+++ Rohit Sharma [linux-india] <01/12/01 17:20 +0530>:
> well ... I have found one flaw ... and playing with it for quite a long time
> now ...
> and the working of it goes like this ....
> In one line ::
> Yahoo pop mail server can maintain session for smtp servers , so smtp
> servers can relay the mail without authentication . ( sounds weird but it
> does )

This is pop before smtp. There is a window of about 10..15 minutes where you
can relay through the smtp server from that IP, using your own yahoo account
(not any random thing in the envelope-from) once you check your yahoo pop
account.

> any authentication when sending any mail . no user name or passwd at all. but
> when you try without authentication it will prompt for a username and passwd
> ..

AUTH is also supported, I believe. Not a security hole at all.

> On top of that when after authenticating to the pop mail servers if I send
> a mail from their smtp server with telnet
> with simple commands like
> helo whatever
> mail from:<...>
> rcpt to:<[EMAIL PROTECTED]> // yahoo id only
> data
> ...
> so if you have a yahoo mail ID then you have no way of determining
> my/sender's actual source domain ... other than my IP (which can keep on

Your IP is logged, right?

> changing and no way to track me in case i have a dial up account .) ...it's

Ummm... VSNL or any other dialup ISP can easily track you - RADIUS / TACACS
logs to pull down your username (hence your contact information) and also the
phone number you are dialing in from.

> account . in hotmail at least the reply path shows the origination (only when
> you read the headers) but a guy who is a novice and does not know about the
> headers has no way of determining the user@domain .
> now you can not expect spamming from yahoo's branded servers this way .

This is a feature of [E]SMTP. Even for newbies, there's stuff like
http://www.spamcop.net if a newbie wants to trace the headers.

	-srs

-- 
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
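
Added example, not part of the original thread and not any real mail server's code: a small model of the POP-before-SMTP behaviour described in the reply, showing the relay grant bound to the client IP, the time window, the envelope-from check, and the audit trail that ties a relayed message back to an account. The class and method names, the 15-minute constant, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: upper end of the "10..15 minutes" window mentioned in the reply.
RELAY_WINDOW_SECONDS = 15 * 60


@dataclass
class PopBeforeSmtp:
    """Hypothetical relay-authorization table shared by a POP3 and an SMTP daemon."""
    # client IP -> (authenticated account, time of last successful POP login)
    grants: dict = field(default_factory=dict)
    # every relay decision: (time, ip, account, envelope_from, allowed)
    audit: list = field(default_factory=list)

    def pop_login_ok(self, ip: str, account: str, now: float) -> None:
        # Called after a successful POP3 login: opens the relay window for this IP.
        self.grants[ip] = (account.lower(), now)

    def may_relay(self, ip: str, envelope_from: str, now: float) -> bool:
        # Called at MAIL FROM: relay only inside the window, and only when the
        # envelope-from is the account that authenticated over POP from this IP.
        account, seen = self.grants.get(ip, (None, 0.0))
        expired = account is not None and now - seen > RELAY_WINDOW_SECONDS
        allowed = (account is not None and not expired
                   and envelope_from.lower() == account)
        if expired:
            del self.grants[ip]  # drop the stale grant
        self.audit.append((now, ip, account, envelope_from, allowed))
        return allowed

    def who_sent(self, ip: str, when: float):
        # Map the IP and timestamp from a Received: header back to an account.
        for ts, a_ip, account, _sender, allowed in self.audit:
            if allowed and a_ip == ip and abs(ts - when) < 1:
                return account
        return None


if __name__ == "__main__":
    # Constructed sample: documentation IP range and example domains.
    srv = PopBeforeSmtp()
    srv.pop_login_ok("192.0.2.10", "alice@mail.example", now=100)
    print(srv.may_relay("192.0.2.10", "alice@mail.example", now=400))    # in window
    print(srv.may_relay("192.0.2.10", "other@else.example", now=400))    # wrong sender
    print(srv.may_relay("192.0.2.10", "alice@mail.example", now=1200))   # window expired
    print(srv.who_sent("192.0.2.10", when=400))
```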
