mailing list archives
Re: Privacy leak in VeriSign's SiteFinder service #2
From: Niels Bakker <niels=bugtraq () bakker net>
Date: Thu, 25 Sep 2003 17:21:51 +0200
* Henning.Rust () stud uni-hannover de (Henning Rust) [Thu 25 Sep 2003, 17:13 CEST]:
Up to now, e-mails addressed to misspelled mail domains will not be
sent to Verisign's Fake-SMTP-service as MX records are used for
mail-domain resolving. Verisign did not set up wildcard MX records.
Wrong. Mail transfer agents fall back to A records if no MX records
exist for a given entry. That's why Snubby was running in the first
place - to keep mail from accumulating in everybody's queues for a week
where at first it would've been discarded immediately.
However, if you configure your E-Mail-Program or local Mail-Transfer-
Agent and misspell the hostname of the SMTP-Server for outgoing mail,
all outgoing mail will be sent to their Fake-SMTP service.
And rejected with an incorrect error message leading - again - to faulty
diagnostics. The Internet Architecture Board has written a good
document about the operational impact of Verisign's move:
What if Versign is planning to add wildcard MX records as well, so that
any mail addressed to mistyped/non-existant mail domains like
"foobar () sdfsgggdfasfasdf com" will be sent to their fake SMTP service?
As said, that won't change much. Someone proposed Verisign added "* IN
MX 0 ." as an additional wildcard but testing has shown that MTAs keep
mail spooled instead, so this won't work either.
Expect the worst!
How much worse can it get? On second thoughts, don't give Verisign any
"The time of getting fame for your name on its own is over. Artwork that
is only about wanting to be famous will never make you famous. Any fame
is a bi-product of making something that means something. You don't go to
a restaurant and order a meal because you want to have a shit." -- Banksy