Re: mail port

To: rfjimen@tesuque.cs.sandia.gov (Ross F. Jimenez)
Subject: Re: mail port
From: Albert-Lunde@nwu.edu (Albert Lunde)
Date: Thu, 9 Nov 1995 08:06:28 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.951108221322.16290B-100000@tesuque.cs.sandia.gov> from "Ross F. Jimenez" at Nov 8, 95 10:17:51 pm
Reply-To: Albert-Lunde@nwu.edu (Albert Lunde)

> I have a question... you can telnet to a mail port (25) and send mail 
> from it,,to any person, and put it's from anybody you want, are you not 
> suppose to do this,, or can anybody do this, can the mail be tracked ?? 
> It would seem like a big security flaw if you could send false mail so 
> easily... ??? 

Ease of forgery is a well-known problem with SMTP and NNTP. "You" are
"not supposed" to do this, but the ability to do so is hard to
remove without breaking universal mail delivery. 

Logging, "Received:" headers, and address/ident lookups by sendmail do make
forgery detectable in many cases, and use of digital signatures
like PGP can provide checks on who wrote a message.

This is not really an issue for www-security, however....

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu

References:

mail port

From: "Ross F. Jimenez" <rfjimen@tesuque.cs.sandia.gov>

Previous: Re: mail port
Next: Re: How I plan to get off this list
Index(es):
- Index
- Thread