Hi,
I noticed this discussion with some interest, as I was wondering too
about the Apache issues. Are all Debian Apache versions built off the
same tree? Ie: If I'm running Apache-SSL instead of Apache, does that
mean all the same "not vulnerable" applies? And, is there anywhere
stated why Debi
no name supplied wrote:
| On May 27, 2004, at 2:15 PM, Kevin B. McCarty wrote:
|
|> On 5/27/2004, Luk Claes wrote:
|>
|>> You should check the website www.d-o/security/nonvulns-woody
|>> At least 4 of the 5 you mention are listed there...
|>
|> Luk --
Quoting Bernd Eckenfels ([EMAIL PROTECTED]):
> If you relay mail from your customers, you have to deliver them their
> bounces if they spam.
Well, that's the trick, isn't it? If they're sending spam (either
deliberately or -- much more likely of late -- because customer hosts have
been zombifi
Quoting Phillip Hofmeister ([EMAIL PROTECTED]):
> While I am sure finding out whose is bigger is exciting to you. I
> feel comfortable in speaking for the rest of the list when I say this
> thread has become WAY OT.
I'm surprised that an allegation that SPF -- highly relevant to SMTP
security
On Fri, Jun 04, 2004 at 11:50:09AM -0700, Rick Moen wrote:
I'm surprised that an allegation that SPF -- highly relevant to SMTP
security -- is "vapourware", not to mention refutations of that
assertion, are off-topic. Nonetheless, I apologise for reacting with
irritation to Michael's claim to th
> That doesn't matter, unless a large enough fraction of people at both
> ends of smtp conversations actually use the stuff. An implementation
> that is not deployed is no more useful than a standard which isn't
> implemented.
Fair enough, but it's up to people like us to push it, surely?
J.
--
In article <[EMAIL PROTECTED]> you wrote:
> It's possible you're taking that fact into account: I'd be curious to
> hear how you (or others) are ensuring that such bounces go somewhere
> appropriate.
Well, first of all, I accept mail for outgoing relay only from verified
sources, this includes SM
In article <[EMAIL PROTECTED]> you wrote:
> Why is SPF important? Because it eliminates joe-jobs. That is, it
> allows mail admins to absolutely validate the envelope return path --
> significant because spammers have recently gotten around to forging
> sender envelope information, allowing forge
Quoting Michael Stone ([EMAIL PROTECTED]):
> Well, it is vaporware. Until it's used by a noticeable percentage of
> hosts, it's irrelevant.
(1) Where I come from, the term "vapourware" means software touted far
in advance of its availability. As noted, such is most emphatically not
the case, here
On Fri, Jun 04, 2004 at 11:38:02PM +0100, Azazel wrote:
Fair enough, but it's up to people like us to push it, surely?
There's a line between advocacy and zealotry. At this point I'm not
convinced that it's worth the effort. It's fine for a home user to
implement it quickly but it's not so easy
On Fri, Jun 04, 2004 at 03:47:55PM -0700, Rick Moen wrote:
The utility of SPF lies in its ability to eliminate joe-jobbing,
providing a means to validate MXes -- and, as I'm reasonably sure you'll
have observed, forged mail's envelopes strongly tend to forge the
domains of major (very large) mail
Quoting Michael Stone ([EMAIL PROTECTED]):
> yeah, aol's pleased as punch about it. they also don't have much
> interest in customers sending email with @aol from off their own system
> unless they use an obnoxious webmail client. same goes for hotmail.
> anyone with users who isn't aol and whose
Quoting Michael Stone ([EMAIL PROTECTED]):
> There's a line between advocacy and zealotry.
Still stuck in name-calling mode? Pity.
> It's fine for a home user to implement it quickly but it's not so easy
> for a lot of large organizations that currently allow people to send
> mail from offsite
> On Fri, Jun 04, 2004 at 11:38:02PM +0100, Azazel wrote:
> >Fair enough, but it's up to people like us to push it, surely?
>
> There's a line between advocacy and zealotry. At this point I'm not
> convinced that it's worth the effort. It's fine for a home user to
> implement it quickly but it's n
On Fri, Jun 04, 2004 at 04:00:32PM -0700, Rick Moen wrote:
Not that I'm objecting, but I can't help noticing that you're ignoring
the point I just made, and changing the subject.
No, I'm not. I'm pointing out that the world is more complicated than
you seem to think.
Mike Stone
On Fri, Jun 04, 2004 at 04:09:32PM -0700, Rick Moen wrote:
Quoting Michael Stone ([EMAIL PROTECTED]):
There's a line between advocacy and zealotry.
Still stuck in name-calling mode? Pity.
What name calling? There's a difference.
It's fine for a home user to implement it quickly but it's
On Sat, Jun 05, 2004 at 12:23:14AM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > It's possible you're taking that fact into account: I'd be curious to
> > hear how you (or others) are ensuring that such bounces go somewhere
> > appropriate.
>
> Well, first of all,
Quoting Michael Stone ([EMAIL PROTECTED]):
> What name calling? There's a difference.
Cute.
Ah, well.
> You're assuming unrestricted outbound connections. Might even be true in
> your environment.
It's true that there will be interim problems with corporate firewalls
(etc.) closing off outb
Quoting Michael Stone ([EMAIL PROTECTED]):
> No, I'm not.
You _weren't_ ignoring the point I just made and changing the subject?
Then, some villain apparently snuck into your MTA and substituted
different text that did, for the original message you tried to send.
You should sue! ;->
> I'm poin
On Wed, Jun 02, 2004 at 12:19:35AM -0700, Matt Zimmerman wrote:
> On Wed, May 26, 2004 at 07:33:12PM +0200, jorge salamero wrote:
>
> > yes but ...
> >
> > /usr/sbin/dpkg-reconfigure: cacti is not fully installed
>
> man dpkg-reconfigure
Or else just manually edit the debian registry ;-)
On Fri, Jun 04, 2004 at 05:26:07PM -0700, Rick Moen wrote:
You mean like having extra meanings of the term "vaporware", ones that
you alone are aware of? OK.
You're talking about SPF. That's a concept, not an implementation.
Effective use of SPF requires widespread adoption. Until/unless
wides
On Thu, Jun 03, 2004 at 02:42:59AM +0200, Florian Weimer wrote:
> Has [EMAIL PROTECTED] been directed away from debian-private? It's
> probably a good move. In the past, the old setup resulted in some
> confusion because submitters usually do not expect that security@ is read
> by all people in