[ On Friday, January 28, 2000 at 17:13:30 (+0000), Ian Southam wrote: ]
> Subject: Re: [Exim] vulnerabilities
>
> To save you any more embarrassment, your consultants are talking rubbish.

Indeed!

> VRFY and EXPN can give out information about your network to third parties
> which you may not want to make available. For this reason I think both (but
> certainly VRFY) are disabled by default in Exim.

Disabling VRFY can't really hide anything -- just make it a tad bit
harder to obtain. It's not really a risk and disabling it isn't really
a deterrent.

EXPN can only reveal stuff if the mailer is implemented that way, and
indeed if there's something to reveal. If you have no local mailing
lists then no amount of EXPN usage can determine their non-existent
contents.... :-)

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>