Title: Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts

On Wed, 2004-06-09 at 00:13, Devendra Singh wrote:
> At 08/06/04 11:41 (), Tom Collins wrote:
> >On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> >>I would like to re-frame my Subject: "SMTP Authenticated user is
> >>able to impersonate anyone in rcpthosts".
> >
> >You could re-frame it even more.  Authenticated SMTP users can use
> >any FROM address and submit mail for any host.
> >
> >Some clients may have multiple from addresses going through a single
> >authenticated session.  Limiting them to the address they
> >authenticated as may be too strict.  Including it in the Received
> >header is probably a more useful option.
>
> Dear Tom,
>
> Thanks that you understood. (Sorry, the issue is not related to
> Vpopmail, but may be of interest to most).
>
> Including the authenticated ID in the Received header is good, but
> still it would not be able to stop the menace of spamming from your
> own users (who is going to monitor the logs of mails sent by users?).
> Also, in the days of virus outbreaks and users having passwords saved
> in their Outlook Express, the feature can be a saviour.
>
> BTW, Shouguan Lin had pointed to a link
> http://night.rdslink.ro/dudu/qmail/ with features
>
>          o       Added my own patch, that checks whether the 'mail from'
>                  value is different from the username used for SMTP AUTH,
>                  thus preventing source address spoofing. Useful for ISP's
>                  that only relay mails from authenticated users.
>          o       The 'mail from' verification is now configurable through
>                  a knob defined in /var/qmail/control/spoofcheck or in the
>                  environment variable $SPOOFCHECK
>
> But, this is part of a unified patch which is a difficult situation
> for me.
>
> It's my request to Dr Erwin Hoffmann through this list that if he adds
> the feature into his authentication patch, which is also included in
> the Vpopmail contrib, we all would be benefited.
>
This is problematic for ISP customers whose ISPs block outbound port 25,
therefore forcing relaying through their servers, but who also have a
vanity domain or similar provided by a third party. ISPs would then be
disallowing any form of sending mail with that From: field, which is
pretty bogus.
Many of these so-called anti-spam measures are approaching throwing not
just the baby out with the bathwater, but the entire tub.
Why don't I reiterate the question Jeremy Kitchen so accurately asked,
"What problem are you solving?". "Forged" From fields serve a
legitimate purpose, just like doing the same in the To field can (think
BCC mailing lists with "Undisclosed Recipients" in the To). Yes,
spammers abuse this, as do virus writers.
I definitely recommend this "functionality" be made optional, hard to
turn on, and as unadvertised as possible. Those few people who know
they'd benefit and not suffer can then find it, and those people who
think they'd benefit but wouldn't realize the consequences wouldn't
clobber their users.

Nick Harring
Webley Systems
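The check described in the quoted feature list (reject MAIL FROM when it differs from the SMTP AUTH identity) and the objection raised above (customers relaying through their ISP but sending as a third-party vanity domain) can both be seen in one small policy model. The following is an added example written for this thread; it is not the dudu/qmail patch, not vpopmail code, and not Erwin Hoffmann's auth patch. The mode names, the per-user allow-list map and the `received_header()` format are this example's own assumptions; the real patch reads its knob from /var/qmail/control/spoofcheck or $SPOOFCHECK, whose exact values are not reproduced here.

```python
"""Model of an SMTP AUTH sender check (added example, not qmail/vpopmail code).

Three hypothetical modes:
  OFF       - stock behaviour: any MAIL FROM for an authenticated user
  STRICT    - MAIL FROM must equal the AUTH identity (the patch as described)
  ALLOWLIST - STRICT, plus extra senders configured per user (the knob a
              practitioner would want before turning this on at an ISP)
"""
import re
from typing import Dict, Iterable, Optional

OFF, STRICT, ALLOWLIST = "off", "strict", "allowlist"

# Accepts "user@host" or "<user@host>"; rejects anything with whitespace or
# stray brackets so a malformed argument fails closed.
_ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def normalize(addr: str) -> Optional[str]:
    """Strip angle brackets and lower-case the domain.

    RFC 5321 makes the domain case-insensitive but not the local part, so
    only the domain is folded. Returns None for an unparsable argument.
    """
    m = _ADDR_RE.match(addr.strip())
    if not m:
        return None
    return f"{m.group(1)}@{m.group(2).lower()}"


def sender_allowed(auth_user: str, mail_from: str, mode: str,
                   allowed: Optional[Dict[str, Iterable[str]]] = None) -> bool:
    """Decide whether an authenticated session may issue MAIL FROM:<mail_from>.

    auth_user: identity that passed SMTP AUTH (full address for virtual users)
    allowed:   hypothetical per-user allow-list, e.g. a customer's vanity
               domain address, consulted only in ALLOWLIST mode
    The null return path (<>) is always accepted: it is what bounces use and
    it cannot impersonate a human sender.
    """
    if mode == OFF:
        return True
    if mail_from.strip() in ("", "<>"):
        return True
    sender = normalize(mail_from)
    user = normalize(auth_user)
    if sender is None or user is None:
        return False          # fail closed on garbage
    if sender == user:
        return True
    if mode == ALLOWLIST and allowed:
        permitted = {normalize(a) for a in allowed.get(user, ())}
        permitted.discard(None)
        return sender in permitted
    return False


def received_header(auth_user: str, helo: str, client_ip: str,
                    me: str, date: str) -> str:
    """Tom Collins's alternative: record the AUTH identity in Received:.

    Layout is this example's own (modelled loosely on qmail's Received:
    line); it does not reproduce any particular patch's exact format.
    """
    return (f"Received: from {helo} ({client_ip}) by {me} with ESMTPA "
            f"(authenticated as {auth_user}); {date}")


if __name__ == "__main__":
    # Constructed sample: alice authenticates as her ISP mailbox but also
    # sends as her vanity domain hosted elsewhere.
    vanity = {"alice@isp.example": ["alice@vanity.example"]}
    for mode in (OFF, STRICT, ALLOWLIST):
        print(mode,
              sender_allowed("alice@isp.example", "<alice@vanity.example>",
                             mode, vanity))
    print(received_header("alice@isp.example", "laptop.lan", "192.0.2.10",
                          "mx.isp.example", "9 Jun 2004 00:13:00 -0000"))
```

STRICT mode is the behaviour Devendra asks for and the one Nick objects to: the vanity-domain sender is refused. ALLOWLIST shows the cost of making it usable at an ISP, a per-customer list that someone has to maintain, which is why the reply argues the knob should ship off. Postfix exposes the same idea as `reject_authenticated_sender_login_mismatch` driven by `smtpd_sender_login_maps`, where the map is that allow-list.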
