
Re: [Asrg] attention bonds, was Email Postage

2008-11-29 13:28:47
On Fri, Nov 28, 2008 at 03:56:07PM -0500, Barry Shein wrote:
> I don't see how 10^8 compromised systems can get past that, short of
> the ietf mail server being compromised which could happen but isn't
> likely, and is less likely to persist long enough to be much of a
> concern.

If the system of any subscriber is compromised, or if the email
credentials (username, password, server triplet) of any subscriber
are used on a system which is compromised, then the adversary has the
ability to send mail as the subscriber.  Note that compromise of some
systems will lead to disclosure of many sets of email credentials.

(So why haven't we seen more of this to date?  There's no need for
spammers or phishers to bother.  However, it's abundantly clear that
they have had this ability for years and can exercise it at will.
And no doubt were we so silly as to deploy an infrastructure that
they've already thoroughly defeated, they *would*.)

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg