E-Mail is now 8-bit transparent!

From: Markus G. Kuhn (kuhn@cs.purdue.edu)
Date: Fri Jul 11 1997 - 16:57:48 EDT

"Alain LaBont/e'/ SCT" <alb@riq.qc.ca> wrote on 1997-07-11 07:11 UTC:
> You know, the 7-bit stripping of my messages is infinitely more
> problematic. And QUOTED-UNREADABLE too... outside of the English-speaking
> world we suffer when we want to speak our language with correspondents
> which happen to be located in SMTP-dogma-bound (mainly
> English-speaking-only) environments.

Oh, this old SMTP story again. SMTP is history. What happened is the
following: Many SMTP implementations, most notably Unix sendmail, have
suffered the discovery of *very* significant security vulnerabilities in
the past 24 months. If you are still using an old sendmail version,
then any 13-year old kid can now easily get supervisor access through your
sendmail program and read/destroy any file on your harddisk. Easy exploit
scripts are widely available, just check the bugtraq archives. Firewalls
do not prevent this attack form as firewalls forward the deadly
SMTP connections. The details are documented in numerous CERT

The new software versions where these security bugs have been fixed
are all fully ESMTP capable, i.e. they are 8-bit transparent. Since
system administrators had to upgrade their legacy e-mail systems all over
the world last year for security reasons, we got a very fast and
complete ESMTP upgrade for free.

These events, which have been largely unnoticed by the character set
community, have practically eradicated old non-ESMTP versions of sendmail
from this planet and have therefore practically solved the old Internet
7-bit transparency problem. The 8-bit transparency statistics from 1995
are obsolete today. Quoted-printable encoding is obsolete today.

If you *do* know a host that has still an old 7-bit sendmail running, then
I can reformat the harddisk of this host at any time in a minute from
my desk here using easy-to-use plug-and-pray exploit scripts, and we
will have one 7-bit e-mail system less on the network. You should inform
the responsible system administrator about her negligence immediately,
referring her to



Markus G. Kuhn, Computer Science grad student, Purdue
University, Indiana, USA -- email: kuhn@cs.purdue.edu

This archive was generated by hypermail 2.1.2 : Tue Jul 10 2001 - 17:20:35 EDT