On Thu, 30 Jun 2005 07:30:24 EDT, Hector Santos said:
> Here's another one. This is the SendMail.com server:
> 220 foon.sendmail.com ESMTP Sendmail Switch-3.1.7/Switch-3.1.7;
> Thu, 30 Jun 2005 03:55:50 -0700
> 250 foon.sendmail.com Hello adsl-10-44-25.mia.bellsouth.net [188.8.131.52],
> ed to meet you
> See the problem? [Hint: Spoofing]
> Let's check Claus's esmtp.org server:
> 220 zardoc.esmtp.org ESMTP sendmail X.0.0.Alpha4.0
> 250 zardoc.esmtp.org Hi there
> mail from: <>
> 501 5.1.7 Bad sender's mailbox address syntax.
> Wonderful! It worries about a space, but it doesn't protect its own local
What can I say? Claus is a standards-conforming kind of guy :)
In what sense is the handling of the HELO parameter failing to "protect"
Note that (a) the HELO isn't usually *used* for anything, (b) will get you a
nice little notation in the Received: header, and (c) the relevant RFCs
specifically say that bouncing mail solely because the machine is confused
about its name is prohibited (2821, section 4.1.4):

   An SMTP server MAY verify that the domain name parameter in the EHLO
   command actually corresponds to the IP address of the client.
   However, the server MUST NOT refuse to accept a message for this
   reason if the verification fails: the information about verification
   failure is for logging and tracing only.

And sure enough, if you were to proceed with valid MAIL FROM/RCPT TO, you'd
find that the Received: header would contain *3* fields - your claimed HELO
name, the IP you *actually* came from, and the PTR that IP has. In addition,
if the hostname claimed by the PTR doesn't have an A record matching the IP,
there will be a 'might be forged' notation.
And rest assured, if you had tried to claim the same domain address on the
MAIL FROM, Claus's servers would have told you exactly what you could do with
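
The Received: fields described in the reply above, as an added example that is not part of the original message and not sendmail's own code: a Python parser that extracts the claimed HELO name, the PTR name and the connecting IP, and turns mismatches into log notes only, in line with the quoted RFC 2821 section 4.1.4 text. The header layout, the function names and the sample headers are assumptions constructed for illustration; the forged marker is matched as either "may be forged" or "might be forged".

```python
import re

# Assumed layout, modelled on the three fields the message describes:
#   from <claimed HELO> (<PTR name> [<actual IP>] (may be forged)) by ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<ptr>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?P<forged>\s*\((?:may|might) be forged\))?\)",
    re.IGNORECASE,
)

def parse_received(header):
    """Return helo/ptr/ip/forged from one Received: header, or None."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    if m is None:
        return None
    return {
        "helo": m.group("helo").lower().rstrip("."),
        "ptr": (m.group("ptr") or "").lower().rstrip(".") or None,
        "ip": m.group("ip"),
        "forged": m.group("forged") is not None,
    }

def trace_notes(header):
    """Notes for logging and tracing only; never a reason to refuse the mail."""
    f = parse_received(header)
    if f is None:
        return ["unparsed Received header"]
    notes = []
    if f["ptr"] is None:
        notes.append("no PTR for %s" % f["ip"])
    elif f["helo"] != f["ptr"]:
        notes.append("HELO %s differs from PTR %s" % (f["helo"], f["ptr"]))
    if f["forged"]:
        notes.append("PTR %s does not resolve back to %s" % (f["ptr"], f["ip"]))
    return notes

# Constructed sample headers (documentation names and addresses only).
SAMPLES = [
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP; Thu, 30 Jun 2005 03:55:50 -0700",
    "Received: from mx.example.net (dsl-7.example.com [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP",
    "Received: from foo.example (host.example.com [203.0.113.9] (may be forged))\n"
    "\tby mx.example.net with ESMTP",
    "Received: from foo.example ([203.0.113.5]) by mx.example.net with ESMTP",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(parse_received(h), trace_notes(h))
```

The second sample is the case from the quoted session: a client claiming the receiving server's own name in HELO, which shows up as a HELO/PTR mismatch in the trace rather than as a rejection.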