Educause Security Discussion mailing list archives

Re: Student Charged with Breaking Into Roommate's E-Mail Account (26 February 2004)


From: Christopher Cramer <chris.cramer () DUKE EDU>
Date: Thu, 4 Mar 2004 17:10:12 -0500

On Thu, 2004-03-04 at 16:25, Bruhn, Mark S. wrote:
> "...the majority of mail servers still do not require authentication..."
>
> Where??

smtp.duke.edu unless you want to relay from off campus to off campus.

a local linux machine's sendmail is also non-authenticated and so could
forge a From: address

since there was no evidence (in the article) that the student actually
read the other's email, all we know is that they set a From: address of
the victim.

although that brings up a good question - how many universities are
requiring smtp-auth for ALL access to their smtp servers where the "mail
from:" is local?  so, for example, does external-relay.indiana.edu allow
me to set a "mail from:" and "rcpt to:" that are both indiana.edu
addresses?

-c
--
Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer () duke edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
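
The two relay policies contrasted in this message, modelled side by side as an added example that is not part of the original post. The domain, campus network range, sample envelopes and function names are all constructed for illustration, and the policy functions are a simplified model, not any real server's configuration:

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration; not taken from the original post.
LOCAL_DOMAIN = "example.edu"
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Envelope:
    client_ip: str
    authenticated: bool   # did the client complete SMTP AUTH?
    mail_from: str
    rcpt_to: str

def is_local(addr: str) -> bool:
    return addr.strip("<> ").rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN

def on_campus(env: Envelope) -> bool:
    return ipaddress.ip_address(env.client_ip) in CAMPUS_NET

def relay_only_policy(env: Envelope) -> bool:
    """Auth is demanded only for off-campus to off-campus relaying."""
    return env.authenticated or on_campus(env) or is_local(env.rcpt_to)

def local_sender_auth_policy(env: Envelope) -> bool:
    """Auth is demanded for every client whose MAIL FROM is a local address."""
    if env.authenticated:
        return True
    if is_local(env.mail_from):
        return False              # local sender claimed without proof of identity
    return is_local(env.rcpt_to)  # ordinary inbound mail; never relay for strangers

def policy_gap(envelopes):
    """Envelopes the relay-only policy accepts but the stricter one refuses."""
    return [e for e in envelopes
            if relay_only_policy(e) and not local_sender_auth_policy(e)]

SAMPLES = [  # constructed envelopes
    Envelope("198.51.100.7", False, "alice@example.edu", "bob@example.edu"),
    Envelope("192.0.2.10", False, "alice@example.edu", "carol@example.org"),
    Envelope("198.51.100.7", False, "dave@example.org", "bob@example.edu"),
    Envelope("198.51.100.7", False, "dave@example.org", "erin@example.net"),
    Envelope("198.51.100.7", True, "alice@example.edu", "erin@example.net"),
]

if __name__ == "__main__":
    for env in policy_gap(SAMPLES):
        print("accepted without auth under relay-only policy:", env)
```

The first two sample envelopes are the ones that differ: both name a local sender without authenticating, and only the stricter policy refuses them.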