MS-Mail Security

Bill Stewart stewarts at ix.netcom.com
Fri Jun 28 19:22:29 PDT 1996


Leo WONG Wing-yan <wywong2 at cs.cuhk.hk>
> In> I would like to gather informations of whether the MS-Mail server
> In> is  secure or not, is anyone heard of somebody, say, disguise 
> In> as other user or read other user e-mail?

You have to look at the whole environment.  MSMail typically runs
on MS-DOS / Windows PCs, on a network using Microsoft file server
protocols over TCP/IP, so it has all the vulnerabilities of that
environment.  (It can run over Novell Netware instead, which has
a somewhat more secure file server, but the system is still vulnerable.)
The easy attack is to use a sniffer or other ethernet eavesdropping
software to listen for MSMail messages on the LAN - they're not
sent encrypted.  It also runs over dialup, and the dialup and
LAN versions rely on a user-typed login name and password for security,
but don't require that the password meet any minimum standards
for length (empty passwords work just fine.)

MSMail is typically used for two different kinds of business applications -
a purely internal mail system that doesn't connect to the outside world,
or gatewayed to SMTP or UUCP to connect to other locations.
I don't know how secure the gateways are, but the places I've seen them
used they certainly haven't been reliable, and generally have been heavily
hacked on by the users to make them do what the users want, which probably
doesn't add to either the reliability or the security.  The mail client
has its own set of problems, such as choking on messages with more than
30KB of message body.  My purely personal non-official opinion is that 
it's the third worst mail system I've ever used.  (IBM PROFS is the worst,
and I watched someone use the original Prodigy 1200-baud 24x40 lines with
advertising on every page nonsense as well.)

harka at nycmetro.com
>I'd also like to know how secure the MS-Mail files are (*.mmf). 
>They are password protected and should be encrypted but 
>does anybody know how secure?

For those of you who aren't familiar with MSMail, the .mmf file
is the big hulking file that MSMail keeps all your mail in,
including new mail and mail filed in folders (you _can_ split it
so your Inbox resides in one .mmf on a mail server and all
your other mail folders are in one file on your PC.)  
The main effects are 
- if the file gets corrupted (perhaps by a bad disk block, or 
because the "operating system" crashed while you were using MSMail), 
you can't read the undamaged pieces,
- if you received a message that the MSMail client can't handle,
like a large text message, you can't read it directly from the mail file
using a text editor like Emacs.

I haven't tried to crack it, but the experience of people who've
cracked other Microsoft Office encryption (e.g. Word, Excel)
has been that it's been pretty wimpy.  It does prevent casual
users of your PC or server from reading your email by looking
at the file with an editor or by using the MSMail client without
the password, but I'd be very surprised if it kept out a professional
who wanted to take the time to attack it carefully.




#				Thanks;  Bill
# Bill Stewart +1-415-442-2215 stewarts at ix.netcom.com
# http://www.idiom.com/~wcs
#				Distract Authority!







More information about the cypherpunks-legacy mailing list