Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!usenet.eel.ufl.edu!news.mathworks.com!enews.sgi.com!news.sgi.com!swrinde!cs.utexas.edu!howland.erols.net!newsfeed.internetmci.com!news1.emplink.net!news
From: Richard Heaton <rheaton@empac.com>
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: Write Secret Love Letters
Date: Tue, 03 Sep 1996 10:50:24 -0700
Organization: Empac International
Lines: 67
Message-ID: <322C6FE0.41C67EA6@empac.com>
References: <Dx0p2v.7rn@konark.ncst.ernet.in> <50di6r$jmd@agate.nbnet.nb.ca>
NNTP-Posting-Host: salmon.empac.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.0 (X11; I; BSD/OS 2.0 i386)
Lance Cavener wrote:
>
> On stardate Sat, 31 Aug 1996 19:35:18 GMT, guest@konark.ncst.ernet.in
> (SANJEEV SHARMA) sent holographic email and wrote:
>
> >Use the following bug in the Mail Protocol - (RFC 822) where it does'nt
> >check the sender's identity even if he is on the same machine.
>
> >************************************************
> >Telnet MACHINENAME 25
> >HELO FICTITOUS_NAME
> >MAIL FROM :<FICTITIOUS_NAME>
> >RCPT TO :<RECIPIENTS_NAME>
> >DATA
> >HI DARLING, THIS IS TESTING
> >I COULD HAVE SENT ANY LETTER
> >TO U
> >.
> >QUIT
>
> Well isnt this nice. Fakemailing. Does this have anything to do with
> BSDI? No. Anwyay.
>
> If this was a bug, then it would have been fixed long ago BTW. Tell
> me, how are you suppost to check a users identy (I presume email
> address)? You can't, and if you tried, you would get really wierd
> headers.
>
> Anyway, keep crap like this off this newsgroup and put it in
> /dev/null. Im sure the last thing people want is for some lame newbie
> telnetting to their machines mailserver and sending fakemail from Root
> "System Administrator".
>
>
> --
> ,-------------------------------------------------------,
> |Lance Cavener Systems Administrator |
> |cavenerl@nbnet.nb.ca Senarius Inc. |
> |admin@novacon.com |
> |"Microsoft sent 54 programmers to Apple? You lie......"|
> `-------------------------------------------------------'
Actually , you are both wrong. Sendmail (SMTP actually) HELO will accept a fake name in the handshake, but new versions
of SMTP will try to identify the real identity with identd as well as reverse DNS lookups. It will put the real name
into the Recived header (which not all mailers display). This is well known and has been around for a while. See p 243
of "SENDMAIL" , Costales,B., O'Reilly & Associates, 1993 .
BTW Please try not to post crap like this to the net. If you are trying to do a service to the community by pointing out
possible security holes, then fine, great ( maybe use the correct forum, though, like com.unix.security) . If you are
trying to show us all what a great hacker (cracker in this case?) you are then keep it to the groups like alt.hackers
where stupid human tricks like this might be appreciated.
--
All opinions are mine , not my employers. ( They only rent my brain, they don't own it :-) )
rheaton@empac.com
System Engineer,Program Manager
EMPAC International
Fremont,California
http://www.empac.com
"A fanatic is one who can't change his mind
and won't change the subject."
-Winston Churchill