Glaring secuirty hole?

[lobos]

I was trying to send email with my wamp server on localhost and I found somewhere on the net saying to edit the php.ini file like this:

[mail function]
; For Win32 only.
SMTP = mail.mydomain.com
smtp_port = 25

so I did this and used my mail server. and it worked, which was cool for awhile until I realised that ANYONE can do this because I didn't authenticate in anyway...

So I could set up a script and send out a million emails ... ???

So what's the deal with this? Sounds like a spammers dream...

-Lobos

[Vin DSL]

I didn't authenticate in anyway...

Are you *sure* about that?

[lobos]

yep i'm sure - PM me what the address to your smtp and i will see if it works, plus your email as well and I will send to you so you can check the headers.

-Lobos

[jason]

Without knowing the specifics of your setup it is hard to say exactly what is going on, but my guess is that your SMTP server is set (or can be set) to allow unauthenticated sending from localhost. Does your server require authentication to send from your mail client on a different machine?

With the setup I just described mail originating from your PHP scripts can pass through the server without restriction, but if you were to change the address to something else (a different server) it would likely fail, likewise, if you were to use mail.mydomain.com on a different physical server, that server would probably not be able to send mail.

Still, it is not unwise to test this out just to be sure.

--Jason

[Pawel Kowalski]

Jag's servers are set up to require authentication. Try setting up your outgoing server on your email client such as outlook to your SMTP server without authentication and it will not let you send email.

[lobos]

I did it from wamp installed on my pc, via my own localhost, and it worked with no auth.

[Pawel Kowalski]

I did it from wamp installed on my pc, via my own localhost, and it worked with no auth.

If you are absolutely sure that your wamp server is sending the emails out using your JagPC server and not its own localhost I would contact support about that, sounds like a serious misconfiguration. When you check the headers in your email messages what server does it say it came from?

Off topic: based on your name you're not from new mexico by any chance?

[JPC-Masood]

I realised that ANYONE can do this because I didn't authenticate in anyway...

Do you have an email account on the server such as pop3/imap? if yes you are already authenticating.

[lobos]

here is the header

From - Wed Feb 13 15:40:12 2008
X-Account-Key: account9
X-UIDL: UID82-1194652489
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <sender@sender.com>
Envelope-to: adam@corephp.com
Delivery-date: Wed, 13 Feb 2008 12:40:08 -0500
Received: from corephp by server.corephp.com with local-bsmtp (Exim 4.68)
(envelope-from <sender@sender.com>)
id 1JPLaS-0002Wj-K5
for adam@corephp.com; Wed, 13 Feb 2008 12:40:08 -0500
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on server.corephp.com
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MIS SING_MID,RCVD_IN_BL_SPAMCOP_NET,
RDNS_NONE autolearn=no version=3.2.3
Received: from [69.73.186.132] (port=43280 helo=kraken.nocdirect.com)
by server.corephp.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.68)
(envelope-from <sender@sender.com>)
id 1JPLaS-0002Wf-GP
for adam@corephp.com; Wed, 13 Feb 2008 12:40:00 -0500
Received: from [201.54.226.35] (helo=webvida)
by kraken.nocdirect.com with smtp (Exim 4.68)
(envelope-from <sender@sender.com>)
id 1JPLaT-0001Ur-69
for adam@corephp.com; Wed, 13 Feb 2008 12:40:01 -0500
Date: Wed, 13 Feb 2008 15:39:56 -0200
Subject: test subject
To: adam@corephp.com
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: sender@sender.com
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - kraken.nocdirect.com
X-AntiAbuse: Original Domain - corephp.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sender.com
X-Pass-two: yes
Message-Id: <E1JPLaS-0002Wj-K5@server.corephp.com>

test body testing email

[JPC-Masood]

Yes, you are authenticating via pop3. It is all over in the logs

[lobos]

thehotweb, I just tried thru your server mail.thehotweb.com and got this back

<b>Warning</b>: mail() [<a href='function.mail'>function.mail</a>]: SMTP server response: 550-(webvida) [201.54.226.35] is currently not permitted to relay through this
550-server. Perhaps you have not logged into the pop/imap server in the last 30
550 minutes or do not have SMTP Authentication turned on in your email client. in <b>C:\wamp\www\svn\KFC\www\apps\digitalM enus\api\digitalMenus_lander_main.php</b> on line <b>32</b><br />

so it is definetly a problem this...

[Pawel Kowalski]

thehotweb, I just tried thru your server mail.thehotweb.com and got this back

<b>Warning</b>: mail() [<a href='function.mail'>function.mail</a>]: SMTP server response: 550-(webvida) [201.54.226.35] is currently not permitted to relay through this
550-server. Perhaps you have not logged into the pop/imap server in the last 30
550 minutes or do not have SMTP Authentication turned on in your email client. in <b>C:\wamp\www\svn\KFC\www\apps\digitalM enus\api\digitalMenus_lander_main.php</b> on line <b>32</b><br />

so it is definetly a problem this...

As masood said you seem to be authenticating through pop3.

[lobos]

Well this is the default set up of the semi-dedicated hosting plan cause I haven't changed anything. Don't you think we should be warned about this? It's not like it's dedicated...

[Ron]

Maybe two sentences about what that means might help?

Here is what I have thought it means from context, maybe Masood can correct where I'm wrong or fill in the holes:

I think it means when your email client (outlook?) logs into the pop3 to retrieve mail, the server remembers you (your IP?) for some time period and allows you to send email without further authentication.

How'd I do?

[lobos]

well I don't see any mention of pop3 in the header.. but I am blind as a bat when it comes to these things