> It's hard to believe that from a programming standpoint that IMail
> couldn't verify the sender's "reply to" and "mailed from" fields to
> see if these email addresses exist within the Imail
> Administrator/registry.

This will make no difference if the message is sent both FROM and TO servers that you don't control. That's the traditional Joe Job method.

> Imail knows what email addresses have been created on this server,
> therefore why could it not conceivably verify these addresses to see
> if they are Joe Jobs before they are sent from my server?

Well, they are not usually sent from your server. If somebody really wants to hurt you, they won't use your server to do it, unless the idea is to directly discredit your IP address, not simply your domain and/or your corporate image. True, if they do have AUTH creds on your server, that will enable them to circumvent SPF, not that SPF is such a fearsome force right now! But sending through your server makes them much more liable to get caught and prosecuted, as you'll have logs and thus some way of tracking them down.

> You mention SPF... funny, but in a SPF discussion list that I am a
> member of I am personally being ridiculed for my inability to
> prevent mailfrom forgeries, Joe Jobs, and cross-user forgeries.

Ridiculed?. . . well, that's sad. I still keep my SPF-Discuss e-mails for the technical info, but I mark them as read automatically so as not to be distracted by the foolishness on that list.

> But that's not what I am referring to. I'm not interested in what
> other MTAs do. I simply want to prevent my own customers from
> signing into my IMail server with a username/password and then
> sending email with an invalid "reply to" / "mailed from" data.

To do this, you'll need to (a) upgrade your IMail version and (b) write a script to match up the AUTH username with the MAIL FROM username. Unless this was added in 8.2, it isn't a built-in test. Now, there's no good reason for it not to be an _option_, but bear in mind that non-matching AUTH and MAIL FROM accounts do not 100% indicate malfeasance. One has to allow for whitelisting this test for various reasons.

Note that IMail 8.x does include the ability to check for valid local MAIL FROM addresses, preventing the use of fake local accounts when submitting locally.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
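
The AUTH-to-MAIL FROM match discussed in the message above, with its allowlist exceptions and the valid-local-sender check, can be sketched as follows. This is an added example, not part of the original post and not IMail code; the function names, accounts, domains and allowlist are constructed, and it assumes the AUTH username is a full mailbox address.

```python
# Added illustration; not IMail code. All accounts and domains are constructed.
LOCAL_DOMAINS = {"example.com"}
LOCAL_MAILBOXES = {"alice@example.com", "bob@example.com", "sales@example.com"}
# Exceptions: AUTH account -> additional envelope senders it may use.
ALLOWED_EXTRA = {"alice@example.com": {"sales@example.com"}}


def envelope_sender(mail_from_arg):
    """Extract the lowercased address from a MAIL FROM argument such as
    '<Bob@Example.com> SIZE=1024'. Returns '' for the null sender '<>'."""
    arg = mail_from_arg.strip()
    if arg.startswith("<") and ">" in arg:
        arg = arg[1:arg.index(">")]
    else:
        arg = arg.split()[0] if arg else ""
    return arg.strip().lower()


def check_submission(auth_user, mail_from_arg):
    """Return (accept, reason) for one authenticated submission."""
    auth = auth_user.strip().lower()
    sender = envelope_sender(mail_from_arg)
    if not sender:
        # Null sender claims no identity, so there is nothing to match
        # (policy choice in this sketch).
        return True, "null-sender"
    if sender == auth:
        return True, "match"
    if sender in ALLOWED_EXTRA.get(auth, set()):
        return True, "allowlisted"
    domain = sender.rpartition("@")[2]
    if domain in LOCAL_DOMAINS and sender not in LOCAL_MAILBOXES:
        # Local domain, but no such mailbox: a fake local account.
        return False, "unknown-local-sender"
    return False, "auth-mismatch"


if __name__ == "__main__":
    # Constructed (AUTH user, MAIL FROM argument) pairs.
    for auth, arg in [("alice@example.com", "<sales@example.com> SIZE=2048"),
                      ("bob@example.com", "<sales@example.com>"),
                      ("bob@example.com", "<ceo@example.com>")]:
        print(auth, arg, check_submission(auth, arg))
```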
