Wouldn't it be nice to have the smtp-auth user somewhere in the headers?

Davide Libenzi wrote:
>
> On Thu, 10 Jan 2002, Henrik Steffen wrote:
>
> > Hi all,
> >
> > I just tried the following:
> >
> > on our server there are two domains:
> >
> > foo.com
> > bar.com
> >
> > Say, I am user at foo.com - e.g. [EMAIL PROTECTED] with a valid SMTP Auth password.
> >
> > But say, I am mean and want to claim to be [EMAIL PROTECTED] I could simply
> > change my eMail-Address to [EMAIL PROTECTED], using the same valid SMTP
> > Auth password for [EMAIL PROTECTED] However, the recipient will believe
> > I am [EMAIL PROTECTED] . This is a security hazard, isn't it?
> >
> > I noticed, that it is logged correctly into the smtp-log. But you can't
> > tell from the mail-headers, that the email originates from [EMAIL PROTECTED]
> > In the headers it says:
> >
> > Received: from bar.com (111.222.111.33)
> >     by ibis.city-map.de (62.116.140.188) with [XMail 1.3 (Linux/Ix86) ESMTP Server]
> >     id <S2238> for <[EMAIL PROTECTED]> from <[EMAIL PROTECTED]>;
>
> That's what headers are for. I could actually claim to be Bill Gates ( but
> sure I won't ) and only a look at the headers can let you know.
> Actually you can fake even the headers and you've to rely on the IP shown
> in the last received to understand if your MTA is actually receiving the
> email from a plausible IP. Actually someone could spoof it and you're
> screwed in any case.
> The best solution here is to use some form of message authentication with
> public/private keys ( but you've still to be sure to have your pc access
> well secured :) )
>
> - Davide
>
> -
> To unsubscribe from this list: send the line "unsubscribe xmail" in
> the body of a message to [EMAIL PROTECTED]
> For general help: send the line "help" in the body of a message to
> [EMAIL PROTECTED]

--
Best regards

Henrik Steffen
Managing Director

top concepts Internetmarketing GmbH
Am Steinkamp 7 - D-21684 Stade - Germany
--------------------------------------------------------
http://www.topconcepts.com          Tel. +49 4141 991230
mail: [EMAIL PROTECTED]             Fax. +49 4141 991233
--------------------------------------------------------
24h-Support Hotline: +49 1908 34697 (€ 1.86/Min,topcon)
--------------------------------------------------------
System partners wanted: http://www.franchise.city-map.de
--------------------------------------------------------
Commercial register: AG Stade HRB 5811 - VAT ID: DE 213645563
--------------------------------------------------------
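
The mismatch discussed in this thread (a valid SMTP AUTH login used with a different sender address) can be checked on the server side by comparing the authenticated login with the envelope sender. The following is an added example, not part of the original messages and not XMail code; the session record layout, the account names and the alias table are assumptions constructed for illustration.

```python
# Added example: flag authenticated submissions whose envelope sender
# does not belong to the login that authenticated.
# The records below are constructed; this is NOT XMail's smtp-log format.

# Hypothetical policy table: extra sender addresses a login may use.
ALLOWED_ALIASES = {
    "alice@foo.com": {"sales@foo.com"},
}

def normalize(addr):
    """Strip angle brackets and lower-case; '' for a null or malformed address."""
    spec = addr.strip().strip("<>").strip().lower()
    # Lower-casing the local part is a policy choice made here for matching.
    return spec if spec.count("@") == 1 and " " not in spec else ""

def sender_permitted(auth_user, mail_from, aliases=ALLOWED_ALIASES):
    """True if the MAIL FROM address is the login itself or a listed alias."""
    auth = normalize(auth_user)
    sender = normalize(mail_from)
    if not auth or not sender:
        # An authenticated submission is expected to carry a real sender.
        return False
    return sender == auth or sender in aliases.get(auth, set())

def audit(sessions):
    """Return the sessions whose envelope sender does not match the login."""
    return [s for s in sessions
            if not sender_permitted(s["auth_user"], s["mail_from"])]

# Constructed sample sessions for the two domains named in the thread.
SESSIONS = [
    {"id": "S0001", "auth_user": "alice@foo.com", "mail_from": "<alice@foo.com>"},
    {"id": "S0002", "auth_user": "alice@foo.com", "mail_from": "<Sales@FOO.com>"},
    {"id": "S0003", "auth_user": "alice@foo.com", "mail_from": "<bob@bar.com>"},
    {"id": "S0004", "auth_user": "alice@foo.com", "mail_from": "<>"},
]

if __name__ == "__main__":
    for s in audit(SESSIONS):
        print(f"{s['id']}: login {s['auth_user']} sent as {s['mail_from']}")
```

The same comparison can be applied at submission time to reject the message, or after the fact over log records to find past mismatches.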
