Re: Eudora incoming email affects behavior

[jdyson () TECHREPORTS JPL NASA GOV (Jay D. Dyson)]

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 18 Feb 2000, Thomas Kluegel wrote:

> When a person downloads and uses the newly released adware Eudora 4.3,
> Qualcomm eventually sends out an email entitled:
>
> "Eudora Profile Information for youraddress () domain com".
>
> When Eudora receives this email it recognizes it as special and loads
> personal profile information.  This seems very questionable, to
> distribute a client that can respond to special message emails sent to
> it.  One wonders, what else can it do?  Whatever Qualcomm can make it do
> via email, surely a forged email sent by anybody could do the same.
> Also, we have to take their word that arbitrary code execution isn't a
> part of the new Eudora's design.
>
> Am I off in the weeds with my concern on this?

        Sounds like a sane concern to me.  For what it's worth, any
special event triggered by a simple e-mail with little or no attempt at
serious authentication of origin strikes me as an issue of merit.

        I'd like to see a copy of this message with full headers.  With
that alone, we can play with some forgeries and see what shakes loose.  It
should prove interesting, to say the least.

- -Jay

   (                                                             ______
   ))   .-- "There's always time for a good cup of coffee." --.   >===<--.
 C|~~| (>-- Jay D. Dyson -- jdyson () techreports jpl nasa gov --<) |   = |-'
  `--'  `- It's a thankless job, but I've got Karma to burn. -'  `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Email me for my current public key.

iQCVAwUBOK0WcYzYnY/37fGZAQHtZgQAl+aVL7kDdsoTlUX/mgvECj2ncFTVIWes
gurUy1Zs5BKRmJ6B21BInlxS7Jmx265yjwLnnId49PQjsvMMd193OKBoP1E7Us/Z
aUMHJTpEBo7QESnqArISYvlauqiH3YViZwSP1iCHYLvnXvIz5wa5P6zp54I38bqM
VRWDDzA5Wdk=
=qMB6
-----END PGP SIGNATURE-----