Re: email authentication
From: T. Sean Weintz (strap_at_hanh-ct.org)
Date: 10/26/04
- Previous message: Security Alert: "SSRT3526 rev.0 Serviceguard potential increase in privilege"
- In reply to: willy gates: "email authentication"
- Next in thread: Srfig: "Re: email authentication"
- Reply: Srfig: "Re: email authentication"
Date: Tue, 26 Oct 2004 10:44:18 -0400
willy gates wrote:
> Hello
>
> BT have asked us to enable SMTP email authentication, good idea I
> thought...
>
> But then I began to think...
>
> I am logging into BT SMTP or POP3 server and sending them a login and
> a password. I have not got a secure connection SSL, nor is secure
> authentication supported. Therefore I assume that I am sending a
> plaintext username and password each time I log into the BT server to
> send/receive my email.
>
> Is this correct?
Yes. The password for both SMTP and POP3 goes over the wire in plaintext.
Given that you likely already log in for POP3 anyway, doing the same
thing for SMTP would not be a much bigger security hole.
>
> That means if I get a virus that wants to set up a spam zombie on my
> machine sending spam to my BT server then BT have prevented them from
> sending unauthenticated spam however it wouldn't take much to read my
> unauthenticated password
No, but so far no-one has thought of this. See why below-
> and start using my BT login to send spam. Or
> do the spam zombies created by these viruses send their email using
> other servers?
The spam zombies generally have their own server built in, esp. the
self-replicating ones. The spew goes straight from the user's machine to the
target's SMTP server, bypassing the local ISP server.
That is why many consumer-oriented ISPs are blocking port 25 to
anything other than their own mail servers.
T. Sean Weintz
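
The exposure discussed in this thread can be checked from a mail client's SMTP command log. The following is an added example, not part of the original messages: it flags `AUTH PLAIN` and `AUTH LOGIN` exchanges sent before `STARTTLS`, where the credentials are only base64-encoded, not encrypted. The function names and the sample sessions are constructed for illustration.

```python
import base64

NEED = {"PLAIN": 1, "LOGIN": 2}  # base64 blobs each mechanism sends

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed client-side command logs (not real captures or credentials).
SAMPLE_PLAIN = ["EHLO client.example",
                "AUTH PLAIN " + b64("\0user@example.com\0not-a-real-password"),
                "MAIL FROM:<user@example.com>"]
SAMPLE_LOGIN = ["EHLO client.example", "AUTH LOGIN",
                b64("user@example.com"), b64("not-a-real-password"), "QUIT"]
SAMPLE_TLS = ["EHLO client.example", "STARTTLS"] + SAMPLE_PLAIN

def summarise(p):
    """Decode the blobs of one AUTH exchange; report the secret's length only."""
    dec = [base64.b64decode(b).decode("utf-8", "replace") for b in p["blobs"]]
    if p["mech"] == "PLAIN":            # authzid NUL authcid NUL password
        _, user, secret = (dec[0].split("\0") + ["", "", ""])[:3]
    else:                               # LOGIN: username, then password
        user, secret = dec
    return {"line": p["line"], "mech": p["mech"],
            "user": user, "secret_len": len(secret)}

def audit_smtp_auth(client_lines):
    """Return one finding per AUTH exchange that was sent before STARTTLS."""
    findings, tls, pending = [], False, None
    for n, raw in enumerate(client_lines, 1):
        line = raw.strip()
        words = line.split()
        if pending:                     # continuation line of an AUTH exchange
            pending["blobs"].append(line)
        elif words and words[0].upper() == "STARTTLS":
            tls = True
        elif (len(words) >= 2 and words[0].upper() == "AUTH"
              and words[1].upper() in NEED):
            pending = {"line": n, "mech": words[1].upper(),
                       "tls": tls, "blobs": words[2:3]}
        if pending and len(pending["blobs"]) == NEED[pending["mech"]]:
            if not pending["tls"]:      # credentials crossed the wire unencrypted
                findings.append(summarise(pending))
            pending = None
    return findings

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_LOGIN", "SAMPLE_TLS"):
        print(name, audit_smtp_auth(globals()[name]))
```

An empty result for a session means every `AUTH` in that log followed `STARTTLS`; it says nothing about POP3, which needs its own check.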