Chris Faehl wrote:
[Paul Mansfield]
> > > > - only have valid results in 20% of cases
> > > As I said, my experience doesn't conform to that percentage;
> > hmmm, if I encounter someone who allows verify, I suggest they turn it off!
> > > > (it's considered very bad practise to
> > > > allow verify to work as it poses a security risk
> > > I see that Philip's site practises what it preaches. Tell us a little
> > > about the security risks, please?
> > well, it means someone can expand mail addresses, and fundamentally get
> > information about real users... like finger. they can then try and crack
> > logins.
> Like they can't get plenty of account info just by scanning newsgroups and
> mailing list archives... vrfy is only really going to work if you already
> know an email address (expn is probably a good thing to disallow).
> Being able to verify email addresses and perform remote fingers is
> convenient. I doubt this information really constitutes that
> great a security risk.
This is precisely my feeling. I'm pretty paranoid about our network,
cops, firewall, proxy out, all kinds of restrictions. I can't see any
risk whatsoever in verifying that a person exists. And of course we
allow people to finger us. Now crack our Unix server, telnet to it,
rlogin, rexec, WinNuke it, bombard it, IP-spoof it, get our high ports -
I'll know who you are and precisely what you're doing, and will be in
touch with your administrator by return.
Thanks, Chris
Tony
--
Tony Earnshaw
Systems Manager
Electronic_State
Groeneweg 150
3981 CP Bunnik, The Netherlands
Telephone: +31 30 6563881
Fax: +31 30 6562472
URL:
http://www.e-state.com
**** The Magic is UNIX ****
--
*** Exim information can be found at
http://www.exim.org/ ***
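The detection side Chris alludes to ("I'll know who you are and precisely what you're doing"), as an added example that is not from the thread or from Exim: a small Python script over SMTP command logs that flags clients using VRFY/EXPN to enumerate many distinct names rather than to check one recipient before sending. The log format, client addresses and names are constructed.

```python
"""Flag SMTP clients that use VRFY/EXPN to harvest addresses.

Added example for this thread, not Exim's code. The log format is
constructed: "<client-ip> <COMMAND> <argument> <reply-code>", one
line per SMTP command the server saw.
"""
from collections import defaultdict

# Constructed sample: one client probing many names, one normal sender.
SAMPLE_LOG = """\
203.0.113.9 VRFY root 252
203.0.113.9 VRFY postmaster 252
203.0.113.9 VRFY alice 252
203.0.113.9 VRFY bob 550
203.0.113.9 VRFY carol 550
203.0.113.9 EXPN staff 252
198.51.100.4 MAIL FROM:<x@example.org> 250
198.51.100.4 RCPT TO:<tony@example.net> 250
198.51.100.4 VRFY tony 252
"""

PROBE_COMMANDS = {"VRFY", "EXPN"}

def summarise(log_text):
    """Per client IP: probe count, distinct probed names, total commands."""
    stats = defaultdict(lambda: {"probes": 0, "targets": set(), "commands": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, cmd, arg = parts[0], parts[1].upper(), parts[2]
        s = stats[ip]
        s["commands"] += 1
        if cmd in PROBE_COMMANDS:
            s["probes"] += 1
            s["targets"].add(arg)
    return stats

def harvesters(log_text, min_targets=3, min_ratio=0.5):
    """IPs whose session is mostly VRFY/EXPN across several distinct names.

    One lookup before sending mail is normal; many distinct names and
    little or no mail is enumeration, the risk debated in this thread.
    """
    flagged = []
    for ip, s in summarise(log_text).items():
        if len(s["targets"]) >= min_targets and s["probes"] / s["commands"] >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

Thresholds are deliberately loose defaults; tune `min_targets` and `min_ratio` to the traffic a given server actually sees.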