On 11/24/2006, "Don Gould" <[EMAIL PROTECTED]> wrote:
> > >Nick Rout wrote: >> Next most likely: someone else has his password and access to the >> pop/imap/excahnge server where the mail is stored. > >> Whatever else please bear in mind that mail at the smtp delivery stage is >> sent over the wire in plain text, so if you were able to sniff the >> packets passing through port 25 at national.org.nz you would get all >> their email. > >Yes. I was giving some thought to this exact issue. I wonder how many >of these people who do communicate sensitive information actually >realise just how insecure smtp and pop are? I don't really know how hard or easy sniffing is. pop can be as secure as you like, it is common to wrap it in ssl, ditto imap. But in the absence of any real details on how their email system is structured its hard to make really informed comment. > >> But also bear in mind that just because they are using a >> microsoft smtp server that is not an indication of how the mail is >> stored or served to end users. > >Also 100% agree. This is not a ms-nix debate, it's a topic about smtp >issues. I personally have used both extensively and know that both have >issues. sorry i didn't mean to make the brand an issue, take the word "miscrosoft" out of my sentence and it expresses what I mean. The fact is that getting access to the "permanent" storage (pop/imap/exchange/the client computer) will provide an easier perusal and theft of the things you want at a leisurely pace, rather than having to sniff a wire. > >If you have access to the mail server machine it self then mail security >is limited. > >I was more wondering how possible it is to hack in to the mail store on >the server from out side and pick up held mail. > depends on the server, and the security surrounding it. We all know computers have vulnerabilities, and that once you exploit one to the point of obtaining "root" you can read pretty much anything. >Sure, once the mail is cleared from the POP server then it's going >(other than what's sitting in logs) but what about the security of mail >while it's sitting in the POP store? who said they use pop? >> As I said, my money is on an inside job. Which still deserves a jail >> sentence. > >Yes. > >However I have a padlock on my letter box if I know I'm going to be >getting cheques in the mail. > >I wonder if more needs to be done to educate people about the reality >that is email? > The only guy not prosecuted over Enron didn't use email (or so the urban legend has it) >> Last thing: if you want to find what server handles mail addressed to >> national.org.nz, you need to find the DNS MX record. What that shows in >> this case is that their mail is handles by mail.national.org.nz, which >> in turn has a different IP address from the one you tried (although >> co-incidentally the software behind it is the same). > >I used www.domainwhitepages.com I think it does actually service trace >the correct IP (thou I didn't copy and paste the right info). > >Thanks for your thoughts Nick, very much the same as my own. Thinking about it more, if I was the leader of a political party and a user of email, i would want: 1. security (obviously) 2. access from any computer in the world, but without leaving a trace (because I travel a lot) 3. Lots of folders "inbox, bretheren, US NeoCons, Trash, Reporters, Constituents" An imap based webmail over ssh would be the choice. No clent caches lying around on hard drives. All handled locally on the server, including smtp for outgoing.
