[35378] in bugtraq

Re: Is predictable spam filtering a vulnerability?

daemon@ATHENA.MIT.EDU (David F. Skoll)
Sat Jun 19 17:00:20 2004

Date: Fri, 18 Jun 2004 21:29:37 -0400 (EDT)
From: "David F. Skoll" <dfs@roaringpenguin.com>
To: Jon Fiedler <jmf9@cwru.edu>
Cc: bugtraq@securityfocus.com
In-Reply-To: <40D38D99.8090903@cwru.edu>
Message-ID: <Pine.LNX.4.58.0406182127410.15794@shishi.roaringpenguin.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 18 Jun 2004, Jon Fiedler wrote:

> >In my opinion, any spam filter that silently drops e-mail is broken, and
> >is indeed a security risk.  A spam filter MUST respond with a 500 SMTP
> >failure code if it rejects a message.

> This ignores client side spam filters,

Client-side spam filters that silently drop e-mail are broken.  They
should generate a non-delivery notification.

Of course, that leads to all kinds of other nasty problems, so I've
concluded that client-side spam filters in general are broken, and the
only proper way to do it is on the server, and only by failing the
SMTP transaction.

> and doesn't really change the
> attack.  The 500 message would be sent back to A, but not B, so B is
> still in the dark about C not receiving the emails.

No; B would get the failure message, because B is the envelope sender.

Regards,

David.
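
The distinction the reply turns on, a rejection at SMTP time versus a silent drop, and where the failure notice goes, as an added simulation that is not part of the original thread. It models one receiving MTA running a toy content check against a constructed marker string; the hostnames, addresses, the `XSPAM-CONSTRUCTED` marker and the two policy names are assumptions made for the example. The point it shows is that a 5xx reply to DATA puts the sending MTA in a position to generate a non-delivery notification to the envelope sender (the MAIL FROM address), regardless of what the message's `From:` header says, while a 250 followed by a drop tells nobody anything.

```python
"""Toy SMTP transaction: reject-with-5xx versus silent drop.

Constructed example. Real MTAs have many more states and replies; this
only models the part of the exchange the discussion is about.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed marker the toy filter keys on. A real filter scores content;
# the marker just makes the example deterministic.
SPAM_MARKER = "XSPAM-CONSTRUCTED"


def looks_like_spam(body: str) -> bool:
    """Stand-in for a content filter: spam if the marker appears in the body."""
    return SPAM_MARKER in body


@dataclass
class Outcome:
    transcript: List[Tuple[str, str]]  # ("C"|"S", line) pairs of the exchange
    delivered: bool                    # message reached the recipient mailbox
    reply_to_data: str                 # reply the sending MTA saw after DATA
    bounce_to: Optional[str]           # who the sending MTA notifies, if anyone


def receive_transaction(policy: str, envelope_from: str, header_from: str,
                        rcpt: str, body: str) -> Outcome:
    """Run one SMTP transaction under a filtering policy.

    policy is "reject" (fail the transaction with a 5xx after DATA) or
    "silent_drop" (accept with 250, then discard). Both names are assumed.
    """
    if policy not in ("reject", "silent_drop"):
        raise ValueError("unknown policy: %r" % policy)

    t: List[Tuple[str, str]] = []
    client = lambda s: t.append(("C", s))
    server = lambda s: t.append(("S", s))

    server("220 mx.example.net ESMTP")          # constructed hostnames
    client("EHLO relay.example.org")
    server("250 mx.example.net")
    client("MAIL FROM:<%s>" % envelope_from)    # envelope sender = bounce address
    server("250 2.1.0 Ok")
    client("RCPT TO:<%s>" % rcpt)
    server("250 2.1.5 Ok")
    client("DATA")
    server("354 End data with <CR><LF>.<CR><LF>")
    # The header From: is just message content; it plays no role in routing a bounce.
    client("From: %s\r\nTo: %s\r\n\r\n%s\r\n." % (header_from, rcpt, body))

    spam = looks_like_spam(body)
    if spam and policy == "reject":
        # Failing the transaction: the sending MTA now owns the failure and
        # will generate a non-delivery notification to the envelope sender.
        reply = "550 5.7.1 Message rejected as spam"
        delivered, bounce_to = False, envelope_from
    elif spam:
        # Silent drop: the sending MTA is told the message was accepted, so
        # it has no reason to notify anyone, and the recipient never sees it.
        reply = "250 2.0.0 Ok: queued"
        delivered, bounce_to = False, None
    else:
        reply = "250 2.0.0 Ok: queued"
        delivered, bounce_to = True, None
    server(reply)
    client("QUIT")
    server("221 Bye")
    return Outcome(t, delivered, reply, bounce_to)


def print_transcript(outcome: Outcome) -> None:
    for who, line in outcome.transcript:
        print("%s: %s" % (who, line.replace("\r\n", "\\r\\n")))


if __name__ == "__main__":
    # Mailing-list style case: envelope sender differs from header From.
    o = receive_transaction("reject", "list-bounces@example.org",
                            "author@example.com", "user@example.net",
                            "hello " + SPAM_MARKER)
    print_transcript(o)
    print("delivered:", o.delivered, "bounce goes to:", o.bounce_to)
```

Running the block prints the exchange for the reject case; swapping the policy to `"silent_drop"` shows the sending side getting a 250 and `bounce_to` becoming `None`, which is the failure mode the reply calls broken.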
