Excerpts from Justin Skazat's message of Tue Jan 05 17:32:25 -0500 2010:
> > But that can already easily be done, I can just put
> >
> > From: You <m...@example.com>
> >
> > in my email headers.
>
> OK - what should I do about that? What's the general wisdom to help thwart
> that? Use the Sender: header? Both? Something more fancy?
If you are relying on From (or Sender) headers for access control, you have already lost. Almost every part of the email header and SMTP transaction can be faked by a malicious user. If you want authentication, you'll need to either write your own layer on top of it (e.g. PGP signing, secure per-user recipient addresses) or use a gateway in front of your mail processor that does it (e.g. IP-based filtering in your MTA, SASL auth).

hdp.
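The "secure per-user recipient addresses" option from the reply above, as an added example (not code from this thread): each user is handed an address whose local part carries an HMAC tag, and the processor authorizes on the envelope recipient the MTA hands it, never on From: or Sender:. The secret key, the `list+` prefix, the domain and the `process()` shape are assumptions for the illustration.

```python
import email
import hashlib
import hmac
from typing import Optional

# Constructed example secret; a real deployment loads this from a secrets store (assumption).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
DOMAIN = "example.com"
TAG_LEN = 20  # hex chars of the HMAC kept in the address


def _tag(user_id: str) -> str:
    return hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_recipient_address(user_id: str) -> str:
    """Per-user address: only someone who was given it can reach this user's path."""
    return f"list+{user_id}-{_tag(user_id)}@{DOMAIN}"


def authenticate_recipient(envelope_rcpt: str) -> Optional[str]:
    """Return the user_id bound to an envelope recipient, or None.

    envelope_rcpt must come from the MTA's RCPT TO (e.g. passed as an argument to
    the processor), not from a header inside the message, which the sender controls."""
    local, sep, domain = envelope_rcpt.partition("@")
    if not sep or domain.lower() != DOMAIN or not local.startswith("list+"):
        return None
    user_id, sep2, tag = local[len("list+"):].rpartition("-")
    if not sep2 or not user_id:
        return None
    # Constant-time comparison so tag guessing gains nothing from timing.
    if not hmac.compare_digest(tag, _tag(user_id)):
        return None
    return user_id


def process(raw_message: bytes, envelope_rcpt: str) -> dict:
    """Show the two values side by side: what the sender claims vs. what we trust."""
    msg = email.message_from_bytes(raw_message)
    return {
        "claimed_from": msg.get("From", ""),            # attacker-controlled, informational only
        "authenticated_user": authenticate_recipient(envelope_rcpt),  # the only thing acted on
    }


if __name__ == "__main__":
    # Constructed message spoofing the From: header exactly as the question describes.
    spoofed = b"From: You <m...@example.com>\r\nSubject: hi\r\n\r\nbody\r\n"
    print(process(spoofed, make_recipient_address("alice")))   # authenticated_user: 'alice'
    print(process(spoofed, "list+alice-deadbeef@example.com"))  # authenticated_user: None
```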