On Thu, 10 Jan 2002, Henrik Steffen wrote:

> Hi all,
>
> I just tried the following:
>
> On our server there are two domains:
>
> foo.com
> bar.com
>
> Say I am a user at foo.com, e.g. [EMAIL PROTECTED], with a valid SMTP Auth password.
>
> But say I am mean and want to claim to be [EMAIL PROTECTED]. I could simply
> change my e-mail address to [EMAIL PROTECTED], using the same valid SMTP
> Auth password for [EMAIL PROTECTED]. However, the recipient will believe
> I am [EMAIL PROTECTED]. This is a security hazard, isn't it?
>
> I noticed that it is logged correctly in the SMTP log. But you can't
> tell from the mail headers that the email originates from [EMAIL PROTECTED].
> In the headers it says:
>
> Received: from bar.com (111.222.111.33)
> by ibis.city-map.de (62.116.140.188) with [XMail 1.3 (Linux/Ix86) ESMTP Server]
> id <S2238> for <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]>;
That's what headers are for. I could actually claim to be Bill Gates (but sure I won't), and only a look at the headers can let you know. Actually you can fake even the headers, and you have to rely on the IP shown in the last Received to understand whether your MTA is actually receiving the email from a plausible IP. Actually someone could spoof it and you're screwed in any case. The best solution here is to use some form of message authentication with public/private keys (but you still have to be sure to have your PC access well secured :) )

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
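The two checks this exchange turns on, as an added example that is not code from the thread, from XMail, or from either poster. The first function is the server-side rule Henrik is missing: after SMTP AUTH, the MAIL FROM address must be the authenticated user's own address (or one explicitly granted to that user). The second is the header reading Davide describes: walk the Received headers top-down and trust only the one written by your own MTA, since every line below it arrived inside the message and can be forged. The policy, the `extra_allowed` grant table and the sample header list are assumptions of this example; the first sample Received line is the one Henrik quoted, the second is a constructed forgery placed where a sender could inject it.

```python
"""Envelope-sender policy for SMTP AUTH sessions, and a trusted-hop Received-header walk.

Example code written for this thread; it is not XMail's implementation.
"""
import re
from typing import Dict, List, Optional, Set

# First clause of a Received header as XMail writes it:
#   "from <helo-name> (<peer-ip>) by <our-host> (<our-ip>) ..."
_RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def _norm(addr: str) -> str:
    """Strip angle brackets and whitespace, lower-case for comparison."""
    return addr.strip().strip("<>").lower()


def sender_allowed(auth_user: str, mail_from: str,
                   extra_allowed: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Return True if the SMTP AUTH identity may use mail_from as envelope sender.

    Policy (an assumption of this example): MAIL FROM must equal the
    authenticated user's own address, or be listed for that user in
    extra_allowed, e.g. {"alice@foo.com": {"postmaster@foo.com"}}.
    Anything else, including another domain on the same server, is refused;
    that is exactly the alice@foo.com -> bob@bar.com case from the thread.
    """
    user = _norm(auth_user)
    sender = _norm(mail_from)
    if sender == user:
        return True
    granted = {_norm(a) for a in (extra_allowed or {}).get(user, set())}
    return sender in granted


def local_hop(received_headers: List[str], local_host: str) -> Optional[Dict[str, str]]:
    """Return the HELO name and peer IP recorded by our own MTA, or None.

    received_headers is in header order, most recent hop first. Our MTA
    prepends its own Received line when it accepts the connection, so the
    first line (top-down) whose 'by' is local_host is the trustworthy one;
    a forged 'by local_host' line injected by the sender can only appear
    below it and is never reached. Folded continuation lines are collapsed.
    """
    for line in received_headers:
        m = _RECEIVED_RE.match(" ".join(line.split()))
        if m and m.group("by").lower() == local_host.lower():
            return {"helo": m.group("helo"), "ip": m.group("ip")}
    return None


# Constructed sample: line 1 is the header quoted in the thread (addresses
# redacted there, filled with placeholder names here); line 2 is a forged
# Received line a sender could have placed in the message data.
SAMPLE_HEADERS = [
    "Received: from bar.com (111.222.111.33)\n"
    "\tby ibis.city-map.de (62.116.140.188) with [XMail 1.3 (Linux/Ix86) ESMTP Server]\n"
    "\tid <S2238> for <recipient@example.net> from <bob@bar.com>;",
    "Received: from trusted-relay.bar.com (10.0.0.5) by bar.com (10.0.0.1) with ESMTP;",
]

if __name__ == "__main__":
    # The session from the thread: authenticated as alice@foo.com,
    # MAIL FROM:<bob@bar.com>; the policy refuses it.
    print("bob@bar.com allowed for alice@foo.com:",
          sender_allowed("alice@foo.com", "<bob@bar.com>"))
    print("trusted hop:", local_hop(SAMPLE_HEADERS, "ibis.city-map.de"))
```

The header walk tells you who actually connected to your MTA, not whether that host was entitled to speak for bar.com; answering that needs the kind of sender authentication Davide points at (signed mail, or today SPF/DKIM-style checks), which this example does not attempt.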
