4.1.5 Considerations for Message/External-Body

The original MIME RFC, [RFC1521], allowed the body of an entity to be referenced externally rather than requiring it to be inline. The current MIME RFC, [RFC2046], describes the form of this construct; the security implications are as follows:

  1. The blind retrieval of the content by the client can disclose information about the recipient (1).

  2. The authentication mechanism tied to the retrieval (access-type parameter) can result in a pop-up dialog box, leading the user to expose credential information.

  3. A server (policy or delivery application) that attempts to check the content opens a denial-of-service vector: the remote host can tie up server resources.
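
A way to screen for this construct without retrieving anything, as an added example that is not part of the original document: it lists each message/external-body part with its access-type and referenced target. The sample message, the host names and the mapping from access-type to concern are constructed for illustration.

```python
from email import message_from_string

# Constructed sample; hosts and addresses are placeholders.
SAMPLE = """\
From: sender@example.org
To: rcpt@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached report.
--b1
Content-Type: message/external-body; access-type=URL;
 URL="http://files.example.org/r?id=rcpt"

Content-Type: application/pdf

--b1
Content-Type: message/external-body; access-type=ftp;
 site="ftp.example.org"; name="report.pdf"

Content-Type: application/pdf

--b1--
"""

# Illustrative mapping (an assumption of this example) from access-type
# values to the concerns listed above; anything else is left for review.
CONCERN = {"url": "blind-retrieval", "anon-ftp": "blind-retrieval",
           "tftp": "blind-retrieval", "ftp": "credential-prompt"}

def find_external_bodies(raw):
    """List external-body references without fetching any of them."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/external-body":
            continue
        # get_params() yields (name, value); the first pair is the media type.
        params = {k.lower(): v for k, v in part.get_params(failobj=[])[1:]}
        access = params.pop("access-type", "").lower()
        target = params.get("url") or params.get("site", "")
        findings.append((access, target, CONCERN.get(access, "review")))
    return findings

if __name__ == "__main__":
    for access, target, concern in find_external_bodies(SAMPLE):
        print(f"{access:8} {target:40} {concern}")
```

Because the function only reports references, a policy or delivery application can decide what to do with them without contacting the remote host.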