:Proposal: how to notify owners of compromised PC's Jonathan A. Zdziarski (Jan 28)
  - Re:Proposal: how to notify owners of compromised PC's Erik van Straten (Jan 28)
  - Re: Proposal: how to notify owners of compromised PC's petard (Jan 28)
    - Re: Proposal: how to notify owners of compromised PC's Phil Brutsche (Jan 28)
    - Re: Proposal: how to notify owners of compromised PC's petard (Jan 28)
    - Re: Proposal: how to notify owners of compromised PC's Phil Brutsche (Jan 29)
    - Re: Proposal: how to notify owners of compromised PC's Åke Nordin (Jan 29)
- Fwd:Re:Proposal: how to notify owners of compromised PC's Thomas Zangl - Mobil (Jan 28)
- Re:Proposal: how to notify owners of compromised PC's Thomas Zangl - Mobil (Jan 28)
  - Re: Proposal: how to notify owners of compromised PC's petard (Jan 28)
  - Re: Proposal: how to notify owners of compromised PC's Dave Sherohman (Jan 29)