Hi
04 Feb 2001, "Samuel W. Heywood" <[EMAIL PROTECTED]> wrote:
SH> I didn't know it was that simple.
I thought that the whole thread was about that fact ;)
Yes ... standard SMTP does not have authentication capabilities.
Normally this is not a very big problem, because only a range of trusted
IPs is usually allowed to post.
But for freemail providers this is a much bigger problem.
(e.g. they don't have an IP range, because everybody can send through his own
connection)
so the usual thing done was SMTP after POP.
You log in to the POP server (with username/password) and your IP is
recorded. You were then allowed to use the SMTP server for x minutes from
this IP.
Now authentication possibilities have emerged ... good !
(but you need the client which knows about these capabilities)
SH> and it appears that it is indeed true that no authentication is
SH> required under "normal" protocols to use any smtp server anywhere.
yes ... but this is nothing new ;)
SH> I was amazed to discover such a gaping security hole.
SMTP is *VERY* old ... :)
SH> Maybe this problem can be fixed simply by adding some login queries
SH> to the Telnet protocol used for smtp.
the 'telnet protocol used for smtp' _is_ SMTP ;))))
and yes ... these capabilities have been added ...
see the subject of this mail ;)
SH> I don't know if this would require also some authentication features
SH> for ordinary mail clients because I don't think the email clients are
SH> programmed to send mail by accessing Telnet.
yes this would require it.
Yes they use the same socket method you used.
telnet simply opens a socket to the machine x on port y.
Everything machine x sends will be displayed on screen.
Everything you type will be sent to the machine x via the open socket.
SH> I get an error message saying something to the effect that
SH> "you are not allowed to use the mail server smtp.sleezynet.com".
sure ... your IP does not match :)
SH> This will happen even if I have a POP3 account at sleezynet.com and
SH> even after I have downloaded my POP3 mail first.
smtp after pop has to be installed.
Normally only the IP is checked.
SH> I can send mail through their smtp server only by relaying it through
SH> shentel.net.
good ...
SH> Some ISPs are said to allow direct access by anyone, but they get
SH> reported to ORBS.
good again ...
if somebody is THAT stupid, then he has to be punished.
SH> Then they have to either clean up their act or lose their subscribers
SH> because not even their own subscribers would be able to send messages
SH> successfully to people who have email addresses at many other ISPs.
yes
SH> Sam Heywood
CU, Ricsi
--
|~)o _ _o Richard Menedetter <[EMAIL PROTECTED]> {ICQ: 7659421} (PGP)
|~\|(__\| -=> Always remember you're unique-just like everybody <=-
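
The relay decision described in the message above (a trusted IP range, plus SMTP after POP with a time window), sketched server-side as an added example that is not part of the original mail or of any mail server's code. The class name, the 600-second window and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import time


class RelayPolicy:
    """Relay decision for an SMTP server: trusted ranges plus SMTP-after-POP."""

    def __init__(self, trusted_ranges, window_seconds, clock=time.monotonic):
        self.trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
        self.window = window_seconds
        self.clock = clock
        self.pop_seen = {}  # client IP -> time of last successful POP login

    def record_pop_login(self, ip):
        # Called by the POP server after username/password were accepted.
        self.pop_seen[ipaddress.ip_address(ip)] = self.clock()

    def may_relay(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.trusted):
            return True, "trusted range"
        seen = self.pop_seen.get(addr)
        if seen is None:
            return False, "no POP login from this IP"
        if self.clock() - seen > self.window:
            del self.pop_seen[addr]  # expired entries must not linger
            return False, "POP login expired"
        return True, "recent POP login"


def demo():
    now = [0.0]  # constructed clock so the example runs instantly
    policy = RelayPolicy(["192.0.2.0/24"], window_seconds=600,
                         clock=lambda: now[0])
    results = [policy.may_relay("192.0.2.17"),    # provider's own range
               policy.may_relay("203.0.113.5")]   # outside, never logged in
    policy.record_pop_login("203.0.113.5")        # POP login at t=0
    now[0] = 300
    results.append(policy.may_relay("203.0.113.5"))  # inside the window
    now[0] = 901
    results.append(policy.may_relay("203.0.113.5"))  # window has passed
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The permission is tied to the address, not the user: every client behind the same IP (a shared NAT or proxy) can relay during the window, which is the gap that per-session SMTP authentication closes.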