IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability

On March 29th 2002 we sent a Portcullis Advisory to Microsoft and CERT regarding the above vulnerability. This Advisory came about as a direct result from the findings of tests on a customer's system and information given to us about that system's configuration. It was not possible for us to verify this information using any independent means.

During the forty-five day grace period before publication we had some dialogue both with Microsoft and another security company who had reported similar findings.

After publication of our Advisory we received a formal response from Microsoft and performed further testing and verification of the system configuration. It has become evident that some of the earlier information we had was, in fact, inaccurate and this in turn led us to the wrong conclusion.

With the latest evidence in mind we wish to retract our earlier statements about this vulnerability.

Sincerely,

Thomas Liam Romanis
Security Testing Services Manager (PTT Manager)
CHECK Certified Penetration Tester.
Portcullis Computer Security Ltd.