Jeff Schroeder on 16 Aug 2001 03:09:24 -0000 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: hosers-talk: Radiohead Concert |
At 01:15 AM 8/15/2001, you wrote:
Quoth "Jon Stewart": > > I did not send this. If it was Jon, then you can go to hell, Jon. > > If it was anyone else, than you can get fucked by your mother with > > a rusty tire iron. Up the ass. > > > > No, wait. Jon too. > > > Whaddya' know? The MTA doesn't verify mail from local users. All ya' > gotta' do is include a forged "From:" line. Nifty. Hmm. That's not good. I wonder how I can fix that... Jeff, you use qmail. Suggestions? Anyway, I knew it was Jon because it was sent by uid 525, which you can verify is Jon by checking /etc/passwd.
qmail obviously trusts any sender. Which is the same for most SMTP programs. Most do not check the return (or from) field for correctness, although some check for the existance of the sender via DNS or /etc/hosts! I am surprised that qmail didn't include anything in the headers that showed the sending account name, however. The problem lies in where it should look for the appropriate value. A lot of people change their From: line to be a different e-mail account.
I'd say that you need to find a plug-in to do it! It should be simple to set the From account to the user e-mail w/o exception and only allow them to change the name field.
jeff