Jeff Schroeder on 16 Aug 2001 03:09:24 -0000



Re: hosers-talk: Radiohead Concert


At 01:15 AM 8/15/2001, you wrote:
Quoth "Jon Stewart":
> > I did not send this. If it was Jon, then you can go to hell, Jon.
> > If it was anyone else, then you can get fucked by your mother with
> > a rusty tire iron. Up the ass.
> >
> > No, wait. Jon too.
>
>
> Whaddya' know? The MTA doesn't verify mail from local users. All ya'
> gotta' do is include a forged "From:" line. Nifty.

Hmm. That's not good. I wonder how I can fix that... Jeff, you use qmail.
Suggestions?

Anyway, I knew it was Jon because it was sent by uid 525, which you can
verify is Jon by checking /etc/passwd.


qmail obviously trusts any sender. Which is the same for most SMTP programs. Most do not check the return (or from) field for correctness, although some check for the existence of the sender via DNS or /etc/hosts! I am surprised that qmail didn't include anything in the headers that showed the sending account name, however. The problem lies in where it should look for the appropriate value. A lot of people change their From: line to be a different e-mail account.

I'd say that you need to find a plug-in to do it! It should be simple to set the From account to the user e-mail w/o exception and only allow them to change the name field.

jeff
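
The uid check described in the thread can be automated. The following is an added example, not part of the original messages: it reads the `invoked by uid` stamp that qmail puts in the `Received:` line of locally injected mail, resolves it against passwd-format data, and compares the login name with the local part of `From:`. The account names, addresses and pid are constructed, and it assumes local mail addresses use the login name as their local part.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: passwd entries and a locally injected message.
# Only uid 525 comes from the thread; names, addresses and pid are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:524:100:Alice Example:/home/alice:/bin/sh
bob:x:525:100:Bob Example:/home/bob:/bin/sh
"""

SAMPLE_MESSAGE = """\
Received: (qmail 12345 invoked by uid 525); 15 Aug 2001 08:15:00 -0000
From: Alice Example <alice@lists.example>
To: list@lists.example
Subject: constructed test message

body
"""

# qmail stamps locally injected mail with the uid of the invoking process.
UID_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

def load_passwd(text):
    """Map uid -> login name from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users.setdefault(int(fields[2]), fields[0])
    return users

def check_local_sender(raw_message, passwd_text):
    """Return (claimed_local_part, actual_login, mismatch) for a message.

    actual_login is None when no "invoked by uid" stamp is present
    (for example mail that arrived over SMTP), so nothing is concluded.
    """
    msg = message_from_string(raw_message)
    claimed = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    users = load_passwd(passwd_text)
    for received in msg.get_all("Received", []):  # topmost header first
        m = UID_RE.search(received)
        if m:
            uid = int(m.group(1))
            actual = users.get(uid, f"uid {uid}")
            return claimed, actual, claimed != actual
    return claimed, None, False
```

A mismatch is a flag for review rather than proof of forgery, since users may legitimately set `From:` to another account. Only the topmost stamp is trusted here, because lower `Received:` lines can be supplied by the sender.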