[FX.php List] [OFF] Sending php mail as anyone(?!)

Joel Shapiro jsfmp at earthlink.net
Thu Jul 31 12:06:51 MDT 2008


Hey Steve

Thanks so much for laying out the basics for me.

The production version of this will be sending via a more-restrictive mail server.

Best,
-Joel


On Jul 30, 2008, at 11:51 PM, Steve Winter wrote:

> Hi Joel,
>
> What you're missing is that the mail server you're using to send  
> these messages is poorly configured and is an open relay... in the  
> world of SPAMing this is a very good thing, in the world of  
> internet security it is a very BAD thing...!! assuming that this  
> mail server is publicly accessible, then the mail server owner  
> needs to make some changes pretty swiftly...
>
> Essentially, if a mailserver isn't configured correctly, it can be  
> used to send mail as anyone that the user of that server likes, as  
> you have discovered, and therefore yip, you could post 500 word  
> replies appearing to be ggt... :-)
>
> Most mail servers these days use at least one of, and in many  
> instances a combination of, approaches like:
>     pop before smtp - a user must have successfully checked for  
> mail within the last x min for them to be able to send mail
>     authentication - a user must sign in before sending mail
>     IP restrictions -  a user must have a specific IP address, or  
> be within an IP block to send mail
>
> Essentially what you've just discovered, is what the people that  
> send you all that SPAM you have to filter out discovered ages ago,  
> there are mail servers on the net that are open relays... or they  
> can install their own mail server, on their own ISP's connection and  
> send out a truck load of mail...
>
> The blacklists that you mention, and other 'strategies' by ISPs  
> (like port 23 blocking for 'residential users') have all been  
> attempts to shut down this practice, however when all's said and  
> done, it's still woefully easy to find open relays...
>
> Cheers
> Steve
>
> -----Original Message-----
> From: Joel Shapiro <jsfmp at earthlink.net>
> To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
> Date: Wed, 30 Jul 2008 23:41:43 -0700
> Subject: [FX.php List] [OFF] Sending php mail as anyone(?!)
>
> Hi all
>
> I'm just starting to look at sending mail via php.  I'm successfully
> sending mail from my development machine via swiftmailer, but I'm
> kinda shocked that it's so easy to send email seemingly from just
> about *anybody's* email address.  Just put it in the 'sender'
> parameter and it arrives looking like it was actually sent by that
> person.
>
> I know there are email blacklists, SMTP authentication, etc., but can
> it really be this simple to send as someone else?  (Is this
> "spoofing"?)  I mean, I could start posting 500-word replies to this
> list as ggt and none of you would even realize they weren't from him,
> right?  (all due respect, ggt ;-)
>
> What am I missing?  Any recommended primers on this crazy scary new
> world?
>
> TIA,
> -Joel
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list


