Re: RSET command - possible security loophole
At 5:10 pm -0400 30/5/2011, Hector Santos wrote:
> So basically, on the first DATA attempt our data filter returned a
> FAIL=451 which was a greylist filter script, the transaction and state
> was cleared with RSET. Then during the 2nd attempt the client was able
> to get by the initial rejection.
If you read a bit further into section 4.1.1.5 it says:

    It is effectively equivalent to a NOOP (i.e., it has no effect) if
    issued immediately after EHLO, before EHLO is issued in the session,
    after an end of data indicator has been sent and acknowledged, or
    immediately before a QUIT.
If your server is adhering to the standard, you would still have
the same problem even if the spammer left out the RSET, or replaced it
with a NOOP, so this isn't a problem with RSET.
Glenn.
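The exchange discussed above, modelled as an added example that is not code from either poster: a minimal server-side SMTP transaction state machine with the section 4.1.1.5 semantics (end of data ends the transaction; RSET afterwards is a no-op) driving a triplet-keyed greylist at end-of-data. The client addresses, the 300-second minimum greylist delay and the `enforce_delay` switch (which models a filter that forgets to enforce a retry delay) are assumptions for illustration. Running the two-attempt session with RSET, with NOOP, or with nothing between the attempts gives identical replies; only the greylist's own timing policy decides whether the retry gets through.

```python
"""Added example: RFC 5321 section 4.1.1.5 RSET semantics versus a greylist
filter run at end-of-data.  Not code from the original thread.  Addresses,
delay and the enforce_delay switch are assumptions for illustration."""

GREYLIST_MIN_DELAY = 300  # seconds a triplet must age before acceptance (assumed policy)


class Greylist:
    """Greylisting keyed on the usual (client IP, MAIL FROM, RCPT TO) triplet."""

    def __init__(self, min_delay=GREYLIST_MIN_DELAY, enforce_delay=True):
        self.seen = {}                      # triplet -> time first seen
        self.min_delay = min_delay
        self.enforce_delay = enforce_delay  # False models a filter with no retry delay

    def check(self, triplet, now):
        first = self.seen.get(triplet)
        if first is None:
            self.seen[triplet] = now
            return "451 4.7.1 Greylisted, try again later"
        if self.enforce_delay and now - first < self.min_delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 2.0.0 Message accepted"


class SmtpSession:
    """Minimal server-side SMTP transaction state; not a network server."""

    def __init__(self, client_ip, greylist, clock):
        self.client_ip = client_ip
        self.greylist = greylist
        self.clock = clock
        self.helo_done = False
        self._clear()

    def _clear(self):
        # RSET (and end of data) discard sender, recipients and buffered mail data
        self.mail_from = None
        self.rcpt_to = []

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo_done = True
            self._clear()
            return "250 mail.example.test"
        if verb == "RSET":
            self._clear()                   # no-op if no transaction is open
            return "250 2.0.0 OK"
        if verb == "NOOP":
            return "250 2.0.0 OK"
        if verb == "MAIL":
            if not self.helo_done:
                return "503 5.5.1 Send EHLO first"
            self._clear()                   # MAIL starts a fresh transaction
            self.mail_from = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL FROM first"
            self.rcpt_to.append(arg.split(":", 1)[1].strip("<> "))
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Need RCPT TO first"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Unknown command"

    def end_of_data(self):
        """Client sent the terminating '.' line: run the greylist filter, then
        reset transaction state whatever the verdict (end of data ends the
        transaction, so a following RSET changes nothing)."""
        triplet = (self.client_ip, self.mail_from, self.rcpt_to[0])
        reply = self.greylist.check(triplet, self.clock())
        self._clear()
        return reply


def replay(enforce_delay, between):
    """Two delivery attempts of the same message in one connection, one second
    apart, separated by `between` (an SMTP command line or None).  Returns the
    two end-of-data reply codes."""
    now = [1_000_000.0]                      # fake clock, seconds
    session = SmtpSession("192.0.2.10", Greylist(enforce_delay=enforce_delay),
                          lambda: now[0])
    session.command("EHLO bulk.example.net")
    codes = []
    for _ in range(2):
        session.command("MAIL FROM:<bulk@example.net>")
        session.command("RCPT TO:<victim@example.org>")
        session.command("DATA")
        codes.append(session.end_of_data()[:3])
        if between:
            session.command(between)
        now[0] += 1.0                        # retry well inside the greylist delay
    return codes


if __name__ == "__main__":
    for between in ("RSET", "NOOP", None):
        print("delay enforced,", between, replay(True, between))
        print("no delay,      ", between, replay(False, between))
```

With the delay enforced every variant yields 451 twice; with `enforce_delay=False` every variant yields 451 then 250, RSET or not, which is the point Glenn makes: the retry is decided by the filter's own triplet bookkeeping, not by what the client sends between transactions.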