[pmmail-list] PMMail and network security issue.

Rich pmmail-list@blueprintsoftwareworks.com
Mon, 23 Apr 2001 00:04:24 -0400 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll bring this up here just in case I'm just being horribly over paranoid, or maybe am just missing something?

Quite a while ago I reported what I thought was a security problem to BluePrint after they announced they were actually 
working on PMMail. The problem is the implementation of the "helo" command when mail is sent out. PMMail sent out the 
actual network computer name in the header. Of course the IP address is also available in the header. This gives anyone 
interested two thirds of the information needed to hack into your computer, missing only the password.

My impression from BluePrint at that time was that it would be changed. Well, after installing the 2.20.2300 beta3 program 
and sending myself a mail, I see they did changed it. It now not only sends the actual network computer name but also 
the network workgroup name! This is not a change for the better! To my knowledge it is specified nowhere in the RFC's 
that the network computer and workgroup names have to be sent along with an e-mail? Also to my knowledge, no other 
e-mail program does this. As a matter of fact, I can control what Netscape sends out with the helo command in the 
settings page, as it should be! Other programs use the return email address or just the user's name. That's fine too.

But why give people everything they need to hack into our computers with every email we send? Paranoia aside, there's 
probably no one in the world who would bother trying to get into my computers, and they would almost certainly be 
disappointed by what they might find here, but that's not the point...

So there's my comment and complaint. And if anyone knows how to get around this without hacking into the PMMail 
binary to change the helo command, I'd like to hear about it! I tried everything I could think of last time on my OS/2 
machine with no luck. I'll check more into the win machines to see what can be done there... Until then, I'll be looking for 
another email program that doesn't compromise the security of my network...

Rich...


******************************************************************************
Practice Random Acts of Kindness and Senseless...Umm...Uhh....
  Oh - Heck...I never could remember all that "nice" stuff.
- -----------------------------{rich@bearlycomputing.com}------------------------------
******************************************************************************


-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies.

iQA/AwUBOuOpyAcTxhO5AgodEQIYIwCcC4tS9xth0a5OpF5CAKghDsyfQiwAn1JK
yewMOAmmhwhGbx1AmVPVdFVE
=vAXX
-----END PGP SIGNATURE-----

- pmmail-list - The PMMail Dicussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com