RE: SPF will solve spam and punish spammers2004-07-24 04:02:08Dearest Ryan, On Fri, 2004-07-23 at 15:14, Ryan Malayter wrote: [Michel Bouissou]Impossible. They don't have any "GOOD SECURE mail server" at "A Micro$oft Shop". Actually Michael, Exchange is probably one of the more secure Microsoft products. It certainly appears to suffer from the fewest bugs. However, many of the Exchange servers I have seen have been sitting behind Qmail, Sendmail or Postfix running on OpenBSD or some Linux variant. A smart move, probably. It is my humble opinion that Exchange is rather bloated and suffers from feature creep like much else out there. Exactly how many port 25, remote code execution exploits have been discovered against Microsoft SMTP/excahnge servers since 1 January 2000? *SIGH* Ok first of all, you can't only look in that area my friend. You must examine the entire server, that aside do you realize that more than 70% of the crap you posted were not SMTP exploits? In fact, all you have done is make your self questionable. Exactly one: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714 *SIGH* MS Exchange Server: ------------------- 2004-04-14: Microsoft Remote Procedure Call Service DoS Vulnerability 2004-04-14: Microsoft Exchange Server Buffer Overflow Vulnerability 2004-04-14: Microsoft Windows SMTP Service Authorization Bypass Vulnerability 2004-04-14: Microsoft Exchange Server Invalid MIME Header charset = "" DoS Vulnerability MS Exchange Server 2000: ------------------------ 2004-04-14: Microsoft Remote Procedure Call Service DoS Vulnerability 2004-04-14: Microsoft Exchange Server Buffer Overflow Vulnerability MS Exchange Server 2003: ------------------------ 2004-02-02: Microsoft Exchange Server 2003 Outlook Web Access Random Mailbox Access Vulnerability Sendmail? Most of these use words like "possibly" and "maybe". Well "maybe" I'll get laid today, or win the lottery or .... Postfix? http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0468 *SIGH*. Denial of Service attack is not the same thing as Remote Code Execution. AGAIN as I stated above, you are attempting to compare apples and oranges here. This exploit has nothing to do with remote code execution. Qmail? http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0654 WRONG. Please don't post blatant lies to the list, or better research your information. There has never been a single REAL exploit against qmail. To this day DJB is still offering the cash prize to anyone who can defeat his challenge. I find this flagrant disregard for proper research unnerving and exceptionally irritating coming from an apparent NT dolt with a penchant for ignoring important details. 1) Autoresponder has nothing to do with qmail. james(_at_)code3 james $ find ./qmail-1.03 | grep autorespond james(_at_)code3 james $ 2) qmail has never been exploited. There are four listened "exploits" in the CAN database. Two of them are an exercise in poor judgement on the part of Wietse Venema. You can read all about that here: http://cr.yp.to/qmail/venema.html CAN-1999-0144 - NOT an exploit, if the *NIX is exhausted of resources that is a reflection of a system that is/was vulnerable with or without the presence of qmail. CAN-1999-0250 - DUPE of CAN-2002-1414 - QmailAdmin is NOT part of qmail, its 3rd party. CAN-2003-0654 - Autoresponder is NOT part of qmail, its 3rd party. All of these MTAs also have a few DoS vulnerabilites. I'm not sure how you justify your claim. This is incorrect. If you send E-mail to a server where a user does not exist, and it responds to tell you it doesn't exist, this is CORRECT MTA behaviour! If some ass-clown decides to "DoS" someone by sending emails to boxes that don't exist they were likely dropped on their head as a child because there are far superior ways to "DoS" a server. A Windows SMTP server firewalled to allow only port 25 looks at least as secure as the other popular MTAs to me, in the same configuration. Windows is a complete flaming hunk of baby turds wrapped in a pretty package. I can't remember the last time I had such a good laugh. You used the word "Secure" and "Windows" in the SAME SENTENCE! ROFL. Lets see, its the 24th now, and Microsoft has 29 exploits this month. Mmmhmmm so far this year there have been at least 155. Clean out your ears put down the "hack me sign" and do a little research