Re: Privacy leak in VeriSign's SiteFinder service #2
* Henning.Rust@xxxxxxxxxxxxxxxxxxxx (Henning Rust) [Thu 25 Sep 2003, 17:13
CEST]:
> Up to now, e-mails addressed to misspelled mail domains will not be
> sent to Verisign's Fake-SMTP-service as MX records are used for
> mail-domain resolving. Verisign did not set up wildcard MX records.
Wrong. Mail transfer agents fall back to A records if no MX records
exist for a given entry. That's why Snubby was running in the first
place - to keep mail from accumulating in everybody's queues for a week
where at first it would've been discarded immediately.
> However, if you configure your E-Mail-Program or local Mail-Transfer-
> Agent and misspell the hostname of the SMTP-Server for outgoing mail,
> all outgoing mail will be sent to their Fake-SMTP service.
And rejected with an incorrect error message leading - again - to faulty
diagnostics. The Internet Architecture Board has written a good
document about the operational impact of Verisign's move:
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
> What if Versign is planning to add wildcard MX records as well, so that
> any mail addressed to mistyped/non-existant mail domains like
> "foobar@xxxxxxxxxxxxxxxxxxxx" will be sent to their fake SMTP service?
As said, that won't change much. Someone proposed Verisign added "* IN
MX 0 ." as an additional wildcard but testing has shown that MTAs keep
mail spooled instead, so this won't work either.
> Expect the worst!
How much worse can it get? On second thoughts, don't give Verisign any
ideas...
-- Niels.
--
"The time of getting fame for your name on its own is over. Artwork that
is only about wanting to be famous will never make you famous. Any fame
is a bi-product of making something that means something. You don't go to
a restaurant and order a meal because you want to have a shit." -- Banksy