Jon Stewart on 16 Aug 2001 05:07:00 -0000



Re: hosers-talk: Radiohead Concert


> qmail obviously trusts any sender.  Which is the same for most SMTP 
> programs.  Most do not check the return (or from) field for 
> correctness,  although some check for the existence of the sender via DNS 
> or /etc/hosts! I am surprised that qmail didn't include anything in the 
> headers that showed the sending account name, however.  The problem lies in 
> where it should look for the appropriate value.  A lot of people change 
> their From: line to be a different e-mail account.


I know that it's not always desirable to regulate the From: line strictly.  
But, like Jeff here, I was surprised that there wasn't an obvious
indication it was really from my account (unless you memorize everyone's
uid, in which case I guess it was obvious (notes that only Joel would
memorize everyone's uid)) -- the joke was to act like I was grossly
impersonating Josh, not to make a believable forgery. I figured my
username would be featured loudly in the headers, possibly with a warning,
even. But, I also wanted to try, anyway.

If you send a test message to yourself doing what I did, either to your
local ellipsis account or to another one (i.e., locality is a non-issue),
the sender header will be correct and say it's really from your account.
The "problem", in this case, is that my forgery went to majordomo, which
replaced the sender header with its own, and did not say anything about
the original sender.

Thus, I don't think anyone can impersonate Josh to his professors (at 
least effectively), but it does seem possible on a mailing list. I'm not 
sure you could call this a bug in majordomo, but it certainly isn't a 
feature.



Jon
-- 
Jon Stewart
stew1@xxxxxxxxxxx

"Survey says: it was a bad idea in the first place."

	-- The Dismemberment Plan
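
Added example, not part of the original message: a check that maps the uid in qmail's "invoked by uid" Received line back to an account name and compares it with the From: local part, which is the lookup the message jokes about doing from memory. The sample message, the uid table and the example.org addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list copy of a locally injected message. The uids,
# account names and example.org addresses are made up for illustration.
SAMPLE = """\
Received: (qmail 4410 invoked by alias); 16 Aug 2001 05:07:02 -0000
Received: (qmail 4321 invoked by uid 1007); 16 Aug 2001 05:07:00 -0000
Sender: owner-list@example.org
From: Josh <josh@example.org>
To: list@example.org
Subject: test

body
"""

# Hypothetical uid -> account table; on a real host, build it from /etc/passwd.
UID_TO_USER = {1005: "josh", 1007: "jon"}

# qmail stamps locally injected mail with "(qmail <pid> invoked by uid <uid>)".
QMAIL_UID = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

def injecting_uid(msg):
    """Return the uid from the earliest qmail 'invoked by uid' hop, or None."""
    # Received lines are prepended, so the bottom-most match is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = QMAIL_UID.search(value)
        if m:
            return int(m.group(1))
    return None

def check_from(raw, uid_to_user):
    """Compare the From: local part with the account that injected the mail.

    Returns (verdict, injecting_account, from_local_part). A "mismatch" is
    only a flag: people legitimately set From: to a different address.
    """
    msg = message_from_string(raw)
    from_local = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    uid = injecting_uid(msg)
    if uid is None:
        return ("no-uid", None, from_local)
    account = uid_to_user.get(uid)
    if account is None:
        return ("unknown-uid", None, from_local)
    verdict = "match" if account == from_local else "mismatch"
    return (verdict, account, from_local)
```

On the constructed sample, check_from(SAMPLE, UID_TO_USER) reports a mismatch between the injecting account "jon" and the From: local part "josh", even though the Sender header names only the list.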