Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!shaman!jiro
From: jiro@shaman.com (Jiro Nakamura)
Newsgroups: comp.mail.sendmail
Subject: Re: User setting From: address in sendmail input
Message-ID: <1991Jun20.022606.1680@shaman.com>
Date: 20 Jun 91 02:26:06 GMT
References:
Sender: jiro@shaman.com (Jiro Nakamura)
Organization: Shaman Consulting
Lines: 27

In article fwp1@CC.MsState.Edu (Frank Peters) writes:
> A user just noticed that he can put any from address into the From:
> header of a file and pipe it to /usr/lib/sendmail and have that address
> appear in the From field of the delivered message. The unix From header
> has the correct address (if it is present).
>
> I realize how easy it is to spoof via smtp. But I would have thought this
> case would be covered under the sendmail.cf trusted user declarations.
>
> This is the sendmail as shipped with SunOS 4.1.1. Is there some way to
> prevent this?
>

I noticed that the sendmail as shipped out by NeXT also has this
"feature." Great security hazard. I see now why Cornell now warns people
to not believe any e-mail from root asking folk to change their passwords
to certain words.....

- Jiro Nakamura
jiro@shaman.com
--
Jiro Nakamura jiro@shaman.com
Shaman Consulting +1 607 277-1440 Voice/Fax/Data
"Bring your dead, dying shamans here!"
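The quoted question notes that the unix "From " line still carries the real sender while the From: header is whatever the user typed. The following is an added example, not part of the original post, of a check that compares the two in an mbox-format message; `LOCAL_DOMAIN`, the function names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.edu"  # assumption: the receiving host's own domain

# Constructed sample messages in mbox format (not taken from the post).
SPOOFED = ("From jdoe Thu Jun 20 02:26:06 1991\n"
           "From: root@example.edu (System Administrator)\n"
           "Subject: password notice\n\nbody\n")
HONEST = ("From jdoe Thu Jun 20 02:30:00 1991\n"
          "From: jdoe@example.edu (J. Doe)\n"
          "Subject: lunch\n\nbody\n")
NO_ENVELOPE = "From: root@example.edu\nSubject: x\n\nbody\n"


def qualify(addr, domain=LOCAL_DOMAIN):
    """Lower-case an address; append the local domain to a bare login name."""
    addr = addr.strip().lower()
    if addr and "@" not in addr:
        addr = addr + "@" + domain
    return addr


def audit(raw):
    """Compare the envelope sender with the From: header of one message.

    Returns (verdict, envelope_sender, header_from).
    """
    msg = message_from_string(raw)
    # The parser keeps a leading "From user date" line as the unixfrom.
    unixfrom = msg.get_unixfrom()
    fields = unixfrom.split() if unixfrom else []
    envelope = qualify(fields[1]) if len(fields) > 1 else ""
    header = qualify(parseaddr(msg.get("From", ""))[1])
    if not envelope:
        verdict = "no-envelope"  # nothing recorded at delivery to compare with
    elif not header:
        verdict = "no-header"
    elif envelope == header:
        verdict = "match"
    else:
        verdict = "mismatch"     # header claims a different sender
    return verdict, envelope, header


if __name__ == "__main__":
    for sample in (SPOOFED, HONEST, NO_ENVELOPE):
        print(audit(sample))
```

A mismatch is a signal to look closer, not proof of forgery: mailing lists and forwarders legitimately deliver mail whose envelope sender differs from the From: header.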