On 16-Jun-2000 [EMAIL PROTECTED] wrote:
> I've never really used anything other than my office's dedicated email 
> program (which does not allow changing the FROM: field near as I know), AOL, 
> which allows made up screen names but can't alter the domain name, and free 
> e-mail services on the net, which limit you to the, say, hotmail.com domain 
> name.  I've never used Eudora or any other program....can one really, fully 
> alter the FROM: address to make it, say, in the classic example,  
> [EMAIL PROTECTED]?  And when you say "easily," how easy is it? 

If you think about it, the From: header can never be trusted, assuming you are
in the SMTP/POP3 world.  When you set up the mail client, it asks your email
address.  The SMTP session does not include authentication, and does not
require a valid user on the SMTP server for transmission of the message.  If
you had to log in as <user>@<mail_server> to send the message, some form of
From: header authentication would occur, but you don't do that.  

The From: header isn't even really noticed or cared about by the mail transport
agent (i.e., sendmail, postfix, etc.).

It seems to me that the ease with which one can forge the From header has to do
with ease-of-use -- virtual hosting for smaller businesses or personal domains
and whatnot would be more difficult, and sending mail from a friend's account so
that replies would automatically come to your mailbox would be much harder.

Also, messages can be tracked easily without valid From headers.

The worst aspect of the ease of forging From headers, I think, is how hard it
is to explain them to victims of spam.

-Todd
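
The following is an added example, not part of the original message: a small Python triage helper that reads the From: header separately from the envelope sender (Return-Path) and the Received chain, which is what makes a message traceable without a valid From: header. The sample message, hosts and addresses are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). Hosts and addresses use
# reserved example domains and documentation IP ranges.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with SMTP id A1; Fri, 16 Jun 2000 10:00:02 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with SMTP id B2; Fri, 16 Jun 2000 10:00:01 -0400
From: "Help Desk" <support@example.com>
To: user@example.org
Subject: test

body
"""

def domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Return (from_host, by_host) for each Received header, oldest hop first.

    Each relay prepends its own Received line, so the list is reversed.
    Only lines added by servers you control are trustworthy; anything
    below the first such line was supplied by the sending side.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        words = raw.split()
        frm = words[words.index("from") + 1] if "from" in words else None
        by = words[words.index("by") + 1] if "by" in words else None
        hops.append((frm, by))
    return hops

def triage(raw_message):
    """Summarise who the message claims to be from versus how it arrived."""
    msg = message_from_string(raw_message)
    from_dom = domain(msg.get("From", ""))
    env_dom = domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_dom,          # user-supplied, never verified by SMTP
        "envelope_domain": env_dom,       # recorded by the delivering MTA
        # A mismatch is a signal, not proof: virtual hosting and mailing
        # lists legitimately produce it.
        "mismatch": from_dom != env_dom,
        "hops": received_hops(msg),
    }
```
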
