Re: [EXIM] question about verification of email addresses

Author: Tony Earnshaw
Date:  
To: Chris Faehl, Exim
Subject: Re: [EXIM] question about verification of email addresses
Chris Faehl wrote:

[Paul Mansfield]
> > > > - only have valid results in 20% of cases
> > > As I said, my experience doesn't conform to that percentage;


> > hmmm, if I encounter someone who allows verify, I suggest they turn it off!


> > > > (it's considered very bad practise to
> > > > allow verify to work as it poses a security risk
> > > I see that Philip's site practises what it preaches. Tell us a little
> > > about the security risks, please?


> > well, it means someone can expand mail addresses, and fundamentally get
> > information about real users... like finger. they can then try and crack
> > logins.


> Like they can't get plenty of account info just by scanning newsgroups and
> mailing list archives... vrfy is only really going to work if you already
> know an email address (expn is probably a good thing to disallow).


> Being able to verify email addresses and perform remote fingers is
> convenient. I doubt this information really constitutes that
> great a security risk.


This is precisely my feeling. I'm pretty paranoid about our network,
cops, firewall, proxy out, all kinds of restrictions. I can't see any
risk whatsoever in verifying that a person exists. And of course we
allow people to finger us. Now crack our Unix server, telnet to it,
rlogin, rexec, WinNuke it, bombard it, IP-spoof it, get our high ports -
I'll know who you are and precisely what you're doing, and will be in
touch with your administrator by return.

Thanks, Chris

Tony

-- 
Tony Earnshaw
Systems Manager
Electronic_State
Groeneweg 150
3981 CP Bunnik, The Netherlands
Telephone:    +31 30 6563881
Fax:        +31 30 6562472


URL: http://www.e-state.com

**** The Magic is UNIX ****

--
*** Exim information can be found at http://www.exim.org/ ***
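The thread above disagrees over whether answering VRFY/EXPN is a risk. The following added example (my own illustration, not Exim's code or any poster's configuration) models the two server policies being argued about: an open server answers VRFY/EXPN differently for a real user and a made-up one, so the replies reveal which accounts exist; a hardened server gives the same non-committal answer either way (the RFC 5321 "252" form for VRFY, and EXPN refused). The user and list tables are constructed sample data.

```python
"""Model of how an SMTP server's VRFY/EXPN policy leaks or hides user existence."""
from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    allow_vrfy: bool
    allow_expn: bool
    # Constructed sample data: local account names and expandable lists.
    users: dict = field(default_factory=lambda: {"tony": "tony@example.net"})
    lists: dict = field(default_factory=lambda: {"staff": ["tony@example.net"]})

    def vrfy(self, name: str) -> str:
        """Reply to 'VRFY <name>'."""
        if not self.allow_vrfy:
            # RFC 5321 non-committal reply: identical for real and unknown names.
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        addr = self.users.get(name.lower())
        # Open policy: the reply code itself tells the client whether the user exists.
        return f"250 <{addr}>" if addr else "550 No such user here"

    def expn(self, name: str) -> str:
        """Reply to 'EXPN <list>'."""
        if not self.allow_expn:
            return "502 EXPN command not implemented"
        members = self.lists.get(name.lower())
        if members is None:
            return "550 No such list here"
        # Multi-line SMTP reply: '250-' on all but the last line, '250 ' on the last.
        last = len(members) - 1
        return "\n".join(
            f"250{'-' if i < last else ' '}<{m}>" for i, m in enumerate(members)
        )


def leaks_existence(policy: SmtpPolicy, real: str, fake: str) -> bool:
    """True if a remote VRFY probe can distinguish a real user from a made-up one."""
    return policy.vrfy(real) != policy.vrfy(fake)


if __name__ == "__main__":
    for label, pol in (("open", SmtpPolicy(True, True)), ("hardened", SmtpPolicy(False, False))):
        print(f"{label}: VRFY tony -> {pol.vrfy('tony')!r}; VRFY nobody -> {pol.vrfy('nobody')!r}")
        print(f"{label}: leaks existence? {leaks_existence(pol, 'tony', 'nobody')}")
```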