September 12th, 2010, 05:38 AM
Can somebody please explain to me how could this possibly happen?
I have a website example.com. I wrote a simple php script to send an email. I set the FROM field to "personA@gmail.com" and I set the TO field to "personB@yahoo.com" (i am not listing the actual emails or domains, but i used real emails). The strange thing is that I recieved the email message in my Yahoo inbox. Is it me or this should not happen!!! I mean I could cause a fight between "personA" and "personB" if I write an offensive message. How come Yahoo or Gmail did not authenticate the sender of the message? What am I missing here?
September 13th, 2010, 02:48 PM
You're seeing two things. The first is the "To:" field - your mail server must be saying "this isn't a message for me - I'll forward it". This could be very bad if you don't require some sort of authentication to forward the mail as anyone could use it as an Open relay. If you do require authentication then it is not a problem.
The second is the "From:" address problem. You have just seen how a Joe Job works. The SMTP standard does not do a particularly good job enforcing anything about the "From:" address. Add-ons such as DKIM help but are not widely enough used to be super valuable.
I have periodically been the victim of a "Joe Job" attack and I get emails from the world over telling me what errors occurred during the delivery of the email. Contacting any of the administrators of the poorly configured mail systems to tell them that they should read a bit before running a mail server is an utter waste of time so I just set up a filter in my mail server to quietly dump everything that is a bounce message to /dev/null.
September 17th, 2010, 04:12 PM
Tools such as SPF attempt to deal with Joe Job attacks but there is nothing you can do to stop someone from spoofing the From address on an email.
In fact, spammers often use a spoofed Reply-to address in case the server will bounce a message. The message goes to the spoof replied to. People will often open these messages thinking it was something they sent only to discover the Reply-to was spoofed.