
RE: [cobalt-users] SMTP hole maybe - any ideas



Hi Ian,
At 12:30 04-06-2003 +0100, Ian wrote:
> Let's say that I do not actually have anything to do with the raq3 server. I do not have an account or any access rights on the server.
>
> I find out what domains are located on the server and then I create an email account within my local copy of say outlook, guessing what the smtp server for one of the domains might be, not hard really, could be mail., smtp. or www. or I just check the MX records for the domain to get it quicker.
>
> I set my email address as anyname@xxxxxxxxxxxxxxxx for sender and return address.
>
> I then send an email using the raq3's smtp server ability to 50 other domains on the same server, purporting to be the company behind the domainonraq3.com.
>
> The relaying of this email to 50 others on the same server is not prevented, even though POP b4 SMTP is enabled. Admittedly it will not allow the relaying to domains that are not on the server, but will happily send on this email to the 50 or so domains on the same server.

This is not an exploit. Sendmail is only doing what it was told to do, that is, accept the mail if the recipient's email address matches one which is hosted on that mail server.

> Then, we have 50 very unhappy teddies who have supposedly received an email from someone we host, but no, in fact, it came from someone no one knows masquerading as domainonraq3.com, as they have managed to send an email through the same server as the company hosts on.

This is a common mistake. Your email to this list, for example, shows up as coming from Ian. However, it was the mailing list software that sent the email. The fifty teddies should be educated not to trust the email address that is in the email headers.

> Surely this can not be right and the POP b4 SMTP should stop this sort of thing from happening.

POP3 before SMTP authentication controls relaying. It is not designed to stop this kind of behavior. There are different mechanisms to control relaying and POP3 before SMTP authentication is only one of them.

Regards,
-sm

P.S. How do you know that this email is actually from me? :-)
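
The distinction drawn in the reply above, between local delivery and relaying, as an added example that is not part of the original message and is not Sendmail code: a simplified model of the accept/relay decision, showing that the claimed sender plays no part in it. The domain names, IP addresses and function names are constructed for illustration, and the last function is an optional extra policy assumed here, not something the thread says the server does.

```python
# Added illustration: a simplified model of an MTA's accept/relay decision.
# All names and sample values are constructed; this is not Sendmail code.

LOCAL_DOMAINS = {"domainonraq3.example", "othersite.example"}  # hosted on the server
POP_AUTHED_IPS = {"198.51.100.7"}  # clients that recently passed a POP3 login


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def smtp_decision(client_ip, mail_from, rcpt_to):
    """Decide what the server does with one recipient.

    mail_from is deliberately ignored: the envelope sender is whatever
    the client claims and plays no part in the relay check.
    """
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "deliver-local"   # final delivery to a hosted mailbox, not relaying
    if client_ip in POP_AUTHED_IPS:
        return "relay"           # POP-before-SMTP opened the relay window
    return "reject-relay"        # outside recipient, unauthenticated client


def claims_local_sender_unauthenticated(client_ip, mail_from):
    """Optional extra policy (an assumption, not default behaviour):
    flag mail whose sender claims a hosted domain but whose client
    never authenticated."""
    return domain_of(mail_from) in LOCAL_DOMAINS and client_ip not in POP_AUTHED_IPS


if __name__ == "__main__":
    stranger = "203.0.113.50"  # constructed: no account, no POP login
    forged = "anyname@domainonraq3.example"
    for rcpt in ("bob@othersite.example", "carol@elsewhere.example"):
        print(rcpt, smtp_decision(stranger, forged, rcpt),
              claims_local_sender_unauthenticated(stranger, forged))
```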