On 2/18/2021 12:15 PM, Jeremy Nicoll wrote:
On Thu, 18 Feb 2021, at 18:30, Seymour J Metz wrote:
SMTP is inherently insecure
OTOH, the envelope ... fields can be trivially spoofed
For the recipient of an email, the SMTP envelope data is stripped off
by the receiving system's SMTP server, then - often - placed inside
the email in a header whose format depends on the mail system
concerned. For example I see X-Delivered-To: headers in some of
my mail.
How would someone spoof that, unless they had access to my
mail hosting company's servers?
... or coded their own SMTP relay program, which I did a few years ago
for a older Windows program that would only send mail out on port 25 and
could not be altered. Hard to find an open port 25 on any public ISP
these days.
But maybe Seymour is talking about the MAIL FROM: envelope item, which
can easily be spoofed. In fact, on my relay I needed to fake that field
purposely or my home ISP wouldn't accept the outgoing email from my relay.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
