Actually, Sendmail v8 (or at least 8.6.9, which I'm using) has a feature that
provides a basic level of authentication. When the HELO line is used, a
reverse lookup is used to verify that this is correct. If the reverse lookup
doesn't match, a line is put in the mail to inform the reader, as well as a copy
being sent to the administrator. This contains the name of the system that was
found using the reverse lookup.
Now, reverse lookups are certainly not the end-all of authentication, but at
least it is something ...
______________________________ Reply Separator _________________________________
Subject: Re: SMTP mail spoofing
Author: smb @ research . att . com at Internet
Date: 6/26/94 8:35 PM
--------
Sounds like you're talking about the privacy flags option
("Op") in sendmail 8. If you have "authwarnings" on for that
option, it will insist that it gets a HELO/EHLO before the
mail is sent, but all that does is make sure the person
sending the fraudulent e-mail has to type "HELO foo.bar.com".
It doesn't attempt to verify it. It's why you see some e-mail
around now from mh users that says "X-Authentication-Error:"
on it.
It's worse than that. I can telnet to, say, uunet's port 25, but
still send mail to some other host, and from some other host.
In fact, I hand-sent this message using just that technique, as a
glance at the Received: lines will show.
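
Added example, not part of the original thread: a small checker that compares the HELO name with the reverse-lookup name recorded in each Received: line, and marks which hops were written by a relay you trust (lines stamped by other hosts can be forged). It assumes the common `from <HELO> (<reverse name> [<ip>]) by <host>` layout; the sample message, host names and the `check_received` helper are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed layout: from <HELO name> (<reverse-lookup name> [<ip>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

# Constructed sample: the second hop announces "foo.bar.com" in HELO, but the
# relay's reverse lookup of the connecting address returned a different name.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org (8.6.9/8.6.9) id AA00001; Sun, 26 Jun 1994 20:36:00 -0400
Received: from foo.bar.com (dialup7.example.com [198.51.100.7])
\tby relay.example.net (8.6.9/8.6.9) id AA00002; Sun, 26 Jun 1994 20:35:00 -0400
From: someone@foo.bar.com
To: user@example.org
Subject: constructed sample

body
"""

def check_received(raw_message, trusted_by):
    """Return one finding per Received: header, newest hop first."""
    findings = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            findings.append({"status": "unparsed", "raw": flat})
            continue
        helo = m["helo"].lower().rstrip(".")
        rdns = (m["rdns"] or "").lower().rstrip(".")
        by = m["by"].lower()
        if not rdns:
            status = "no-reverse-name"   # receiver logged only the address
        elif helo == rdns:
            status = "match"
        else:
            status = "mismatch"          # HELO claim differs from reverse lookup
        # Only hops stamped by our own relays are reliable evidence.
        findings.append({"status": status, "helo": helo, "rdns": rdns or None,
                         "ip": m["ip"], "by": by, "trusted": by in trusted_by})
    return findings

if __name__ == "__main__":
    for finding in check_received(SAMPLE, {"mx.example.org"}):
        print(finding)
```

A mismatch on an untrusted hop is only a hint, since everything below the first line written by your own relay is supplied by the sender.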