[Esd-l] A sticky problem???

Brent Wallis brent.w at infosynergy.com.au
Wed Jun 12 18:51:03 PDT 2002


Hi All,
What follows relates to the sanitizer but may not be as focussed as it
should.
To make it brief, I'll use bullet form..:

- I am in Australia and have a multinational client who has the sanitizer
installed
on a sendmail gateway. Zero infection rate for the last 2 years..(tks
John..:-)
- This client supplies to a retailer who owns 80% of the hardware retail
sector in this country
and act like MS with their suppliers.....what they say goes and if you don't
like it, your product gets de-ranged.
- The retailer in question has implemented this method of sending orders and
invoice interchange (plain ol EDI via the Internet) that uses a modified
Outlook MUA. Data interchange happens via unattended message passing accross
SMTP.
- The normal problems we all face in e-Commerce, like non-repudiation,
protection from tampering during transit,
proof of origin, digital signing etc etc etc are nowhere to be seen in this
program.
- The developer in question has no idea about the issues surrounding SMTP
security, and when I have questioned him, the "i'll delete everything from
your client companies" range is about the only reality answer I get.
- The devloper in question reckons they have developed their own method of
encryption???(my bull***t meter tripped into the red on this one...)
- The emails sent by the program to and fro are NOT RFC821 compliant, and
the MIME attachments are, for lack of a better phrase "a wank on some form
of ratbag proprietry MIME type"...

Basically, the sanitizer is getting in the road, munging the emails sent by
the program so that the MUA they "invented" can't read them. There are
things we could do, like key the sanitizer to overlook the emails(to and
from set addresses) in question, but that would leave a hole. One which I
would rather not open because of the proprietry and closed source nature of
their MUA. When I have my black hat on, I can spot "50 ways to break it",
and all I see is this trojan with a red flag up yelling come and take me.

So my questions for the list are:
1. In my mind, data interchange via SMTP is like using a butter knife to cut
spread concrete...it works, but there are far better and more efficient
ways. SMTP is for messaging between users, not unattended data interchange.
Does everyone agree? or do I have that wrong?
2. Anyone that tells me they have invented an encryption algorithm that
no-one knows about just tells me they are full of crap and alarm bells start
ringing....what do you think?
3. Is a desire to do business worth dropping the sanitizer? I would rather
shake hands with my client and politely walk away rather than be party to
that.....my answer in this instance is a definite NO.
4. Has anyone else faced this in the real world? Is anyone having to change
their sanitizer installs for the sake of e-Commerce applications using
SMTP??

I should point out that this is not a call to have something changed in the
sanitizer. It's just fine and works well, I am more focussed on whether or
not I am on the right track and would appreciate comment from any angle.
This is very important in terms of what I am having to deal with in the
e-Commerce sector, and I want my facts absolutely correct(and real world
anecdotes from you guys) before taking the next step, which would be
informing the other 400 or so businesses that use this program that they
have a security issue to deal with and what seems to be an MS fanatic
writing programs using VB "point and drool" without knowing that their
application design and strategy could be harmful for the networks it is on.

John my appologies if this is off centre, but the sanitizer is a part of
this and I would be interesetd in other experiences that may be similar to
this...
Regards
Brent Wallis



More information about the esd-l mailing list