- From: <ned.freed@innosoft.com>
- Date: Sat, 19 Feb 2000 01:21:14 -0800 (PST)
- To: Graham Klyne <GK@dial.pipex.com>
- Cc: discuss@apps.ietf.org

> I've noted a couple of mail-related postings in the ACM risks forum.
> This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.79.html>

> (1) In "Risks of bouncing messages from closed e-mail lists", a suggestion
> that closed mailing list bounces can be used to create a mail loop (I don't
> think this works, but I may be missing something).

You're right, it is nonsense. The idea is to get two lists bouncing mail back to each other. But this only works if the lists put their address in the envelope from of the bounce message. Not only would this be a standards violation, it would be a terribly dumb thing to do.

The risk of using bounces off lists to relay is also considerably overstated. Not only is return of content suppressed a lot more often than this would indicate, getting the "message" as the content of a nondelivery notification is in practice not going to be a very effective means of communicating.

> (2) In "More risks with MS Outlook", a possible issue with
> multipart/alternative -- something to note in a future "security
> considerations" section?

This is a known issue; the following text is currently in the multipart/alternative description in the MIME specification:

   Multipart/alternative provides no mechanism that assures that the parts it contains provide equivalent information. This gives rise to a security consideration: A message sender, knowing that one recipient will display one part of a multipart/alternative and another will display a different part, could put different information in the two parts, fooling the two recipients into thinking they received the same information when in fact they did not.

Ned

Received on Saturday, 19 February 2000 04:32:32 UTC
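
The multipart/alternative consideration quoted in the message above can be checked for on the receiving side. The following is an added example, not part of the original message or of any MIME implementation: it compares the visible words of the text/plain and text/html alternatives and reports what appears in only one of them. The function names, the word-set heuristic and the sample messages are assumptions made for this illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collects text a renderer would show, skipping <script>/<style>."""
    def __init__(self):
        super().__init__()
        self.chunks, self.hidden = [], 0
    def handle_starttag(self, tag, attrs):
        self.hidden += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.chunks.append(data)

def words(text):
    # Case-insensitive word set: a coarse heuristic chosen for this example.
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def alternative_mismatches(raw):
    """For each multipart/alternative whose text/plain and text/html parts
    differ, return (words only in plain, words only in html)."""
    found = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() != "multipart/alternative":
            continue
        views = {}
        for sub in part.iter_parts():
            if sub.get_content_type() == "text/plain":
                views["plain"] = words(sub.get_content())
            elif sub.get_content_type() == "text/html":
                parser = VisibleText()
                parser.feed(sub.get_content())
                parser.close()
                views["html"] = words(" ".join(parser.chunks))
        if len(views) == 2 and views["plain"] != views["html"]:
            found.append((sorted(views["plain"] - views["html"]),
                          sorted(views["html"] - views["plain"])))
    return found

def build_sample(plain, html):
    """Constructed test message with a plain and an HTML alternative."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()
```

A word split across HTML tags or hidden with styling will not compare cleanly, so a mismatch is a prompt for manual review rather than a verdict.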