Faking Sender Addresses in E-Mails

Last Update 2001-09-16
Many people complain that sendmail allows faking e-mail addresses or ask related questions like how do I reject mails with local sender addresses coming from external systems?

The simple answer is that SMTP does by default not require authentication just like snail mail. Everyone can write any sender address on an envelope and send it to you. Why do you trust snail mail? Maybe because it is signed? So why do you trust e-mail if it isn't (digitally) signed?

So the answer to how to avoid faked e-mails to my users is not by some rulesets in sendmail to maybe avoid some forms of forgery, but by digital signatures as available via PGP or S/MIME.

Note: even if an (e-)mail is (digitally) signed, you can trust it only if you can verify the signature. For PGP this refers to the Web of Trust, for S/MIME it relies on a hierarchical approach.


[(links)] [Hints] [Avoiding UBE] [cf/README] [New]
Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.