Bugtraq mailing list archives
Re: Privacy leak in VeriSign's SiteFinder service #2
From: Niels Bakker <niels=bugtraq () bakker net>
Date: Thu, 25 Sep 2003 17:21:51 +0200
* Henning.Rust () stud uni-hannover de (Henning Rust) [Thu 25 Sep 2003, 17:13 CEST]:
Up to now, e-mails addressed to misspelled mail domains will not be sent to Verisign's Fake-SMTP-service as MX records are used for mail-domain resolving. Verisign did not set up wildcard MX records.
Wrong. Mail transfer agents fall back to A records if no MX records exist for a given entry. That's why Snubby was running in the first place - to keep mail from accumulating in everybody's queues for a week where at first it would've been discarded immediately.
However, if you configure your E-Mail-Program or local Mail-Transfer- Agent and misspell the hostname of the SMTP-Server for outgoing mail, all outgoing mail will be sent to their Fake-SMTP service.
And rejected with an incorrect error message leading - again - to faulty diagnostics. The Internet Architecture Board has written a good document about the operational impact of Verisign's move: http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
What if Versign is planning to add wildcard MX records as well, so that any mail addressed to mistyped/non-existant mail domains like "foobar () sdfsgggdfasfasdf com" will be sent to their fake SMTP service?
As said, that won't change much. Someone proposed Verisign added "* IN MX 0 ." as an additional wildcard but testing has shown that MTAs keep mail spooled instead, so this won't work either.
Expect the worst!
How much worse can it get? On second thoughts, don't give Verisign any ideas... -- Niels. -- "The time of getting fame for your name on its own is over. Artwork that is only about wanting to be famous will never make you famous. Any fame is a bi-product of making something that means something. You don't go to a restaurant and order a meal because you want to have a shit." -- Banksy
Current thread:
- Privacy leak in VeriSign's SiteFinder service Richard M. Smith (Sep 24)
- Privacy leak in VeriSign's SiteFinder service #2 Mark Coleman (Sep 24)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Marco Ivaldi (Sep 24)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Diego Bitencourt Contezini (Sep 24)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Henning Rust (Sep 25)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Niels Bakker (Sep 25)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Marco Ivaldi (Sep 24)
- Re: Privacy leak in VeriSign's SiteFinder service #2 der Mouse (Sep 24)
- Re: Privacy leak in VeriSign's SiteFinder service #2 Hugo van der Kooij (Sep 24)
- Message not available
- Re: Privacy leak in VeriSign's SiteFinder service #2 Timothy J. Biggs (Sep 25)
- Privacy leak in VeriSign's SiteFinder service #2 Mark Coleman (Sep 24)