[Mimedefang] smtp spoofing
David F. Skoll
dfs at roaringpenguin.com
Thu Jun 2 13:50:40 EDT 2005
Matthew Schumacher wrote:

> I have this running at one site:

[...]

> This pretty much stops mail from our domain from being spoofed by users
> that don't authenticate, then I turn off relaying for everything that
> doesn't authenticate.

Uh, no.

You can't prevent me from pretending to be <matt.s at aptalaska.net> and
e-mailing to <someone at aol.com> or <victim at hotmail.com>.

SPF might be able to help, but probably not, because I can send mail
with an envelope sender of <dfs at roaringpenguin.com> and a From: header
of <matt.s at aptalaska.net>. 99% of the time, the recipient will only
see the header value and not the envelope value. And it will pass the
SPF tests.

DomainKeys might help, but only if a site is using DomainKeys. As
far as I know, only Yahoo does.

SMTP was never designed to provide strong end-to-end authentication.
About the only way to enforce it would be to require everyone to
sign every piece of e-mail he/she sends, and also somehow manage
the nightmarish PKI or web-of-trust infrastructure that implies...

Regards,

David.
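The gap David points out is that SPF vets the envelope sender (MAIL FROM) while the recipient reads the From: header. The following is an added example, not code from the list post or from MIMEDefang: a small Python check, over a constructed SMTP client transcript, that extracts both addresses and reports whether their domains agree, which is the comparison a filter would need to make to notice this kind of spoof.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed SMTP client transcript, roughly what a milter sees: the
# envelope sender (MAIL FROM) and the From: header name different domains.
SESSION = """\
MAIL FROM:<dfs@roaringpenguin.com>
RCPT TO:<victim@hotmail.com>
DATA
From: Matt <matt.s@aptalaska.net>
To: victim@hotmail.com
Subject: test

hello
.
"""

def parse_session(session: str):
    """Return (envelope sender, recipients, message text) from a minimal
    client-side transcript. Dot-unstuffing of the DATA section is not done."""
    envelope_from, rcpts, lines = None, [], session.splitlines()
    for i, line in enumerate(lines):
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            envelope_from = arg.strip().strip("<>")
        elif verb.upper() == "RCPT TO":
            rcpts.append(arg.strip().strip("<>"))
        elif line.strip().upper() == "DATA":
            body = "\n".join(l for l in lines[i + 1:] if l != ".")
            return envelope_from, rcpts, body
    raise ValueError("transcript has no DATA command")

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def check_alignment(session: str) -> dict:
    """SPF, as discussed in the thread, only vets the MAIL FROM domain, so a
    filter that wants to catch header spoofing must compare it with From:."""
    envelope_from, _, body = parse_session(session)
    msg = email.message_from_string(body, policy=policy.default)
    header_from = parseaddr(str(msg["From"]))[1]
    env_dom, hdr_dom = domain_of(envelope_from), domain_of(header_from)
    return {"envelope_domain": env_dom, "header_domain": hdr_dom,
            "aligned": env_dom == hdr_dom}

if __name__ == "__main__":
    print(check_alignment(SESSION))
```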