ietf-asrg
[Top] [All Lists]

Re: [Asrg] 0. General

2003-10-22 12:04:24
At 12:09 AM -0400 2003/10/22, Richard Rognlie wrote:

 And remember, I'm not specifying that mail from rrognlie(_at_)gamerz(_dot_)net
 has to come from "the" gamerz.net RMX... just taht the HELO line
 claiming to be play.gamerz.net (my MTA) must be the specified
 IP (or one of the specified IPs).

Trivially easy to by-pass. Just claim to be 127.0.0.1, or 10.0.0.1, or some other IP address. Or maybe your "real" external IP address (assuming you have some reliable way of determining that, even though you might be behind a NAT or whatever).

There's a reason why the RFC says that you don't validate the hostname claimed in HELO/EHLO. It takes too much time, and is too easy to by-pass.

--
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>