From: "Joey Grasty" <jgrasty@gate.net>
Date: Sun, 6 Aug 95 13:13:19 PDT
To: cypherpunks@toad.com
Subject: Questions about SMTP and NNTP
Message-ID: <199508062011.QAA28350@tequesta.gate.net>
MIME-Version: 1.0
Content-Type: text/plain


C-punks:

While working on the SMTP and NNTP clients for the WinSock remailer,
I have uncovered two questions I don't know the answer to.  Here they
are:

1.  When sending a message to the SMTP server, I use scenario 4 as
    shown in RFC821 as a basis for my client.  There seems to be a 
    huge security hole in SMTP.  I can use just about any name 
    when sending the VRFY command.  For example, I could connect to
    "sensemedia.com" and pretend to be "tcmay".  Is there something
    I'm missing here or is there really that big a security hole in
    SMTP?

2.  How do you do user authentication in NNTP?  There's nothing about
    it RFC977.  Is there a later RFC that describes how to do user
    authentication?  All of my newsreaders support this function, but
    I haven't been able to figure out how to do it.

Any help you can give me would be appreciated.

ObWinSock Remailer:  I have the POP3, NNTP and SMTP clients functional
now.  With luck, I'll have an alpha test version of the remailer in 
two or three weeks.

ObCypherPunks:  Is the list down?  I haven't heard a peep since about
noon.  I send a "who cypherpunks" to majordomo and received a quick 
reply which shows I'm still subscribed.  Any idea?

Regards,

--
Joey Grasty
jgrasty@gate.net [home -- encryption, privacy, RKBA and other hopeless causes]
jgrasty@pts.mot.com [work -- designing pagers]
"Anyone who considers arithmetical methods of producing random digits is,
of course, in a state of sin." -- John Von Neumann