I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
I just can't fathom how that is.
As I understand it, MAIL FROM is only used for returning undeliverable
mail. So, yes, I'm sure we've all been joe-jobbed, but he's talking
about on my own server. Since I'm using tcpserver, I really have total
control over what would be a 'local joe-job'.
Supposedly it'll be in the pen-test report, but I haven't even been
given a theoretical on how this is an issue.
Can anyone else come up with one?