RE: TECH-OMISSION: Security vulnerability - Malicious DSNattacks

[<terry@xxxxxxxxxxxxxxxxxxxx>]

RE:
>Do you agree?  If so, then I think this is important to mention
>because it significantly reduces the risk level associated with
>the vulnerability you're writing about; one cannot easily launch
>this type of attack from anywhere on the Internet.

I disagree because "anywhere on the internet" has to include the thousands of trojaned workstations
(and even servers) that are in the wild.


Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry@xxxxxxxxxxxxxxxxxx
Fax: (416) 441-9085


-----Original Message-----
From: owner-ietf-mxcomp@xxxxxxxxxxxx [mailto:owner-ietf-mxcomp@xxxxxxxxxxxx]On Behalf Of Daryl
Odnert
Sent: Tuesday, August 31, 2004 12:48 PM
To: 'Chris Haynes'; IETF MARID WG
Subject: RE: TECH-OMISSION: Security vulnerability - Malicious DSNattacks


Chris Haynes wrote:
> > Normally, only MTAs that are operated by (or trusted by) V for outbound
> > SMTP mail processing would be configured this way.  Therefore, the attack
> > is only likely to occur if it can be launched from an IP address that
> > normally submits mail from V to P.


Do you agree?  If so, then I think this is important to mention
because it significantly reduces the risk level associated with
the vulnerability you're writing about; one cannot easily launch
this type of attack from anywhere on the Internet.


Regards,
Daryl Odnert
Tumbleweed Communications
Redwood City, California