[FX.php List] [OFF] Sending php mail as anyone(?!)

Gjermund Gusland Thorsen ggt667 at gmail.com
Thu Jul 31 01:27:01 MDT 2008


Joel as the psychosecretary?

ggt

2008/7/31 Steve Winter <steve at bluecrocodile.co.nz>:
> Hi Joel,
>
> What you're missing is that the mail server you're using to send these
> messages is poorly configured and is an open relay... in the world of
> SPAMing this is a very good thing, in the world of internet security it is a
> very BAD thing...!! assuming that this mail server is publicly accessible,
> then the mail server owner needs to make some changes pretty swiftly...
>
> Essentially, if a mailserver isn't configured correctly, it can be used to
> send mail as anyone that the user of that server likes, as you have
> discovered, and therefore yip, you could post 500 word replies appearing to
> be ggt... :-)
>
> Most mail servers these days use at least one of, and in many instances a
> combination of, approaches like;
>     pop before smtp - a user must have successfully checked for mail within
> the last x min for them to be able to send mail
>     authentication - a user must sign in before sending mail
>     IP restrictions -  a user must have a specific IP address, or be within
> an IP block to send mail
>
> Essentially what you've just discovered, is what the people that send you
> all that SPAM you have to filter out discovered ages ago, there are mail
> servers on the net that are open relays... or they can install their own
> mail server, on their own ISP's connection and send out a truck load of
> mail...
>
> The blacklists that you mention, and other 'strategies' by ISPs (like port
> 23 blocking for 'residential users') have all been attempts to shut down this
> practice, however when all's said and done, it's still woefully easy to find
> open relays...
>
> Cheers
> Steve
>
> -----Original Message-----
> From: Joel Shapiro <jsfmp at earthlink.net>
> To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
> Date: Wed, 30 Jul 2008 23:41:43 -0700
> Subject: [FX.php List] [OFF] Sending php mail as anyone(?!)
>
> Hi all
>
> I'm just starting to look at sending mail via php.  I'm successfully
> sending mail from my development machine via swiftmailer, but I'm
> kinda shocked that it's so easy to send email seemingly from just
> about *anybody's* email address.  Just put it in the 'sender'
> parameter and it arrives looking like it was actually sent by that
> person.
>
> I know there are email blacklists, SMTP authentication, etc., but can
> it really be this simple to send as someone else?  (Is this
> "spoofing"?)  I mean, I could start posting 500-word replies to this
> list as ggt and none of you would even realize they weren't from him,
> right?  (all due respect, ggt ;-)
>
> What am I missing?  Any recommended primers on this crazy scary new
> world?
>
> TIA,
> -Joel
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
>
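
The three relay restrictions listed in Steve's reply (POP before SMTP, authentication, IP restrictions), sketched as the decision a mail server makes for one recipient. This is an added example, not code from the thread; the RelayPolicy and may_relay names, the addresses and the domains are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RelayPolicy:
    local_domains: set          # domains this server accepts mail for
    trusted_nets: tuple = ()    # IP restrictions: networks allowed to relay
    allow_auth: bool = False    # authentication: signed-in users may relay
    pop_window_s: int = 0       # POP before SMTP window in seconds, 0 = off

    def is_open_relay(self):
        # No restriction configured at all: anyone can relay to anywhere.
        return not (self.trusted_nets or self.allow_auth or self.pop_window_s)

def may_relay(policy, client_ip, rcpt_domain,
              authenticated=False, last_pop_ts=None, now=0):
    """Return (allowed, reason) for one recipient of one SMTP session.

    The claimed sender address is deliberately not an input: these
    controls decide who may use the server, not which name is claimed.
    """
    if rcpt_domain.lower() in policy.local_domains:
        return True, "local delivery"      # not relaying, always accepted
    if policy.is_open_relay():
        return True, "open relay"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.trusted_nets):
        return True, "trusted network"
    if policy.allow_auth and authenticated:
        return True, "authenticated"
    if (policy.pop_window_s and last_pop_ts is not None
            and 0 <= now - last_pop_ts <= policy.pop_window_s):
        return True, "pop-before-smtp"
    return False, "relay denied"

if __name__ == "__main__":
    # Constructed sample configurations (documentation address ranges).
    open_cfg = RelayPolicy(local_domains={"example.org"})
    locked = RelayPolicy({"example.org"}, trusted_nets=("192.0.2.0/24",),
                         allow_auth=True, pop_window_s=600)
    for cfg in (open_cfg, locked):
        print(may_relay(cfg, "203.0.113.9", "example.net"))
```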

