[1148] in WWW Security List Archive


Re: mail port

daemon@ATHENA.MIT.EDU (Albert Lunde)
Thu Nov 9 12:04:46 1995

To: rfjimen@tesuque.cs.sandia.gov (Ross F. Jimenez)
Date: Thu, 9 Nov 1995 08:06:28 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.951108221322.16290B-100000@tesuque.cs.sandia.gov> from "Ross F. Jimenez" at Nov 8, 95 10:17:51 pm
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)
From: Albert-Lunde@nwu.edu (Albert Lunde)
Errors-To: owner-www-security@ns2.rutgers.edu

> I have a question... you can telnet to a mail port (25) and send mail
> from it, to any person, and put it's from anybody you want, are you not
> supposed to do this, or can anybody do this, can the mail be tracked ??
> It would seem like a big security flaw if you could send false mail so
> easily... ???

Ease of forgery is a well-known problem with SMTP and NNTP. "You" are
"not supposed" to do this, but the ability to do so is hard to
remove without breaking universal mail delivery. 

Logging, "Received:" headers, and address/ident lookups by sendmail do make
forgery detectable in many cases, and use of digital signatures
like PGP can provide checks on who wrote a message.

This is not really an issue for www-security, however....

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu
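
Added example (not part of the original message): one way a recipient can use the "Received:" line written by their own mail server to spot the kind of forgery discussed above. It assumes the sendmail-style trace format "from HELO-name (ident@looked-up-name [ip]) by host"; the sample messages, host names and the helper names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original post); names and addresses are
# reserved documentation values. Assumed sendmail-style trace format:
#   from <HELO name> (<ident@looked-up name> [<ip>]) by <receiving host>
FORGED = (
    "Received: from mail.example.org (dialup-17.example.net [192.0.2.17])\n"
    "\tby mx.example.com (8.6.12/8.6.12) with SMTP id IAA01234;\n"
    "\tThu, 9 Nov 1995 08:01:02 -0600\n"
    "From: alice@example.org\nTo: bob@example.com\nSubject: hi\n\nbody\n"
)
CLEAN = FORGED.replace("dialup-17.example.net [192.0.2.17]",
                       "mail.example.org [192.0.2.25]")

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<seen>[^\s\[\]]+)?\s*"
                 r"\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I)

def site(name):
    """Crude 'organisational domain': last two labels (a simplification)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def top_hop(raw):
    """Parse the newest Received: header, the one our own MTA wrote."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = HOP.search(" ".join(received[0].split())) if received else None
    return msg, (m.groupdict() if m else None)

def forgery_indicators(raw):
    msg, hop = top_hop(raw)
    if hop is None:
        return ["no parseable Received: header from the receiving MTA"]
    findings = []
    seen = (hop["seen"] or "").split("@")[-1]   # drop ident user, if any
    if not seen:
        findings.append(f"no reverse name for {hop['ip']}")
    elif seen.lower() != hop["helo"].lower():
        findings.append(f"HELO {hop['helo']} but connection came from {seen}")
    sender = parseaddr(msg.get("From", ""))[1]
    if seen and site(sender.split("@")[-1]) != site(seen):
        findings.append(f"From domain of {sender} differs from {site(seen)}")
    return findings
```

Only the topmost "Received:" line is trusted here, since lower ones can be supplied by the sender. A mismatch is an indicator to investigate, not proof, because legitimate mail is often relayed through hosts in other domains.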
