AW: [IRCServices Coding] A few things...
Panagiotis Kefalidis
pkef at hnioxos.ee.auth.gr
Fri Sep 20 04:50:54 PDT 2002
On Fri, 20 Sep 2002, Yusuf Iskenderoglu wrote:
>
>
> Hello;
>
> >> How will you ensure that the email is correct ? If it is not
> >> Authenticated ? Users could have set a at b.c.de as email.
> >I think we don't care about the email they've set.To set a
> >valid mail is for their own good in case they forget their
> >password.I believe just a notice while running the register
> >proccess,about setting a valid email,is enough. (:
>
> It looks as if you have never run sendmail. And have never had
> To kill 500 sendmail processes trying to time out due to wrong
> Email addresses, when attackers think they are cleverer.
I did,but to be honest,i'ven't thought about that(attackers).We can add a
limit to the SENDPASS command to prevent attackers doing this.I mean, in case
there is an email set,adding a limit to the user preventing him to use
the SENDPASS more than 1 time per hour or sth like that, would be
nice/enough to prevent abuse.
Whatever i've written above is not what i believe as being right.
My personal opinion is that the most safe way is FIRST authenticate
the email and then anything else.That's to prevent abuse from attackers
or any other kind of attack to services or the machine running them
itself,as yusuf mentioned in his reply.
> Please do consider that there are users without root-rights
> Who also run services, and they cannot modify sendmail settings.
>
That's true. :|
> As of this, a new command a la DENYMAIL add|del|list to prevent
> Certain email addresses from being used at registration processes
> Would moreover be fine.
>
> SCNR.
> Yusuf
>
Regards,
Gizm0.-