[Mailman-Users] List Security
J C Lawrence
claw at kanga.nu
Wed Oct 23 19:32:56 CEST 2002
On Wed, 23 Oct 2002 19:00:06 +0200
Dan Richter <daniel.richter at wimba.com> wrote:
> Pardon me for being a pain here, but isn't it ridiculously easy to
> forge a From:, and also rather easy to forge an envelope?
From: is trivial under many MTAs. Envelope requires understanding SMTP
and driving that manually. However, this is largely moot: if you need
strong(er) authentication in email systems, period, and this is not just
limited to Mailman, you're basically into the realms of PKI.
Exception: (I do this in a couple of cases) I require mail arriving with
specific From: and Envelopes to also list specific addresses in the
Received: headers. This is not strong, it is equally trivially forged
as the envelope, but it is (currently) a sufficient barrier to entry
to cut even the few who do forge envelopes that I've found.
> Now I'll be humble and admit that I don't even know what an envelope
> is.
Crudely, it's the "From " header (note the space). More usefully the
envelope contains the return-path, the address to which a bounce should
be sent back to if this message bounces.
> So my question about the envelope really boils down to: if I have root
> access on a machine other than the one Mailman is running on, can I
> fool Mailman's envelope recognition?
Absolutely.
You don't need root access on any system to forge email.
--
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
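As an added example (my own code, not Mailman's and not from the post), here is a Received:-header gate of the kind J C Lawrence describes: a message is accepted only if its From: address and its envelope sender (recorded by the receiving MTA in Return-Path:) are the expected address and a Received: line names the expected relay. The relay name, addresses and both sample messages are constructed for this example. The `topmost_only` switch is my own tightening of the idea: only the first Received: line is the one your own MTA prepended; every line below it arrived inside the message and is therefore under the sender's control, which is exactly why the post calls the check "equally trivially forged".

```python
"""Added example: Received:-header gate as described in the post.
Not part of Mailman.  All addresses and messages below are constructed."""
import email
from email.utils import parseaddr


def _unfold(value):
    """Collapse a folded header (continuation lines) into one line."""
    return " ".join(value.split())


def check_sender(raw_message, expected_address, required_relay, topmost_only=False):
    """Return (ok, reasons) for one RFC 822 message given as bytes.

    ok is True when From: and the envelope sender (Return-Path:) both equal
    expected_address AND a Received: line mentions required_relay.
    With topmost_only=True only the first Received: line is consulted:
    that is the line our own MTA added; everything below it came with the
    message and can say whatever the sender wants.
    """
    msg = email.message_from_bytes(raw_message)
    reasons = []

    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() != expected_address.lower():
        reasons.append("From: is %r, expected %r" % (from_addr, expected_address))

    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    if envelope_addr.lower() != expected_address.lower():
        reasons.append("envelope sender is %r, expected %r" % (envelope_addr, expected_address))

    received = [_unfold(h) for h in msg.get_all("Received", [])]
    candidates = received[:1] if topmost_only else received
    if not any(required_relay.lower() in line.lower() for line in candidates):
        reasons.append("no Received: line names relay %r" % required_relay)

    return (not reasons, reasons)


# Constructed sample: a message that really travelled through the expected relay.
GOOD = b"""\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by lists.example.net (Postfix) with ESMTP id 1A2B3C
    for <announce@lists.example.net>; Wed, 23 Oct 2002 19:00:06 +0200
Received: from alice-pc (unknown [192.0.2.55])
    by mail.example.org (Postfix) with ESMTP id 4D5E6F;
    Wed, 23 Oct 2002 18:59:30 +0200
From: Alice <alice@example.org>
To: announce@lists.example.net
Subject: constructed sample (legitimate path)

Hello list.
"""

# Constructed sample: same From: and envelope, but injected from elsewhere,
# carrying a pre-written Received: line that names the expected relay.
SPOOFED = b"""\
Return-Path: <alice@example.org>
Received: from dialup-7.badhost.example (unknown [198.51.100.7])
    by lists.example.net (Postfix) with ESMTP id 7G8H9I
    for <announce@lists.example.net>; Wed, 23 Oct 2002 19:10:00 +0200
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by nowhere.invalid with SMTP; Wed, 23 Oct 2002 19:09:00 +0200
From: Alice <alice@example.org>
To: announce@lists.example.net
Subject: constructed sample (injected, fabricated Received: line)

Not really from Alice.
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("SPOOFED", SPOOFED)):
        for strict in (False, True):
            ok, why = check_sender(raw, "alice@example.org", "mail.example.org", topmost_only=strict)
            print(name, "topmost_only=%s" % strict, "ACCEPT" if ok else "REJECT", why)
```

Run as a script it shows the point of the post: the loose check accepts both messages, because the spoofed one simply includes a Received: line naming the relay, while the topmost-only check rejects it, since the line your MTA wrote records where the connection actually came from. Even that is only a barrier to entry, not authentication; the relay's IP in the topmost line can be checked the same way, and anything stronger is, as the post says, PKI territory.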