Not to beat a dead horse, but an e-mail user anywhere in the world can send e-mail to your users and say he is Jesus if he wants to. There is nothing to stop him. This isn't an IMail problem, but the way mail systems work. If you have valid users on a mail server, and I know their e-mail addresses, then I can send them mail. Period. Your reference to authentication does not apply as that refers to a user passing credentials to your mail server to use your mail server to send mail to anyone, not just to your users.
Jason

----- Original Message -----
From: "Arthur Donchey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 24, 2003 10:50 AM
Subject: RE: OSRELAY:Re: [IMail Forum] SMTP Problem (conclusion)!

>
> I have been reading this thread and have been working on a similar problem.
> We have 'No Relay' enabled and all users use AUTH to send mail out. The
> problem is some spammers (and email worms) are using the same 'to:' address
> as the 'from:' address without being authenticated. Looking in the logs and
> doing some testing I have found that I can send a message from the
> 'postmaster@' to all local users (if I know their username) without
> authenticating. I understand that if the email is for a local user that
> IMail should try to deliver to that local user, but it should NOT allow
> someone to impersonate any local users (or alias). I think that if
> authentication is required for all outbound messages it should be required
> for ALL messages, despite any interpretation of the RFC. From what I have
> read there is nothing outside of a third party SMTP server that will stop
> this within IMail. Am I correct? If not please tell me.
>
> Maybe it could be a new function in the next version of IMail.
>
> ps. Imail version 7.14 hf 2.
>
>
> Arthur Donchey, CISSP
>
> V.P. Griffen & Assoc.
> http://www.vpga.com
>
> Skyline Internet Inc.
> http://www.skylineinternet.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Monday, February 24, 2003 10:28 AM
> To: [EMAIL PROTECTED]
> Subject: Re: OSRELAY:Re: [IMail Forum] SMTP Problem (conclussion)!
>
>
>
> >1- "Anyone" here means the person who has not real account on my mail
> >server...
> >2- He connected to the internet using my ISP that means with IP address
> >listed in my SMTP relay for addresses.
>
> In that case, you can't safely use "Relay for Addresses."
>
> When you use "Relay for Addresses", you are saying "Anyone from these IPs
> (or anyone with the password to an account on the server) may send outgoing
> E-mail through our mailserver". If the spammer comes from one of those
> IPs, he will be able to spam, per your instructions.
>
> If a spammer may be using one of the IPs that your customers use, the best
> option is to force your customers to use SMTP AUTH.
>
> >3- He opened his Outlook express and configured a new account named
> >"spammer" which is not on my mail server and configured his outgoing mail
> >server as: Mail.MyDomain.Com
> >and start sending from it to my local users....
>
> There is *no* way to stop that. Even if IMail could authenticate the
> *return address* (which it does not; this was brought up last week), the
> spammer could just use some other return address and still spam your users.
>
> There just isn't any easy way for a computer to detect that the person
> sending that mail was a spammer as opposed to someone sending you
> legitimate mail. It looks the same to IMail as if the spammer used an open
> relay as their outgoing mail server.
>
> >this is the case Scott in brief.....
> >The account [EMAIL PROTECTED] does not exist on my mail server, however
> >it's able to use my SMTP to send emails to the local users, while I
> >prevented it from sending to outer users...
> >How to prevent such case...
>
> With spam control software. That's the *only* way to block mail going to
> your users. In this case, you could block the "[EMAIL PROTECTED]"
> return address in the IMail SMTP Kill List. Or you could buy anti-spam
> software.
>
> >why [EMAIL PROTECTED] can send to my local users...
> >It's not a real account.... It cannot authenticated from my server.. then
> >how it works and how it access my local users?????
>
> Because IMail (like most, but not all, other mailservers) doesn't check
> what the return address is. Note that there are a *lot* of people who use
> IMail as their mailserver who send out mail with accounts that aren't on
> the IMail server (I knew of the CEO of a company who preferred to send mail
> with his @aol.com address rather than the company's domain name, for
> example).
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no
> annual licensing fees.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
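
The acceptance rules discussed in this thread, as an added example that is not part of the original messages and is not IMail's code: `decide` models local delivery, "Relay for Addresses" and SMTP AUTH for one MAIL FROM / RCPT TO pair. The `reject_unauth_local_sender` switch is a hypothetical stand-in for the rule Arthur asks for, and all domains and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    local_domains: set
    relay_networks: list = field(default_factory=list)  # "Relay for Addresses"
    # Hypothetical switch for the rule Arthur asks for; not an IMail setting.
    reject_unauth_local_sender: bool = False


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def decide(policy, client_ip, authenticated, mail_from, rcpt_to):
    """Return (verdict, reason) for one MAIL FROM / RCPT TO pair."""
    sender_local = domain_of(mail_from) in policy.local_domains
    rcpt_local = domain_of(rcpt_to) in policy.local_domains
    ip_trusted = any(ip_address(client_ip) in ip_network(net)
                     for net in policy.relay_networks)
    if policy.reject_unauth_local_sender and sender_local and not authenticated:
        return "reject", "local sender address without SMTP AUTH"
    if rcpt_local:
        # Ordinary inbound mail: the return address is not verified.
        return "accept", "local delivery"
    if authenticated:
        return "accept", "relay for authenticated user"
    if ip_trusted:
        # Anyone on these networks may relay, whether or not they have an account.
        return "accept", "relay for trusted address"
    return "reject", "relaying denied"


# Constructed sample values (reserved documentation domains and address ranges).
LOCAL = {"mydomain.example"}
BY_IP = Policy(LOCAL, relay_networks=["192.0.2.0/24"])
AUTH_ONLY = Policy(LOCAL)
STRICT = Policy(LOCAL, reject_unauth_local_sender=True)

if __name__ == "__main__":
    forged = ("203.0.113.5", False, "postmaster@mydomain.example", "alice@mydomain.example")
    other = ("203.0.113.5", False, "someone@elsewhere.example", "alice@mydomain.example")
    outbound = ("192.0.2.10", False, "spammer@mydomain.example", "bob@elsewhere.example")
    for name, pol in (("by-ip", BY_IP), ("auth-only", AUTH_ONLY), ("strict", STRICT)):
        for case in (forged, other, outbound):
            print(name, case[2], "->", case[3], decide(pol, *case))
```

Under the strict policy the forged `postmaster@` message is rejected, but the same message with any non-local return address is still accepted for local delivery, which is the limit Scott describes.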
