Re: heads up ... another imapd attack source
At 04:54 AM 12/15/98 , Dave Crocker wrote:
At 05:17 PM 12/14/98 -0800, Roeland M.J. Meyer wrote:
FYI: Not that I sell shell accounts anyway, but I additionally block all non-http access, from *.EDU, with tcp_wrappers and my POP3 is wrapped up in SSH. IMAPD was shot and buried (deleted) a long time ago.
This means that any user who is traveling, and happens to try to get their mail while accessing from a .edu site, won't be able to pick it up.
Only if they are accessing mail on MHSC systems, from an *.EDU dial-up. There are other dial-up options and MHSC has direct dial-up ports available. Also, we do allow VPN tunnels from *.EDU, but only to directed hosts with no routing and on advance arrangement. The user that does so does it under our TOS and AUP.
Since imap popularity is growing, lack of imap service is also problematic.
It's a balance of problems. We consider the rootkit risk more severe than the loss of business from *.EDU sites. We have secure POP3 and Web-based (SSL) mail, and we are investigating POP3 over SSL. Those services are allowed to *.EDU, from MHSC.

As has been shown by others, IMAPD attacks are on the rise. It would not do for a security advocate to get rootkit'd; just think of the publicity <grin>. It's one of the things that keep me up at night. Many of the vulnerable systems are in *.EDU, as has already been shown to my satisfaction. Granted, MHSC has always viewed *.EDU as a huge potential security risk. That is an unapologetic bias on our part. It is the nature of the beast. When the reference code for IMAPD becomes better written, or we (MHSC) re-write it ourselves, we will reinstantiate the IMAPD service. Until then, it remains dead.

A current example is a spammer that I've been tracing for weeks. They always come from a different host, but it's obviously the same guys; they are very good. Many of the relays they use have been root'd. The latest one I've found is at sun.soci.niu.edu. Do a SAINT run against it yourself and see how vulnerable they are. If they aren't root'd now, they soon will be, IMHO. I am quickly gaining the unsupported suspicion that spammers may be behind many of the IMAPD attacks. They are looking for hosts to send their spew from. Note that this *is* an unsupported view/suspicion; I claim no solid evidence.

_________________________________________________
Morgan Hill Software Company, Inc.
Roeland M.J. Meyer, ISOC (RM993)
President and CEO.
e-mail: mailto:rmeyer@mhsc.com
Web-pages: http://www.mhsc.com/~rmeyer
Web-site: http://www.mhsc.com
Colorado Springs, CO - Livermore, CA - Morgan Hill, CA
-----------------------------------------(legal notice)--------
Note: Statements made in this message do not necessarily reflect the position of MHSC.
All forecasts and projections are to be considered as forward-looking and presume conditions which may not be referenced herein.
-----------------------------------------(/legal notice)-------
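As an added illustration of the tcp_wrappers policy Roeland describes (all non-http access from *.EDU refused, POP3 reachable only through SSH, no imapd listening at all), here is a small, simplified model of how tcpd evaluates hosts.allow and hosts.deny against such rules. This is example code written for this archive page, not MHSC's configuration and not libwrap itself; the rule sets, daemon names and hostnames are constructed for illustration.

```python
# Simplified model of tcp_wrappers hosts.allow / hosts.deny evaluation, written
# to illustrate "block all non-http access from *.EDU" with no imapd installed.
# It is NOT libwrap: it models only "daemon_list : client_list" rules, the ALL
# wildcard, leading-dot domain suffixes and EXCEPT. As in tcpd, hosts.allow is
# checked first (first match grants), then hosts.deny (first match refuses);
# if neither file matches, access is granted.

# Constructed rule sets (assumed for illustration, not MHSC's real files).
HOSTS_ALLOW = [
    ("httpd", "ALL"),   # web mail reachable from anywhere, .edu included
    ("sshd", "ALL"),    # POP3 is tunnelled over SSH, so sshd stays reachable
]
HOSTS_DENY = [
    ("ALL", ".edu"),    # every other wrapped service is refused from *.edu
]

# Services actually wrapped on the host; imapd is deliberately absent.
WRAPPED_DAEMONS = {"httpd", "sshd", "in.pop3d", "in.ftpd"}

def _host_matches(pattern, host):
    """ALL matches anything; '.edu' matches any host in that domain."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern

def _client_list_matches(client_list, host):
    """'a, b EXCEPT c': matched by the left side and not by the right side."""
    left, _, right = client_list.partition(" EXCEPT ")
    if right and any(_host_matches(p, host) for p in right.split(",")):
        return False
    return any(_host_matches(p, host) for p in left.split(","))

def _daemon_matches(daemon_list, daemon):
    return any(d.strip() in ("ALL", daemon) for d in daemon_list.split(","))

def tcpd_decision(daemon, client):
    """Return 'granted', 'refused' or 'no such service' for one connection."""
    if daemon not in WRAPPED_DAEMONS:
        return "no such service"   # nothing listens, so nothing to attack
    for daemons, clients in HOSTS_ALLOW:
        if _daemon_matches(daemons, daemon) and _client_list_matches(clients, client):
            return "granted"
    for daemons, clients in HOSTS_DENY:
        if _daemon_matches(daemons, daemon) and _client_list_matches(clients, client):
            return "refused"
    return "granted"
```

The traveling-customer case Dave raises shows up directly: a plain POP3 connection from a .edu dial-up is refused, while the same customer over SSH or the web interface is still served.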
At 11:09 AM 12/15/98 -0800, Roeland M.J. Meyer wrote:
This means that any user who is traveling, and happens to try to get their mail while accessing from a .edu site, won't be able to pick it up.
Only if they are accessing mail on MHSC systems, from an *.EDU dial-up.
That's right. Only an MHSC customer.
There are other dial-up options and MHSC has direct dial-up ports available. Also, we do allow VPN tunnels from *.EDU, but only to directed hosts with no routing and on advance arrangement. The user that does so does it under our TOS and AUP.
If they know enough detail "ahead of time". Hence they are prevented from the benefit of opportunistic access.
Since imap popularity is growing, lack of imap service is also problematic.
It's a balance of problems. We consider the rootkit risk more severe than the loss of business from *.EDU sites. We have secure POP3 and Web-based (SSL)
It isn't a question of loss of business from a .edu site. It is a question of loss of business from an MHSC customer who is traveling.

d/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dave Crocker                                   Tel: +60 (19) 3299 445
<mailto:dcrocker@brandenburg.com>
Post Office Box 296, U.P.M. Serdang, Selangor 43400 MALAYSIA
Brandenburg Consulting                         <http://www.brandenburg.com>
Tel: +1 (408) 246 8253    Fax: +1 (408) 273 6464
675 Spruce Dr., Sunnyvale, CA 94086 USA