Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!spool.mu.edu!think.com!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!ra!Ra.MsState.Edu!fwp1
From: fwp1@CC.MsState.Edu (Frank Peters)
Newsgroups: comp.mail.sendmail
Subject: User setting From: address in sendmail input
Message-ID: <FWP1.91Jun19183837@Jester.CC.MsState.Edu>
Date: 19 Jun 91 23:38:39 GMT
Sender: usenet@ra.MsState.Edu
Organization: Computing Center, Mississippi State University
Lines: 15
Nntp-Posting-Host: jester.cc.msstate.edu

A user just noticed that he can put any from address into the From:
header of a file and pipe it to /usr/lib/sendmail and have that address
appear in the From field of the delivered message.  The unix From header
has the correct address (if it is present).  

I realize how easy it is to spoof via smtp.  But I would have thought this
case would be coverend under the sendmail.cf trusted user declarations.

This is the sendmail as shipped with SunOS 4.1.1.  Is there some way to
prevent this?

Frank
--
Frank Peters   Internet:  fwp1@CC.MsState.Edu         Bitnet:  FWP1@MsState
               Phone:     (601)325-2942               FAX:     (601)325-8921