On Oct 20, 2006, at 8:14 PM, Rick Romero wrote:
I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.
I don't know if it came up in the original thread, but enforcing that
Update, in case anyone cares.
'Security' company doesn't know the difference between 'MAIL FROM:' and
'From:'. Not only do they not run their own mail server (supposedly to
'prevent any attacks from that vector'), their ISP's mail server
actually creates a From: header from the Return-Path:
Hi All,
I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.
I just can't fathom how that is.
As I understand it, MAIL FROM is only used for returning undeliverable
mail. So, yes,