, 2008-01-23
"Mommy, can I have a cookie?"
OS utilities and public "keys"
2008-01-23
Ole Juul (1 replies)
Mother, May I?
2008-01-24
Thomas Downing (1 replies)
Internet as Commons
2008-01-28
Mark D. Rasch (1 replies)
Not much of a cheese shop, is it?
2008-01-24
Mitch Smith (2 replies)

2nd: The analogy with SQL injections, XSS, etc. is bad: these exploits are not published as allowed commands but are usually found when experts or crackers analyze available code, or simply by trial and error.
Zone transfer and the SMTP VRFY command, on the other hand, are well described in publicly available documents as functions that may or should be supported by software, and which message should be returned if not supported or disabled. In other words, since these are indeed intended for use, the issued commands were indeed valid. I'd say Ritz acted in good faith; that is, while the result may be undesirable for the plaintiff, they should have known better.
I do not know if this argument was raised.
Link to this comment: http://www.securityfocus.com/comments/columns/463/34876#34876