Horde/IMP versus Squirrelmail

Jeff The Riffer riffer at vaxer.net
Tue May 24 22:41:10 EDT 2005


On Tue, 24 May 2005, Steven Champeon wrote:
>on Tue, May 24, 2005 at 02:55:47PM -0400, Matt Pusateri wrote:
>> I've been using SM for at least 2 years and the majority of
>> vulnerabilities have been cross site scripting vulnerabilities.  Since
>> SM is a mail client only, I find it hard to believe that SM itself is
>> responsible for all the Scam emails you have been getting.
>I don't follow - seems to me that mail clients are what are used to send
>mail.

For a broad definition of mail client, yes. What mail client am I using when
I telnet to port 25?

Spammers use software to deliver their spam in all sorts of inventive ways,
often ignoring standards and of course common courtesy. I'd hesitate to
label any of their spamware "mail clients". And of course their spamware
forges all sorts of headers, including the mailer agent stuff.

>Looks to me like SM 1.4.4 is vulnerable to exploit or the server is
>configured to allow free webmail account signups for criminals.

I strongly suspect the latter. Or you're just getting a lot of e-mail with
forged headers.

>Seems to me that running software that enables remote sending of mail
>without properly securing it against fraudsters is irresponsible.

Indeed, but all too common. And hardly a flaw with Squirrelmail itself.
That's a social problem. Just like spam.

 ####################==============---- ----==============####################
#     riffer at vaxer.net - Jeff The Riffer - Drifter... - Homo Postmortemus     #
# Disclaimer: I am not a number, I am a free man, and my thoughts are my own. #
# GCS$ d-- H++ s:++ !g p+ au0 a34 w+ v?(*) C++ UA P? L 3 E---- N++ K- W-- M+ V#
# po--- Y+ t+ 5+ !j R G' tv b+ D++ B--- e+ u--- h--- f+ r+++ n- y+++*         #


