Great Circle Associates Majordomo-Users
(October 1998)
 


Subject: Re: security problem with sender in config
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: 23 Oct 1998 11:42:28 -0500
To: Jeffrey Goldberg <J . Goldberg @ Cranfield . ac . uk>
Cc: Majordomo Users List <majordomo-users @ GreatCircle . COM>
In-reply-to: Jeffrey Goldberg's message of "Fri, 23 Oct 1998 11:04:43 +0100 (BST)"
References: <Pine.OSF.4.02A.9810231058530.14165-100000@nassau.pegasus.cranfield.ac.uk>

>>>>> "JG" == Jeffrey Goldberg <J.Goldberg@Cranfield.ac.uk> writes:

[By setting sender you can make it look like mail comes from anywhere.]

JG> Is this true?

Well, sure.

JG> Is it a problem?

Is it a problem that most MUAs let you change the From: header?  You can
send mail through Majordomo with any From: header you like.  Being able to
change the envelope sender isn't any more of a big deal, because you can do
that with 'telnet localhost 25' anyway.  Most people these days can't even
see the envelope sender.

You can't do anything with downstream Received: headers, so you still can't
forge anything any better than you can using any other method.

If this still bothers you, with the development version you could make
'sender' a variable that you need additional privileges to change.

 - J<
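
Added example, not part of the original message or of Majordomo: a receiving-side check that treats the From: header and the envelope sender (as recorded in Return-Path) as sender-supplied values, and trusts only the Received: lines stamped by the reader's own MTA. The sample message, the hostnames and the `TRUSTED_MTAS` set are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread); all hosts and addresses are made up.
# mx.example.org stands in for the reader's own inbound MTA.
SAMPLE = """\
Return-Path: <owner-list@lists.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id A1; Fri, 23 Oct 1998 11:42:30 -0500
Received: from trusted.example.com (localhost [127.0.0.1])
\tby relay.example.net with SMTP id B2; Fri, 23 Oct 1998 11:42:29 -0500
From: Someone Else <someone@example.com>
To: list@lists.example.net
Subject: test

body
"""

TRUSTED_MTAS = {"mx.example.org"}  # assumption: hosts whose stamps we believe


def _field(pattern, text):
    m = re.search(pattern, text, re.I)
    return m.group(1).lower() if m else None


def analyze(raw, trusted=TRUSTED_MTAS):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        hops.append({
            "helo": _field(r"\bfrom\s+(\S+)", flat),        # name the peer claimed
            "peer_ip": _field(r"\[([0-9a-f.:]+)\]", flat),  # address the stamper saw
            "by": _field(r"\bby\s+(\S+)", flat),            # host that added the line
        })
    # Received lines are prepended, so trusted stamps form a prefix at the top.
    verified = []
    for hop in hops:
        if hop["by"] not in trusted:
            break
        verified.append(hop)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "header_from": header_from,
        "envelope_sender": envelope,
        "senders_differ": header_from != envelope,
        "handoff_ip": verified[-1]["peer_ip"] if verified else None,
        "unverified_hops": len(hops) - len(verified),
    }
```

A differing envelope sender and From: address is normal for list traffic, so `senders_differ` is context for a reviewer rather than an alert by itself; `handoff_ip` is the only value here that the sending side could not choose.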