before you open your yap about Qmail or Windows "being secure". But let's not let the facts get in the way of a good fanatical crusade. Well, lets not let the FACTS get in the way. I don't have to go back to 2000, because if I did, I would flood all of you to hell because the list would be so long. So i'll just give you THIS MONTH's BOUNTY'O'MICROSOFT'SPLOITS: 2004-07-20: Multiple Browser URI Obfuscation Weakness 2004-07-20: Microsoft Windows Utility Manager Local Privilege Escalation Variant Vulnerability 2004-07-19: Microsoft Windows Task Scheduler Remote Buffer Overflow Vulnerability 2004-07-17: Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability 2004-07-17: Microsoft Internet Explorer JavaScript Method Assignment Cross-Domain Scripting Vulnerability 2004-07-16: Microsoft Windows Shell CLSID File Extension Misrepresentation Vulnerability 2004-07-16: Microsoft Windows HTML Help Heap Overflow Vulnerability 2004-07-16: Microsoft Outlook Express Malformed Email Header Denial Of Service Vulnerability 2004-07-16: Microsoft Windows POSIX Subsystem Buffer Overflow Local Privilege Escalation Vulnerability 2004-07-16: Microsoft IIS 4 Redirect Remote Buffer Overflow Vulnerability 2004-07-15: Microsoft Windows Local Descriptor Table Local Privilege Escalation Vulnerability 2004-07-14: Microsoft Windows showHelp CHM File Execution Weakness 2004-07-14: Microsoft Systems Management Server Remote Denial Of Service Vulnerability 2004-07-14: Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability 2004-07-14: Microsoft Internet Explorer Shell.Application Object Script Execution Weakness 2004-07-13: Microsoft Internet Explorer URL Local Resource Access Weakness 2004-07-12: Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability 2004-07-12: Microsoft Internet Explorer JavaScript Desktop Spoofing Vulnerability 2004-07-12: Microsoft Windows 2000 Media Player Control Media Preview Script Execution Vulnerability 2004-07-12: Microsoft Internet Explorer JavaScript Null Pointer Exception Denial Of Service Vulnerability 2004-07-12: Microsoft Outlook Express Message Window Script Execution Vulnerability 2004-07-08: Microsoft Word/Outlook Object Tag Security Setting Compromise Vulnerability 2004-07-08: Microsoft Windows Window Message Subsystem Design Error Vulnerability 2004-07-08: Microsoft Internet Explorer Self Executing HTML File Vulnerability 2004-07-07: Microsoft Windows Program Group Converter Filename Local Buffer Overrun Vulnerability 2004-07-07: Microsoft Internet Explorer Non-FQDN URI Address Zone Bypass Vulnerability 2004-07-05: Multiple Vendor Internet Browser User Action Prediction/Interception Weakness 2004-07-03: Microsoft Internet Explorer Cross-Domain Frame Loading Vulnerability 2004-07-02: Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness You hate Microsoft. We know. Post your rants on Slashdot, not here. Can we move on to discussions of SPF now? Hey can I join that club too? Oh yeah, before I forget, don't reply to this post stating that the above stated vulnerabilities are not relative to the discussion because believe me they are. You may or may not get owned through exchange, thats not the point. MS software is holier than god and there are more unauthorized entrances to and through it than the internet has spam. You are probably owned right now just because you decided on a whim to use Internet Explorer to browse the web. Who knows, maybe the hacker who owned you box posted that message on your behalf because he wanted me to flame you? As a reminder to you that are guilty of using an operating system that is a ticking timebomb of exploitable poopie I've attached the 155 listed "Janyary 01 - to date" exploits in your precious. Sure why not. Cheers, James -- James Couzens, Programmer ----------------------------------------------------------------- http://libspf.org -- ANSI C Sender Policy Framework library http://libsrs.org -- ANSI C Sender Rewriting Scheme library ----------------------------------------------------------------- PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855 ------- Sender Policy Framework: http://spf.pobox.com/ Archives at http://archives.listbox.com/spf-discuss/current/ Send us money! http://spf.pobox.com/donations.html To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
155_microsoft_vulnerabilities.txt
signature.asc
|
|