[FX.php List] [OFF] Sending php mail as anyone(?!)

Steve Winter steve at bluecrocodile.co.nz
Thu Jul 31 00:51:35 MDT 2008


Hi Joel,

What you're missing is that the mail server you're using to send these 
messages is poorly configured and is an open relay... in the world of 
SPAMing this is a very good thing, in the world of internet security it is a 
very BAD thing...!! Assuming that this mail server is publicly accessible, 
then the mail server owner needs to make some changes pretty swiftly...

Essentially, if a mailserver isn't configured correctly, it can be used to 
send mail as anyone that the user of that server likes, as you have 
discovered, and therefore yip, you could post 500 word replies appearing to 
be ggt... :-)

Most mail servers these days use at least one of, and in many instances a 
combination of, approaches like:
    pop before smtp - a user must have successfully checked for mail within 
the last x min for them to be able to send mail
    authentication - a user must sign in before sending mail
    IP restrictions - a user must have a specific IP address, or be within 
an IP block to send mail

Essentially what you've just discovered is what the people that send you all 
that SPAM you have to filter out discovered ages ago: there are mail servers 
on the net that are open relays... or they can install their own mail server, 
on their own ISP's connection and send out a truck load of mail...

The blacklists that you mention, and other 'strategies' by ISPs (like port 
23 blocking for 'residential users') have all been attempts to shut down this 
practice, however when all's said and done, it's still woefully easy to find 
open relays...

Cheers
Steve
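
The three relay controls Steve lists, written out as the decision a correctly configured server makes on each RCPT TO command. This is an added illustration in Python, not code from this thread, from FX.php or from any mail server; the local domain, the trusted network and the pop-before-smtp window are constructed values.

```python
import ipaddress
import time

# Constructed policy values for the example (not from the thread).
LOCAL_DOMAINS = {"example.com"}                 # we are the final destination for these
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # "IP restrictions"
POP_WINDOW_SECONDS = 15 * 60                    # "pop before smtp": the "x min" window


def relay_decision(client_ip, authenticated, rcpt_to, recent_pop_logins, now=None):
    """Decide whether to accept a RCPT TO from this client.

    client_ip         -- string address of the connecting SMTP client
    authenticated     -- True if the client completed SMTP AUTH
    rcpt_to           -- recipient address from the RCPT TO command
    recent_pop_logins -- dict: client IP -> epoch time of last successful POP login
    Returns (accept, reason).  An open relay is a server that returns
    True here for every recipient regardless of who the client is; note that
    none of these checks inspect the From header, they only control who may relay.
    """
    now = time.time() if now is None else now
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()

    # Mail for our own domains is delivery, not relaying: always accepted.
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "local delivery"

    # 1. authentication: the client signed in before sending.
    if authenticated:
        return True, "authenticated relay"

    # 2. IP restrictions: the client sits inside a trusted block.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return True, "trusted network relay"

    # 3. pop before smtp: the client checked mail recently from this IP.
    last = recent_pop_logins.get(client_ip)
    if last is not None and now - last <= POP_WINDOW_SECONDS:
        return True, "pop-before-smtp relay"

    # Anything else is a stranger asking us to relay to a third party.
    return False, "relay denied"


if __name__ == "__main__":
    # Constructed sample: an unknown client trying to relay to an outside domain.
    print(relay_decision("203.0.113.5", False, "someone@other.org", {}))
```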



-----Original Message-----
From: Joel Shapiro <jsfmp at earthlink.net>
To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
Date: Wed, 30 Jul 2008 23:41:43 -0700
Subject: [FX.php List] [OFF] Sending php mail as anyone(?!)

Hi all

I'm just starting to look at sending mail via php.  I'm successfully 
sending mail from my development machine via swiftmailer, but I'm 
kinda shocked that it's so easy to send email seemingly from just 
about *anybody's* email address.  Just put it in the 'sender' 
parameter and it arrives looking like it was actually sent by that 
person.

I know there are email blacklists, SMTP authentication, etc., but can 
it really be this simple to send as someone else?  (Is this 
"spoofing"?)  I mean, I could start posting 500-word replies to this 
list as ggt and none of you would even realize they weren't from him, 
right?  (all due respect, ggt ;-)

What am I missing?  Any recommended primers on this crazy scary new 
world?

TIA,
-Joel
