A point that I think has been lost in the discussion of solutions.
Blocking telnet to the port *WILL NOT HELP*
Use of PGP will only help in repudiation.
The problem is simple: Netscape, and apparently all SMTP/POP/IMAP mailers
(Eudora, Pine, etc...) when running on unsecure platforms, let you set
the username. This is not connecting to port 25 and speaking SMTP, it
is just taking advantage of the weakness in the implementation.
I cannot understand why the clients do not make use of the loginname
used for the pop3 download. To me, it seems a trivial step to take.
[ Please note that this has been exploited by *ELEMENTARY* students
so I don't think this is exactly rocket science. The tool to
fake mail has been handed to them ]
Electus Technology Inc. / Loma Linda University Medical Center
San Bernardino, California. (909)799-8308 |Internet: baumann @
From: "A. Padgett Peterson P.E. Information Security" <PADGETT @