Update, in case anyone cares.
'Security' company doesn't know the difference between 'MAIL FROM:' and 'From:'. Not only do they not run their own mail server (supposedly to 'prevent any attacks from that vector'), their ISP's mail server actually creates a From: header from the Return-Path: if the From: header is left out. Not that I have intimate knowledge of all mail servers, but I've never heard of that.

So after going through all this, they now believe qmail "doesn't work like the rest of the internet". Of course, they'll still continue to verify 'spoofing' by testing via MAIL FROM: (because, supposedly, everyone else passes) - not realizing they will never have an accurate result. It's pretty much a given that From: will exist, negating their test entirely.

I guess I learned today anyone can do pen testing, as long as you find enough scripts posted on websites.

Just thought I'd finish this 'thread' in case anyone was wondering or comes across it again.


Rick Romero wrote:
Hi All,

I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.

I just can't fathom how that is.
As I understand it, MAIL FROM is only used for returning undeliverable
mail.  So, yes, I'm sure we've all been joe-jobbed, but he's talking
about on my own server.  Since I'm using tcpserver, I really have total
control over what would be a 'local joe-job'.

Supposedly it'll be in the pen-test report, but I haven't even been
given a theoretical on how this is an issue.
Can anyone else come up with one?
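
The distinction the thread turns on, as an added example that is not part of the original posts: this Python sketch separates the envelope sender (MAIL FROM) from the From: header in two constructed SMTP dialogues, and models a relay that fills in a missing From: from the Return-Path, as the update describes. The addresses, function names and the `synthesize_missing_from` switch are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client-side SMTP dialogues (not captured traffic); example.* are placeholders.
PROBE_NO_FROM = (
    "MAIL FROM:<alice@example.com>\nRCPT TO:<bob@example.com>\nDATA\n"
    "Subject: probe\n\nbody\n.\n"
)
NORMAL_MAIL = (
    "MAIL FROM:<bounces@list.example.net>\nRCPT TO:<bob@example.com>\nDATA\n"
    "From: Alice <alice@example.com>\nSubject: hello\n\nbody\n.\n"
)

def split_session(session):
    """Return (envelope_sender, parsed_message) from a client-side dialogue."""
    head, _, data = session.partition("\nDATA\n")
    m = re.search(r"^MAIL FROM:\s*<([^>]*)>", head, re.I | re.M)
    envelope = m.group(1) if m else None
    # Drop the terminating "." line that ends the DATA phase.
    return envelope, message_from_string(data.removesuffix(".\n"))

def displayed_from(session, synthesize_missing_from=False):
    """Address a mail client would show as the author, and where it came from.

    synthesize_missing_from models the relay described in the update, which
    builds a From: header out of the Return-Path when the sender omitted one.
    """
    envelope, msg = split_session(session)
    header = parseaddr(msg.get("From", ""))[1]
    if header:
        # A From: header is present, so the envelope sender only decides
        # where bounces go; it has no effect on the displayed author.
        return header, "From: header"
    if synthesize_missing_from and envelope:
        return envelope, "synthesized from MAIL FROM"
    return None, "no From: header"

if __name__ == "__main__":
    for name, session in (("probe", PROBE_NO_FROM), ("normal", NORMAL_MAIL)):
        for synth in (False, True):
            print(name, "synthesize" if synth else "pass-through",
                  split_session(session)[0], displayed_from(session, synth))
```

Only the header-less probe sent through the synthesizing relay shows the MAIL FROM address to the reader; with a From: header present, the two values are independent.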

