spf-discuss

RE: SPF will solve spam and punish spammers

2004-07-24 04:02:08
Dearest Ryan,

On Fri, 2004-07-23 at 15:14, Ryan Malayter wrote: 

[Michel Bouissou]
Impossible. They don't have any "GOOD SECURE mail server" at 
"A Micro$oft Shop".

Actually Michael, Exchange is probably one of the more secure Microsoft
products.  It certainly appears to suffer from the fewest bugs. 
However, many of the Exchange servers I have seen have been sitting
behind Qmail, Sendmail or Postfix running on OpenBSD or some Linux
variant.  A smart move, probably.  It is my humble opinion that Exchange
is rather bloated and suffers from feature creep like much else out
there.

Exactly how many port 25, remote code execution exploits have been
discovered against Microsoft SMTP/Exchange servers since 1 January
2000?

*SIGH*

Ok first of all, you can't only look in that area my friend.  You must
examine the entire server, that aside do you realize that more than 70%
of the crap you posted were not SMTP exploits?  In fact, all you have
done is make yourself questionable.


Exactly one:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714

*SIGH*

MS Exchange Server:
-------------------

2004-04-14:     Microsoft Remote Procedure Call Service DoS Vulnerability
2004-04-14:     Microsoft Exchange Server Buffer Overflow Vulnerability
2004-04-14:     Microsoft Windows SMTP Service Authorization Bypass Vulnerability
2004-04-14:     Microsoft Exchange Server Invalid MIME Header charset = "" DoS Vulnerability

MS Exchange Server 2000:
------------------------

2004-04-14:     Microsoft Remote Procedure Call Service DoS Vulnerability
2004-04-14:     Microsoft Exchange Server Buffer Overflow Vulnerability

MS Exchange Server 2003:
------------------------

2004-02-02:     Microsoft Exchange Server 2003 Outlook Web Access Random Mailbox Access Vulnerability

Sendmail?

Most of these use words like "possibly" and "maybe".  Well "maybe" I'll
get laid today, or win the lottery or ....

Postfix?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0468

*SIGH*.  Denial of Service attack is not the same thing as Remote Code
Execution.  AGAIN as I stated above, you are attempting to compare
apples and oranges here.  This exploit has nothing to do with remote
code execution.

Qmail?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0654

WRONG.  Please don't post blatant lies to the list, or better research
your information.  There has never been a single REAL exploit against
qmail.  To this day DJB is still offering the cash prize to anyone who
can defeat his challenge.  I find this flagrant disregard for proper
research unnerving and exceptionally irritating coming from an apparent
NT dolt with a penchant for ignoring important details.

1) Autoresponder has nothing to do with qmail. 

james(_at_)code3 james $ find ./qmail-1.03 | grep autorespond
james(_at_)code3 james $
 
2) qmail has never been exploited.  There are four listed "exploits"
   in the CAN database.  Two of them are an exercise in poor judgement
   on the part of Wietse Venema.  You can read all about that here:
   http://cr.yp.to/qmail/venema.html

   CAN-1999-0144 - NOT an exploit, if the *NIX is exhausted of resources
                   that is a reflection of a system that is/was
                   vulnerable with or without the presence of qmail.
   CAN-1999-0250 - DUPE of
   CAN-2002-1414 - QmailAdmin is NOT part of qmail, it's 3rd party.
   CAN-2003-0654 - Autoresponder is NOT part of qmail, it's 3rd party.

All of these MTAs also have a few DoS vulnerabilities. I'm not sure how
you justify your claim.

This is incorrect.  If you send E-mail to a server where a user does not
exist, and it responds to tell you it doesn't exist, this is CORRECT MTA
behaviour!  If some ass-clown decides to "DoS" someone by sending emails
to boxes that don't exist they were likely dropped on their head as a
child because there are far superior ways to "DoS" a server.

A Windows SMTP server firewalled to allow only
port 25 looks at least as secure as the other popular MTAs to me, in
the same configuration.

Windows is a complete flaming hunk of baby turds wrapped in a pretty
package.  I can't remember the last time I had such a good laugh.  You
used the word "Secure" and "Windows" in the SAME SENTENCE!  ROFL.

