Xref: utzoo comp.mail.misc:2280 comp.mail.uucp:3438
Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!cs.utexas.edu!tut.cis.ohio-state.edu!rutgers!bellcore!att!chinet!les
From: les@chinet.chi.il.us (Leslie Mikesell)
Newsgroups: comp.mail.misc,comp.mail.uucp
Subject: Re: How do you "kill" a message in uucp?
Summary: no way to check security
Message-ID: <9237@chinet.chi.il.us>
Date: 11 Aug 89 04:53:26 GMT
References: <119830@sun.Eng.Sun.COM> <312@galadriel.bt.co.uk> <120415@sun.Eng.Sun.COM>
Reply-To: les@chinet.chi.il.us (Leslie Mikesell)
Followup-To: comp.mail.misc
Organization: Chinet - Public Access Unix
Lines: 29

In article <120415@sun.Eng.Sun.COM> argv@sun.UUCP (Dan Heller) writes:
[ ..remote uustat server to kill jobs..]

>> How would you specify the message that you wanted to kill ? And if you
>> could then how would you stop other people blatting your outgoing mail ?

>Uucp just sent you a message saying, "to kill the mail, issue the command
>uustat -k..." Well, you simply mail that same job number to the uustat
>server. If the job is still queued, it has the envelope for the message
>going out -- just check that address against yours and verify that they
>are the same.

The problem here is that it is trivial to fake authorship of uucp mail.
SysV mail uses the environment variable LOGNAME as the sender, so:
  LOGNAME=you mail somewhere!someone
is all it takes.

>Further, the uustat server could also reply to queries about what's in its
>queue -- that way, you could check on things that are outgoing from that site.

This might be the ticket. Receiving mail is fairly secure, so if the
uustat server mailed you back a magic cookie id that couldn't be
obtained any other way, knowing that id could allow you to delete the
job. If you fake the sender's name on the outgoing message, the real
user will get the returned information. The normal uustat id number
would not work as well, since it can be obtained by anyone with access
to the machine.

Les Mikesell
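
The cookie scheme suggested in the post above, sketched as an added example that is not part of the original post or of any uucp/uustat code. The `KillServer` class, its method names, the in-memory `outbox` standing in for mail delivery, and the job id and user name are all assumptions made for illustration; it also assumes, as the post does, that only the real user can read mail delivered to their name.

```python
import hashlib
import hmac
import secrets


class KillServer:
    """Hypothetical job-kill server; not part of uucp or uustat."""

    def __init__(self):
        self.jobs = {}     # job id -> sender name on the job (forgeable, per the post)
        self.pending = {}  # job id -> SHA-256 of the cookie that was mailed out
        self.outbox = []   # (recipient, body) pairs standing in for mail delivery

    def queue_job(self, job_id, claimed_sender):
        self.jobs[job_id] = claimed_sender

    def request_kill(self, job_id):
        """Step 1: kill nothing; mail a fresh cookie to the job's sender name."""
        if job_id not in self.jobs:
            return False
        cookie = secrets.token_urlsafe(16)  # 128 random bits, unguessable
        self.pending[job_id] = hashlib.sha256(cookie.encode()).digest()
        # Delivered to the name on the job, never to whoever sent the request.
        self.outbox.append((self.jobs[job_id], f"kill {job_id} {cookie}"))
        return True

    def confirm_kill(self, job_id, cookie):
        """Step 2: delete the job only when the mailed cookie is presented."""
        expected = self.pending.get(job_id)
        if expected is None:
            return False
        presented = hashlib.sha256(cookie.encode()).digest()
        if not hmac.compare_digest(expected, presented):
            return False
        del self.pending[job_id]  # single use: a replayed cookie is rejected
        del self.jobs[job_id]
        return True


def demo():
    srv = KillServer()
    srv.queue_job("chinetN0001", "alice")  # constructed job id and user name
    srv.request_kill("chinetN0001")        # anyone can send this request
    recipient, body = srv.outbox[-1]
    cookie = body.split()[-1]
    guessed = srv.confirm_kill("chinetN0001", "chinetN0001")  # job id is not a secret
    genuine = srv.confirm_kill("chinetN0001", cookie)
    replayed = srv.confirm_kill("chinetN0001", cookie)
    return recipient, guessed, genuine, replayed
```

The kill request itself carries no authority: the job is deleted only by whoever can read the mailbox the cookie was delivered to, which is why the publicly visible job id fails where the cookie succeeds.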