Joel Uckelman on 16 Aug 2001 04:00:40 -0000



Re: hosers-talk: Radiohead Concert


Quoth Jeff Schroeder:
> At 01:15 AM 8/15/2001, you wrote:
> >Quoth "Jon Stewart":
> > > > I did not send this. If it was Jon, then you can go to hell, Jon.
> > > > If it was anyone else, then you can get fucked by your mother with
> > > > a rusty tire iron. Up the ass.
> > > >
> > > > No, wait. Jon too.
> > >
> > >
> > > Whaddya' know? The MTA doesn't verify mail from local users. All ya'
> > > gotta' do is include a forged "From:" line. Nifty.
> >
> >Hmm. That's not good. I wonder how I can fix that... Jeff, you use qmail.
> >Suggestions?
> >
> >Anyway, I knew it was Jon because it was sent by uid 525, which you can
> >verify is Jon by checking /etc/passwd.
> 
> 
> qmail obviously trusts any sender.  Which is the same for most SMTP 
> programs.  Most do not check the return (or from) field for 
> correctness,  although some check for the existence of the sender via DNS 
> or /etc/hosts! I am surprised that qmail didn't include anything in the 
> headers that showed the sending account name, however.  The problem lies in 
> where it should look for the appropriate value.  A lot of people change 
> their From: line to be a different e-mail account.
> 
> I'd say that you need to find a plug-in to do it!  It should be simple to 
> set the From account to the user e-mail w/o exception and only allow them 
> to change the name field.
> 
> jeff

Well, since I trust everyone who has an account here not to impersonate 
Josh and send nastygrams to his professors, I think I'm going to let this 
one go for now. Heh.

-- 
J.
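
The check mentioned in the thread (reading the uid that qmail records for locally injected mail and looking it up in /etc/passwd) can be scripted. The following is an added example, not part of the original messages: the domain example.org, the passwd entries other than uid 525 being Jon, and the sample message are all constructed, and it relies on the "(qmail PID invoked by uid UID)" Received line that qmail-queue writes for local submissions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# qmail-queue stamps locally injected mail with the invoking uid.
QMAIL_LOCAL = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

# Constructed sample data: only "uid 525 is Jon" comes from the thread.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
josh:x:519:100:Josh:/home/josh:/bin/sh
jon:x:525:100:Jon:/home/jon:/bin/sh
"""

FORGED = """\
Received: (qmail 4242 invoked by uid 525); 15 Aug 2001 06:10:02 -0000
From: Josh <josh@example.org>
To: list@example.org
Subject: constructed sample

body
"""

def passwd_users(text):
    """Map uid -> login name from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users.setdefault(int(fields[2]), fields[0])
    return users

def injecting_uid(msg):
    """Return the uid from the earliest (bottom-most) Received line, or None."""
    received = msg.get_all("Received") or []
    m = QMAIL_LOCAL.search(received[-1]) if received else None
    return int(m.group(1)) if m else None

def check_local_sender(raw, passwd_text, local_domain):
    """Flag mail whose From: names a local account other than the injecting one."""
    msg = message_from_string(raw)
    uid = injecting_uid(msg)
    account = passwd_users(passwd_text).get(uid)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = addr.partition("@")
    # Only local-domain claims are compared: users legitimately set From: to
    # outside addresses, so those are left alone rather than flagged.
    mismatch = uid is not None and domain == local_domain and local != account
    return {"uid": uid, "account": account, "from": addr, "mismatch": mismatch}
```

A mismatch is a prompt to look at the message, not proof of forgery on its own; mail that arrived over SMTP carries no uid line and is never flagged by this check.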