Let's see, it's the 24th now, and Microsoft has 29 exploits this month. 
Mmmhmmm so far this year there have been at least 155.  Clean out your
ears put down the "hack me sign" and do a little research before you
open your yap about Qmail or Windows "being secure".

But let's not let the facts get in the way of a good fanatical
crusade. 

Well, let's not let the FACTS get in the way.  I don't have to go back to
2000, because if I did, I would flood all of you to hell because the
list would be so long.  So I'll just give you THIS MONTH's
BOUNTY'O'MICROSOFT'SPLOITS:

2004-07-20:     Multiple Browser URI Obfuscation Weakness
2004-07-20:     Microsoft Windows Utility Manager Local Privilege Escalation Variant Vulnerability
2004-07-19:     Microsoft Windows Task Scheduler Remote Buffer Overflow Vulnerability
2004-07-17:     Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
2004-07-17:     Microsoft Internet Explorer JavaScript Method Assignment Cross-Domain Scripting Vulnerability
2004-07-16:     Microsoft Windows Shell CLSID File Extension Misrepresentation Vulnerability
2004-07-16:     Microsoft Windows HTML Help Heap Overflow Vulnerability
2004-07-16:     Microsoft Outlook Express Malformed Email Header Denial Of Service Vulnerability
2004-07-16:     Microsoft Windows POSIX Subsystem Buffer Overflow Local Privilege Escalation Vulnerability
2004-07-16:     Microsoft IIS 4 Redirect Remote Buffer Overflow Vulnerability
2004-07-15:     Microsoft Windows Local Descriptor Table Local Privilege Escalation Vulnerability
2004-07-14:     Microsoft Windows showHelp CHM File Execution Weakness
2004-07-14:     Microsoft Systems Management Server Remote Denial Of Service Vulnerability
2004-07-14:     Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability
2004-07-14:     Microsoft Internet Explorer Shell.Application Object Script Execution Weakness
2004-07-13:     Microsoft Internet Explorer URL Local Resource Access Weakness
2004-07-12:     Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability
2004-07-12:     Microsoft Internet Explorer JavaScript Desktop Spoofing Vulnerability
2004-07-12:     Microsoft Windows 2000 Media Player Control Media Preview Script Execution Vulnerability
2004-07-12:     Microsoft Internet Explorer JavaScript Null Pointer Exception Denial Of Service Vulnerability
2004-07-12:     Microsoft Outlook Express Message Window Script Execution Vulnerability
2004-07-08:     Microsoft Word/Outlook Object Tag Security Setting Compromise Vulnerability
2004-07-08:     Microsoft Windows Window Message Subsystem Design Error Vulnerability
2004-07-08:     Microsoft Internet Explorer Self Executing HTML File Vulnerability
2004-07-07:     Microsoft Windows Program Group Converter Filename Local Buffer Overrun Vulnerability
2004-07-07:     Microsoft Internet Explorer Non-FQDN URI Address Zone Bypass Vulnerability
2004-07-05:     Multiple Vendor Internet Browser User Action Prediction/Interception Weakness
2004-07-03:     Microsoft Internet Explorer Cross-Domain Frame Loading Vulnerability
2004-07-02:     Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness

 You hate Microsoft. We know. Post your rants on Slashdot, not here.
Can we move on to discussions of SPF now?

Hey can I join that club too?  Oh yeah, before I forget, don't reply to
this post stating that the above stated vulnerabilities are not relative
to the discussion because believe me they are.  You may or may not get
owned through Exchange, that's not the point.  

MS software is holier than god and there are more unauthorized entrances
to and through it than the internet has spam.  You are probably owned
right now just because you decided on a whim to use Internet Explorer to
browse the web.  Who knows, maybe the hacker who owned your box posted
that message on your behalf because he wanted me to flame you?  

As a reminder to you that are guilty of using an operating system that
is a ticking timebomb of exploitable poopie I've attached the 155 listed
"January 01 - to date" exploits in your precious.

Sure why not.

Cheers,

James

-- 
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/

Attachment: 155_microsoft_vulnerabilities.txt
Description: Text document
