[FX.php List] [OFF] Sending php mail as anyone(?!)

Joel Shapiro jsfmp at earthlink.net
Thu Jul 31 12:12:23 MDT 2008


Exactly!

:-)

Thanks ggt!

-Joel


On Jul 31, 2008, at 12:27 AM, Gjermund Gusland Thorsen wrote:

> Joel as the psychosecretary?
>
> ggt
>
> 2008/7/31 Steve Winter <steve at bluecrocodile.co.nz>:
>> Hi Joel,
>>
>> What you're missing is that the mail server you're using to send these
>> messages is poorly configured and is an open relay... in the world of
>> SPAMing this is a very good thing, in the world of internet security it is a
>> very BAD thing...!! Assuming that this mail server is publicly accessible,
>> then the mail server owner needs to make some changes pretty swiftly...
>>
>> Essentially, if a mailserver isn't configured correctly, it can be used to
>> send mail as anyone that the user of that server likes, as you have
>> discovered, and therefore yip, you could post 500 word replies appearing to
>> be ggt... :-)
>>
>> Most mail servers these days use at least one of, and in many instances a
>> combination of, approaches like:
>>     pop before smtp - a user must have successfully checked for mail within
>>         the last x min for them to be able to send mail
>>     authentication - a user must sign in before sending mail
>>     IP restrictions - a user must have a specific IP address, or be within
>>         an IP block to send mail
>>
>> Essentially what you've just discovered is what the people that send you
>> all that SPAM you have to filter out discovered ages ago: there are mail
>> servers on the net that are open relays... or they can install their own
>> mail server, on their own ISP's connection and send out a truck load of
>> mail...
>>
>> The blacklists that you mention, and other 'strategies' by ISPs (like port
>> 23 blocking for 'residential users') have all been attempts to shut down this
>> practice, however when all's said and done, it's still woefully easy to find
>> open relays...
>>
>> Cheers
>> Steve
>>
>> -----Original Message-----
>> From: Joel Shapiro <jsfmp at earthlink.net>
>> To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>> Date: Wed, 30 Jul 2008 23:41:43 -0700
>> Subject: [FX.php List] [OFF] Sending php mail as anyone(?!)
>>
>> Hi all
>>
>> I'm just starting to look at sending mail via php.  I'm successfully
>> sending mail from my development machine via swiftmailer, but I'm
>> kinda shocked that it's so easy to send email seemingly from just
>> about *anybody's* email address.  Just put it in the 'sender'
>> parameter and it arrives looking like it was actually sent by that
>> person.
>>
>> I know there are email blacklists, SMTP authentication, etc., but can
>> it really be this simple to send as someone else?  (Is this
>> "spoofing"?)  I mean, I could start posting 500-word replies to this
>> list as ggt and none of you would even realize they weren't from him,
>> right?  (all due respect, ggt ;-)
>>
>> What am I missing?  Any recommended primers on this crazy scary new
>> world?
>>
>> TIA,
>> -Joel
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
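
The three relay controls listed in Steve's quoted reply (pop before smtp, authentication, IP restrictions), modelled as a server-side decision for one recipient and set beside the open-relay behaviour. This is an added example, not part of the thread and not code from any real mail server; the domains, addresses, the 15-minute window and all function names are assumptions.

```python
"""Relay decision for one SMTP recipient, modelling the controls named in the thread.
All domains, addresses and the 15-minute window are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LOCAL_DOMAINS = {"example.org"}                  # domains this server hosts (assumed)
TRUSTED_NETS = [ip_network("192.0.2.0/24")]      # "IP restrictions" (assumed block)
POP_WINDOW = timedelta(minutes=15)               # "the last x min" (assumed value)


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False                  # SMTP sign-in succeeded
    last_pop_login: Optional[datetime] = None    # last successful POP check, if any


def relay_decision(s: Session, rcpt: str, now: datetime) -> Tuple[bool, str]:
    """Return (accept, reason) for one RCPT TO address.

    Only the client and the recipient are consulted; the sender address
    the client claims plays no part in this decision.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"            # inbound mail, not relaying
    if s.authenticated:
        return True, "authenticated"
    if any(ip_address(s.client_ip) in net for net in TRUSTED_NETS):
        return True, "trusted network"
    if s.last_pop_login is not None:
        age = now - s.last_pop_login
        if timedelta(0) <= age <= POP_WINDOW:
            return True, "pop-before-smtp"
    return False, "relay denied"


def open_relay_decision(s: Session, rcpt: str, now: datetime) -> Tuple[bool, str]:
    """The misconfiguration: any client may send to any recipient."""
    return True, "open relay"
```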
