From: Steve Manzuik [smanzuik@RAZOR.BINDVIEW.COM]
Sent: Wednesday, December 13, 2000 3:12 PM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Re: XATO Advisory: Win32 Command-Line Mailers

John.

You are correct in your statement that under Win2K you can use the built-in SMTP services. Unfortunately, you are also correct in your assumption that it is a little-known addition/service which I do believe depending on your configuration (added by option pack 4 I believe) you can also use under NT 4.0.

There is a large install base of NT/Win2K web servers on the Internet that are using one of these vulnerable command line mailers. Granted, some of the flaws do not exist depending on configuration but we have all learned the hard way that correctly configuring products is only half the battle.

>
>I believe the XATO advisory is flawed in that it makes several assumptions
>about how a Web-server is set up and configured.
>
>Regardless of this, a little-known feature of Windows 2000 obviates the need
>for a command-line mailer. If you install Internet Services (WWW, FTP, etc.)
>you also install a damned good SMTP server. If you simply write a valid
>file containing To: and From: lines to the directory
>c:\InetPub\mailroot\Pickup (or equivalent for your setup) it will be sent
>out by the server. You don't even need Windows 2000 Server as it is
>available in the Professional product too.
>
>john...
>
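
The pickup-directory approach described in the quoted message, as an added example that is not part of the original thread: a web application writes the To:/From: file itself instead of calling a command-line mailer. The function names, the staging directory, the `.eml` file name and the rejection of line breaks in header values are assumptions of this sketch; only the pickup path comes from the message.

```python
import os
import tempfile
import uuid
from email.message import EmailMessage
from email.policy import SMTP

# Directory quoted in the thread ("or equivalent for your setup").
PICKUP_DIR = r"c:\InetPub\mailroot\Pickup"


def build_message(sender, recipient, subject, body):
    """Return an RFC 822 message with From:, To: and Subject: headers."""
    headers = {"From": sender, "To": recipient, "Subject": subject}
    msg = EmailMessage(policy=SMTP)
    for name, value in headers.items():
        # Form-supplied values must not carry CR or LF, otherwise one field
        # could append extra header lines to the file the server sends.
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in {name} header value")
        msg[name] = value
    msg.set_content(body)
    return msg


def drop_in_pickup(msg, staging_dir, pickup_dir=PICKUP_DIR):
    """Write msg to a staging file, then rename it into the pickup directory.

    Assumption: staging_dir is on the same volume as pickup_dir, so the
    rename is atomic and the SMTP service never reads a half-written file.
    """
    fd, tmp_path = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(msg.as_bytes())  # CRLF line endings via the SMTP policy
        # Hypothetical naming scheme: random name, .eml extension.
        final_path = os.path.join(pickup_dir, uuid.uuid4().hex + ".eml")
        os.replace(tmp_path, final_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path
```
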