On Wed, 23 Oct 2002 19:00:06 +0200 Dan Richter <[EMAIL PROTECTED]> wrote:
> Pardon me for being a pain here, but isn't it ridiculously easy to
> forge a From:, and also rather easy to forge an envelope?

From: is trivial under many MTAs. Envelope requires understanding SMTP and driving that manually. However, this is largely moot: if you need strong(er) authentication in email systems, period, and this is not just limited to Mailman, you're basically into the realms of PKI.

Exception: (I do this in a couple of cases) I require mail arriving with specific From: and Envelopes to also list specific addresses in the Received: headers. This is not strong, it is equally trivially forged as the envelope, but it is (currently) a sufficient barrier to entry to cut even the few who do forge envelopes that I've found.

> Now I'll be humble and admit that I don't even know what an envelope
> is.

Crudely, it's the "From " header (note the space). More usefully the envelope contains the return-path, the address to which a bounce should be sent back to if this message bounces.

> So my question about the envelope really boils down to: if I have root
> access on a machine other than the one Mailman is running on, can I
> fool Mailman's envelope recognition?

Absolutely. You don't need root access on any system to forge email.

--
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
[EMAIL PROTECTED]           He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
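
The Received: check described in the message above, sketched as an added example that is not part of the original post and not Mailman code. It assumes the envelope sender is handed over by the MTA; the policy table, host names, IP addresses, the `trusted_hops` parameter and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy: (From: address, envelope sender) -> relay IPs, one of
# which must appear in a Received: header. Names and IPs are made up.
POLICY = {("admin@example.org", "admin@example.org"): {"192.0.2.10"}}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg, trusted_hops=None):
    """Bracketed IPs from Received: headers, newest (topmost) first.
    trusted_hops limits the scan to the top N headers, the ones your own
    MTAs prepended; everything below them is sender-supplied text."""
    headers = msg.get_all("Received", [])
    if trusted_hops is not None:
        headers = headers[:trusted_hops]
    return [ip for h in headers for ip in IP_RE.findall(h)]

def check_message(raw, envelope_sender, policy=POLICY, trusted_hops=None):
    """Return 'accept', 'reject' or 'no-policy' for one message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    required = policy.get((from_addr, envelope_sender.lower()))
    if required is None:
        return "no-policy"  # this From:/envelope pair is not restricted
    seen = set(received_ips(msg, trusted_hops))
    return "accept" if seen & required else "reject"

def hop(name, ip):
    """Build one constructed Received: header line."""
    return f"Received: from {name} ([{ip}]) by lists.example.net\n"

TAIL = "From: Admin <admin@example.org>\nSubject: test\n\nbody\n"
GENUINE = hop("mail.example.org", "192.0.2.10") + TAIL
WRONG_RELAY = hop("host.invalid", "198.51.100.7") + TAIL
# Real hop on top, sender-supplied Received: line underneath it.
PADDED = (hop("host.invalid", "198.51.100.7")
          + hop("mail.example.org", "192.0.2.10") + TAIL)

if __name__ == "__main__":
    env = "admin@example.org"
    for label, raw in [("genuine", GENUINE), ("wrong relay", WRONG_RELAY),
                       ("padded", PADDED)]:
        print(label, check_message(raw, env),
              check_message(raw, env, trusted_hops=1))
```

Scanning every Received: header accepts the padded message, which is the weakness the message concedes; restricting the scan to headers added by your own MTA rejects it.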