Quote:
Originally Posted by sclitheroe
So I took a look and signed up just for poop and giggles.
Brutal - there's no way to specify which SMTP hosts this thing should accept email from me from. So it looks like once I know someone is a Flexmail user, I can spam like crazy by spoofing my SMTP from: address.
Second, once you've created an account, there's no way to delete your account. Nice.
Edit: Those are honest opinions/feelings. I'm not ripping on Serapth - the thing is labelled as a beta and must be treated as such. But man, you've got to find a way to make it easy for users to manage what "locations" (that would be which IPs to your app) they can send commands from. Otherwise this thing is a giant data sieve/DOS bot/Trojan distribution thingy just waiting to happen.
SMTP servers are not a static thing, especially when it comes to something like Blackberry users, where the outgoing SMTP servers are not only highly dynamic, but also obfuscated. Additionally, the vast majority of people have dynamic IP addresses at home, so locking down by IP would do very little. Finally, it is not so easy to spoof as you think; Flexamail is not completely without security. Adding an optional feature to lock down to IP could be handy for the security minded. The service has been running for about a year and has thousands of users and we have never had a reported spoofing problem. I am not saying it isn't possible, I am just saying in practicality, it has never actually happened.
As to your bot/trojan distribution comment, frankly that's just silly. Take your scenario: in order to "attack" a user, you would need to know they were a member and their email address.... and knowing that, frankly, would give you no more power than you would have if......... you knew their email.