Re: Mail-related comments in ACM risks

> I've noted a couple of mail-related postings in the ACM risks forum.

> This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.79.html>

> (1) In "Risks of bouncing messages from closed e-mail lists", a suggestion
> that closed mailing list bounces can be used to create a mail loop (I don't
> think this works, but I may be missing something).

You're right, it is nonsense. The idea is to get two lists bouncing mail back
to each other. But this only works if the lists put their address in the
envelope from of the bounce message. Not only would this be a standards
violation, it would be a terribly dumb thing to do.

The risk of using bounces off lists to relay is also considerably overstated.
Not only is return of content suppressed a lot more often than this would
indicate, getting the "message" as the content of a nondelivery notification
is in practice not going to be a very effective means of communicating.

> (2) In "More risks with MS Outlook", a possible issue with
> multipart/alternative -- something to note in a future "security
> considerations" section?

This is a known issue; the following text is currently in the
multipart/alternative description in the MIME specification:

 Multipart/alternative provides no mechanism that assures that the parts it
 contains provide equivalent information. This gives rise to a security
 consideration:  A message sender, knowing that one recipient will display one
 part of a multipart/alternative and another will display a different part,
 could put different information in the two parts, fooling the two recipients
 into thinking they received the same information when in fact they did not.

				Ned

Received on Saturday, 19 February 2000 04:32:32 UTC
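
The multipart/alternative consideration quoted from the MIME specification above, as an added example that is not part of the original message: a Python check that a mail gateway or analyst could run to list where the text/plain and text/html alternatives of one message disagree. The names `alternative_mismatches` and `sample`, and the sample wording, are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class _Visible(HTMLParser):
    """Collect the text a renderer would show, skipping script/style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("script", "style")
    def handle_endtag(self, tag):
        self.skip -= tag in ("script", "style") and self.skip > 0
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def _words(part):
    body = part.get_content()            # decoded str for text/* parts
    if part.get_content_type() == "text/html":
        parser = _Visible()
        parser.feed(body)
        parser.close()                   # flush text buffered at end of input
        body = " ".join(parser.chunks)
    return re.findall(r"\w+", body.lower())

def alternative_mismatches(raw):
    """Added example helper: differing word spans between text alternatives."""
    found = []
    for node in message_from_string(raw, policy=policy.default).walk():
        if node.get_content_type() == "multipart/alternative":
            texts = [p for p in node.iter_parts() if p.get_content_maintype() == "text"]
            for i, a in enumerate(texts):
                for b in texts[i + 1:]:
                    wa, wb = _words(a), _words(b)
                    ops = SequenceMatcher(None, wa, wb, autojunk=False).get_opcodes()
                    found += [(a.get_content_type(), b.get_content_type(),
                               " ".join(wa[i1:i2]), " ".join(wb[j1:j2]))
                              for op, i1, i2, j1, j2 in ops if op != "equal"]
    return found

def sample(plain, html):
    """Constructed test message (wording is made up for this example)."""
    msg = EmailMessage()
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()
```

Only text parts that are direct children of the multipart/alternative are compared, and legitimate HTML parts often carry extra words, so a non-empty result is a prompt for review and not a verdict.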