VeriSign SMTP reject server updated

George William Herbert gherbert at retro.com
Tue Sep 23 01:56:18 UTC 2003




>At anytime, Verisign could remove your .COM domain from their DNS for
>a short period of time which would result in all of your inbound
>email going to the Verisign collector servers. If this was only done
>for a brief interval, say 10 minutes, you might never notice that it
>had happened. But Versign's industrial espionage department would have
>your email in their hands and could do whatever they wish with it.
>How profitable might that be?

Actually...

If they were to accidentally remove someone's .COM domain
and do that, that would be a criminal violation of ECPA,
says my not-an-attorney analysis.

Even if they did it by accident.

Even if they didn't keep a copy.

Even if their mail server didn't accept it and returned
a 550 on the RCPT, if the sending mail agent did something
braindead like just pump out a whole message plus embedded
SMTP headers like... oh, I dunno... a bunch of Spamware does.

It seems... wrong... to consider that we could file
criminal charges against Verisign for illegally intercepting
spam between the spammer and our systems, but it appears
to be a legally consistent postulate.  As Verisign is doing
SiteFinder for commercial gain, it might even qualify for
the higher penalties (1 yr first offense 2 yr each subsequent
offense).  I wonder if 'offense' would map to 'domain' or
'individual email message' or what.  Conceivably could be
very very bad news.


-george william herbert
gherbert at retro.com




More information about the NANOG mailing list