[imp] IMP as an open relay

Carlton Thomas carlton@gifford.co.uk
Mon, 27 May 2002 18:25:41 +0100 (GMT/BST)


On Mon, 27 May 2002, Chuck Hagenbuch wrote:

> No.
> 
> If we tried to follow his suggestion and made the user supply an SMTP 
> server, chances are about zero that we could actually _use_ that SMTP 
> server to send mail on the user's behalf.
> 
> IMP demo site -> connects to user's local SMTP server -> tries to send mail 
> to someone not at that ISP -> Whoops! Relaying denied.

Chuck,

You are missing one important detail from my original message. What I said
was :-

>> However, if the
>> user is allowed to specify a POP3/IMAP server by typing its name (just
>> like the IMP demo site) then I believe that the facility should be
>> built into IMP to also request the SMTP server authentication details.
>> IMP should then send mail using the specified SMTP server.

You seemed to have missed the "SMTP server authentication details" bit.
When you authenticate against an SMTP server, that SMTP server *will*
relay mail on your behalf. So to go back to the demo site example:
The user should be asked for:-

a) POP3/IMAP server
b) POP3/IMAP Username
c) POP3/IMAP Password
d) SMTP server
e) SMTP Username (if not the same as POP3/IMAP Username)
f) SMTP Password (if not the same as POP3/IMAP Password)

If the user cannot supply a valid SMTP Username and Password, he should
*not* be allowed to send mail and/or if the supplied SMTP server will
not relay on the user's behalf then "tough titties" (as we say in the UK).

I think it was Jan that said that it is not easy to spam via a web
interface. My response to that is "Try telling that to all the ISPs
who had their FormMail scripts used for spamming". It is very easy
to find applications on the web which will emulate users accessing
websites. Spammers can use this same technique to automate the sending
of a large volume of mail via IMP, trust me, it's relatively easy to do.

Unfortunately, I am speaking from experience here!!  My reason for
persisting with this thread is to ask you guys, the designers, to
assist the end users, by providing the necessary tools to allow us
to "Lock the stable doors before the horse bolts" (as we say in the UK).
Having your mail server blacklisted is "a real bummer".

Regards !

--
Carlton
=============================
GIFFORD INTERNET SERVICES
Bristol, United Kingdom 
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: admin@gifford.co.uk
Web: http://www.gifford.co.uk
=============================
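The submission policy Carlton describes (fields a) to f), SMTP credentials defaulting to the POP3/IMAP ones, no send without a successful AUTH, and "relaying denied" treated as final) as an added example; this is not IMP or Horde code. It assumes submission on port 587 with STARTTLS when offered, and the `client_factory` parameter exists only so the logic can be exercised against a stand-in client.

```python
import smtplib
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass
class UserSettings:
    # Fields a) to f) from the message; SMTP credentials fall back to the
    # POP3/IMAP ones when the user leaves them blank.
    mail_server: str
    mail_user: str
    mail_password: str
    smtp_server: str
    smtp_user: str = ""
    smtp_password: str = ""


def submit(settings: UserSettings, msg: EmailMessage, client_factory=smtplib.SMTP):
    """Relay only through the user's named SMTP server, only after AUTH.

    Returns (sent, reason). The webmail host never speaks to the server
    unauthenticated, so a spammer driving the web form gains nothing the
    user's own credentials would not already give them.
    """
    user = settings.smtp_user or settings.mail_user
    password = settings.smtp_password or settings.mail_password
    try:
        # Port 587 / STARTTLS is an assumption of this example.
        with client_factory(settings.smtp_server, 587, timeout=30) as smtp:
            smtp.ehlo()
            if smtp.has_extn("starttls"):
                smtp.starttls()
                smtp.ehlo()
            if not smtp.has_extn("auth"):
                return False, "server offers no AUTH; refusing to relay"
            smtp.login(user, password)      # raises SMTPAuthenticationError on bad creds
            smtp.send_message(msg)
            return True, "accepted by user's server"
    except smtplib.SMTPAuthenticationError:
        return False, "SMTP authentication failed; not sending"
    except smtplib.SMTPRecipientsRefused as exc:
        # The user's own server said no (e.g. "Relaying denied"): final.
        return False, f"relaying denied by user's server: {sorted(exc.recipients)}"
    except (smtplib.SMTPException, OSError) as exc:
        return False, f"submission error: {exc}"
```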