begone, troll. 

Patrick Bihan-Faou writes: 

>> On Thu, Jan 25, 2001 at 12:40:47PM -0500, Patrick Bihan-Faou wrote:
>> > Well I guess that this one is definitely eligible for the "qmail security
>> > challenge".
>> > http://web.infoave.net/~dsill/qmail-challenge.html
>> > If you don't count that as a bug in qmail, then I don't know what is a
>> > bug... 
>>
>> You quote it, but have you also read the document?
>> Especially the "Rules" section, part 1. (and also 8.1) 
>>
>  
> 
> Well failure to recognize that 0.0.0.0 is yourself is not quite a DNS related
> exploit. It is a bug. 
> 
> 
> <sarcasm> 
> 
> I like these rules that say "yeah we are setting up a challenge, but there
> is no way that you could ever win it"... 
> 
> If you ask me, qmail is far from bug free... The first security issue with
> this product is itself: the code is completely obfuscated (I know I know,
> style is a matter of taste), there are 0 lines of comments in the code (hey
> isn't the fact that qmail code is "small" one of its selling points? remove
> comments and you reduced the code size...) 
> 
> Read Bruce Schneier's comment on these types of contests in his latest
> book... 
> 
> </sarcasm> 
> 
> 
> This 0.0.0.0 problem can easily be deflected by saying "some stupid people
> mis-configure DNS to cause you problems (clause 8)", but the facts are:
> - other MTAs handle this properly (not qmail)
> - this sort of "attack" is in use and causing problems with sites that
> selected qmail as their MTA 
> 
> So saying "it does not fit our challenge because you need to use DNS to
> perform the attack" is like saying "well qmail is perfectly safe if you
> don't use it in the real world"... Good PR move guys, and a cheap one too! 
> 
> Well my answer to this is "don't use qmail" 
> 
>  
> 
> Patrick. 
> 
 



 ---------------------------------
Paul Theodoropoulos
[EMAIL PROTECTED]
Senior Unix Systems Administrator
Syntactically Subversive Services, Inc.
http://www.anastrophe.net
Downtime Is Not An Option 
