Mailing List Message #6011
From: Kreme <>
Subject: Re: Can OE/Win do APOP?
Date: Thu, 18 May 2000 16:19:05 -0600
To: SIMS Discussions <>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
At 09:36 5/18/2000 -0700, you wrote:

> _No other mail client I have ever used does_.

You've already explained that that means only a very small handful of mail

A dozen or two.. that I've used, only a handful that I use on any regular basis.

There may also be a demonstrable difference between your users and mine, as
mine know not to click on links and executables from outside the office,
whether they be using Eudora or any other product

And I repeat, there are viruses for Outlook and OE that DO NOT REQUIRE ACTION ON THE USER'S PART.  That is, simply VIEWING the mail will infect the system and spam the Address book.

The point remains that at this
point in time you can be nearly as safe with a MS email app as any other.

Yes, this is true.  If you have all security patches, if you are running the latest version, if you set your internet security levels manually, and if you turn off message preview panes then you _CAN_ be _NEARLY_ as safe with MS email as any other Windows email client.

Your point on spread ONCE infected remains your only leveragable point, but
optionally becomes moot next week.

Can I enforce that on my end as the mail server?  Can I say, OE or Outlook is OK only if this patch is installed?  Can I protect my server from non-secure versions of OE and Outlook?  As I said, I don't care if Windows users infest themselves with viruses until those viruses attack my computer.  It's what I've said all along -- my mail server is the issue, and Outlook users are a security threat (not risk, threat) to my machine.

My point remains that at the outset, you had a bundle of reasons why OE and
Outlook were bad and horrible and none of your should be allowed to use

Three reasons: error report every time OE drops a connection to the server, auto-spamming and auto-installing viruses that can then auto-spam.  Those three still stand, although it appears MS is finally doing something about the latter two.  This doesn't help me with all the users who will not get that update next week, next month, or next year.

them.  In addition you suggested that all informed users should not WANT to
use them.

Right.  I stand by that.  And actually, this all started because you accused me of having a bias against OE.  I took exception to that word, since it implies an _UNFOUNDED_ prejudice.  I think my distaste for O/OE is quite well founded, and that I've shown that.  I would like to have a way to prevent an Outlook or Outlook Express client from checking mail on my server.  This would be a neat feature that I would use.  The original complaint about OE's lack of APOP doesn't affect me, as that relates to the security of the user's mail, not my server, and I can enable or disable APOP on an account-by-account basis.

  Through this thread I believe I have whittled you down with facts
to the contrary, down to this last message of yours where you hang your hat
on the issue of access to the addressbook and the ability for a virus to

My original complaints.

From my first reply:
If you mean Bias because I dislike programs that auto-install viruses, then
I guess I'm biased on that count too.

From my second:
Well, since OE cannot correctly disconnect from my server and generates an
error every single time, I think I am well within my rights of saying "No
Outlook Express or Outlook"  And since >I< am the one who gets called when
Beavis Q User infests his machine with an OE auto-installed virus, I think
I am again well within my rights of saying "No Outlook Express or
Outlook."  This doesn't even mention the problem of the spam-like behavior
of some of the viruses that cause a cascade of thousands of emails.

You then explained that there was no way of fixing this, "The security hole
is not, as MSFT would like to have you believe, a little hole they can
patch, it's a fundamental design principle in Outlook and OE.  It's an
integral part..."

That's right.  Microsoft themselves said so (not in those words) in the link you posted.

<<<Certain functionality in Office may be impacted by this update. You should read Functionality Impacted by Outlook 98/2000 E-mail Security Update for more information before installing the update.

Functionality in other products may be impacted as well. Presently Microsoft is working closely with many of these vendors to evaluate the impact of the Outlook E-mail Security Update on their products. For a list of vendors whose software may be impacted, read ISVs Affected by Outlook 98/2000 E-mail Security Update.>>>

This security fix changes the fundamental way that Outlook and OE interact with the system.  It is not a simple "patch" and it will eventually involve a redesign of the product.

We now see that those assumptions are false, and even this last point
becomes moot shortly.  You continue to hold Eudora up as beyond reproach
even though we see that it too has had weaknesses leveraged in the past.

I don't ever recall saying Eudora was beyond reproach or perfect.  Better than OE, that's what I said.  More secure than OE.  Eudora is _NOT_ perfect, and has some glaring issues that I find annoying (such as half-assed support for AUTH)

You may have at one time made your stand on facts, but you have maintained
them on beliefs, not objective truth.  An open mind requires continual
re-evaluation of previous stances in order to not slip into bias.

Having said all of that, if you'd like a point of continuing fact to support
your belief, go waaaaay back to the beginning of this thread and make lack
of APOP support a password security issue.  That one's current and
irrefutable.  But to do that in good conscience I guess you'd have to
enforce mandatory APOP on all your users and likely deny them from most
webmail interfaces to their Pop account.

I think we've covered the whole gamut now?

Craig Bowers

