The client software can be configured (is by default?) to send a
notification email when a domain name is registered. The address is
configured within OpenSRS.conf.

The email includes the domain info, the admin and billing contacts and the
credit card information by default.

It's never concerned me overly since I control my mailserver and it's the
same one used to send the email...as a result, it never actually leaves our
internal networks. The connection is made between our web server and our
mail server, the mail is sent, and (because it's local) is promptly dropped
in the appropriate mailbox. I suppose that that could be a potential
security problem if someone sniffed our internal network (which you couldn't
do from the Internet due to the firewall) and watched for the packets that
were used in transmitting the email message to the mail server...

The other option might be to hack the client and modify the format of the
email message, either removing the card number or encrypting it somehow.

Regards,
Eric Longman
Atl-Connect Internet Services
+-------------------------------------------------------+
| Atl-Connect Internet Services http://www.atlcon.net |
| 3600 Dallas Hwy Ste 230-288 770 590-0888 |
| Marietta, GA 30064-1685 support@atlcon.net |
+-------------------------------------------------------+
----- Original Message -----
From: <bill@daze.net>
To: "Doytchin Spiridonov" <info@webyou.com>
Cc: "Jason Tarrant" <jasont@internetcds.com>; <discuss-list@opensrs.org>
Sent: Friday, June 02, 2000 4:04 PM
Subject: Re: "Domain Names Hijacked" news article
On Fri, 2 Jun 2000, Doytchin Spiridonov wrote:
> yup - the only bad thing with opensrs is that credit card
> info is sent through e-mail....
Huh? I have never seen any CC info sent through e-mail. I guess this
really depends on how an RSP chooses to implement their CC processing.
OpenSRS does not accept CC info via e-mail.
> regards,
> doytchin spiridonov
>
>
> Jason Tarrant wrote:
>
> > It's actually even easier than that. All you have to do is change the
> > reply to address in your e-mail program to pretend you are the admin
> > contact for the registration. As long as the e-mail address is still
> > valid, or has a valid nameserver record that can be verified by your
> > outbound mail server, and as long as you have the template and
> > tracking numbers correct it can be done.
> >
> > I have had certain other domain hosts who shall remain nameless, here
> > in the Pacific Northwest do that to transfers away from us, and
> > without the customer knowing, and voila, I get the nasty phone call
> > Monday morning wondering why their domain/e-mail is down due to dns
> > changes we had no idea were taking place.
> >
> > NSI make the INS and the IRS look like efficient, friendly, customer
> > service driven agencies.
> >
> > Long Live Open SRS, and slow, painful, bankrupt death to NSI :)
> >
> > Jason Tarrant
> > Domain Administrator
> > InternetCDS
> > 1-800-943-4638 xtn. 2330
> > 541-773-9600 xtn 2330
> > www.internetcds.com
>
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:37 EDT