<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
Yeah, that's awesome... Why don't you try and actually deliver some
messages that way without authenticating and see if they get
through.<br>
<br>
--- BEGIN PASTE ---<br>
[null@sapsec01 ~]$ nc -vvv aspmx.l.google.com 25<br>
Connection to aspmx.l.google.com 25 port [tcp/smtp] succeeded!<br>
220 mx.google.com ESMTP h9si11359631paz.63 - gsmtp<br>
HELO aspmx.l.google.com<br>
250 mx.google.com at your service<br>
MAIL FROM:<a class="moz-txt-link-rfc2396E" href="mailto:spam.lord@gmail.com"><spam.lord@gmail.com></a><br>
250 2.1.0 OK h9si11359631paz.63 - gsmtp<br>
RCPT TO:<a class="moz-txt-link-rfc2396E" href="mailto:march.tim@gmail.com"><march.tim@gmail.com></a><br>
250 2.1.5 OK h9si11359631paz.63 - gsmtp<br>
DATA<br>
354 Go ahead h9si11359631paz.63 - gsmtp<br>
From: Spam Lord <a class="moz-txt-link-rfc2396E" href="mailto:spam.lord@gmail.com"><spam.lord@gmail.com></a><br>
To: [Tim March] <a class="moz-txt-link-rfc2396E" href="mailto:march.tim@gmail.com"><march.tim@gmail.com></a><br>
Date: Fri, 01 Mar 2013 17:02:27 +1100<br>
Subject: Your mum...<br>
<br>
Is on the top of my things to do list.<br>
<br>
<br>
<br>
.<br>
*crickets*<br>
^C<br>
[null@sapsec01 ~]$ <br>
--- END PASTE ---<br>
<br>
<br>
<br>
T.<br>
<br>
<div class="moz-cite-prefix">On 1/03/13 4:38 PM, Scott Howard wrote:<br>
</div>
<blockquote
cite="mid:CACnPsNU-50wHua_OLe_TcOMVTJvbOKwS5yVZMTMjiQYZjYsmYA@mail.gmail.com"
type="cite">On Fri, Mar 1, 2013 at 5:33 AM, Tim March <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 1/03/13 12:22 PM, Heinz N wrote:<br>
</div>
<blockquote type="cite">IMHO : If the ausnog SMTP MTA
relays for <a moz-do-not-send="true"
href="http://ausnog.net" target="_blank">ausnog.net</a>,
then the external spammer can pretend to be FROM <a
moz-do-not-send="true" href="http://ausnog.net"
target="_blank">ausnog.net</a>, sending TO <a
moz-do-not-send="true" href="http://ausnog.net"
target="_blank">ausnog.net</a>. The SMTP agent will
then relay with no questions asked. No pwnage required.
</blockquote>
<br>
</div>
This is a Bad Thing <span>™</span> from a security
perspective. Imagine the amount of spam you'd get if Google
allowed unauthenticated localdomain relay for <a
moz-do-not-send="true" href="http://gmail.com"
target="_blank">gmail.com</a>.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Umm.. They do. It's called "inbound email".</div>
<div><br>
</div>
<div>
<div>
<div>
scott@zaphod:~$ telnet <a moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>
25</div>
<div>Trying 2607:f8b0:4001:c02::1a...</div>
<div>Connected to <a moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>.</div>
<div>Escape character is '^]'.</div>
<div>220 <a moz-do-not-send="true"
href="http://mx.google.com">mx.google.com</a> ESMTP
pd3si9862485icb.71 - gsmtp</div>
<div>helo there</div>
<div>250 <a moz-do-not-send="true"
href="http://mx.google.com">mx.google.com</a> at your
service</div>
<div>mail from:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
<div>250 2.1.0 OK pd3si9862485icb.71 - gsmtp</div>
<div>rcpt to:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
<div>250 2.1.5 OK pd3si9862485icb.71 - gsmtp</div>
</div>
</div>
<div><br>
</div>
<div> Scott</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</body>
</html>