email spoofing

Alex Neuman alex at
Thu Jun 14 01:51:28 IST 2007

Res wrote:
> Lazy? WTF is the point of smtp auth for your own lan...
> I abandoned smtp-auth years ago because too many customers can use it 
> to get you blacklisted (deliberate spam) it was more of a hassle then 
> thats its worth, if they are not on our network they can use their own 
> ISP's smtp and not ours.
> I will always allow all of our IP ranges for relay on the 
> cust-out-smtp's as there is nothing at all wrong with doing so, so 
> long as you don't add in IP ranges that aren't your own, and since no 
> network competently setup routes RFC1918 addresses, its moot point.
The F point, to use your own terms, is to avoid (read: make it more 
difficult to happen) spam zombies spewing stuff out of your network and 
getting you blacklisted. Most spam zombies will not authenticate - 
therefore, the e-mail won't leave your network. This, combined with a 
firewall policy that only allows port 25 traffic on your own servers can 
mitigate a spam zombie problem before it begins.

That and using other ports like 587 (for SMTP+AUTH with optional TLS) or 
465 (SMTPS) will also allow your users to bypass such filtering at other 

You can also tell sendmail (and probably postfix and other MTA's) to 
include the *who authenticated* information (look for REC_FULL_AUTH 
instead of REC_AUTH in the cf files) so you can tell who sent the e-mail 
more surely. For example, in your setup nothing prevents a person from 
spoofing another user's known (or guessed at) IP address and sending an 
e-mail purporting to be someone else. If you force people to 
authenticate, you get a header like:

Received: from mini.local (nkcenter [])
	(user=alex mech=PLAIN bits=0)
	by (8.14.0/8.14.0) with ESMTP id l5DNf4nd026079
	for <mailscanner at>;
	Wed, 13 Jun 2007 18:41:33 -0500

... which at least tells you the user who sent the e-mail did so using 
the "alex" account and knows the password for it.

I know that *anything* is circumventable in one way or another - and 
that's what I meant by *lazy*. I believe the UK expression is "I can't 
be bothered to...", in this case, set up SMTP AUTH so that spoofing 
becomes just a bit more difficult.

That, along with checking for valid recipients using milter-ahead or an 
LDAP lookup, and proper SPF records, for example, makes it even more 
difficult for spoofing and backscatter to occur.

More information about the MailScanner mailing list