[jdev] spoofing "from" attributes
Richard Dobson
richard at dobson-i.net
Tue Feb 22 05:37:18 CST 2005
> I was seeing the problem from the admin side: I can trust my components
> but not my clients and therefore the check should be enforced only for
> clients.
It will be enforced for clients; clients cannot spoof addresses at all. On
all implementations they should be simply replacing the from if it has been
set with the proper address.
Components as far as I understand it should be able to spoof messages as
much as you like, but if you try to send those outside your server and want
them to be delivered you must ensure that the domain in the from address is
the domain of the server you are trying to send it from, otherwise remote
servers will reject your attempts to deliver messages they see as spoofed to
them.
> Why? I don't get this. If I write my s2s component sending messages from
> anyuser at myserver, who can block me? AFAIK, from the outside nobody can
> detect that those are fake users.
I see, so you are not really spoofing addresses in regard to spoofing the
domain name (which you will never be able to do).
> Getting back to the original problem. Thus if I want to be able to have a
> webservice enabling users to send messages with rpc-like calls, the only
> solution with the present server is to keep a connection open for any
> possible user of this server. Am I right?
You will be able to spoof messages to your local users, but any messages you
try to send remotely will only work if you are trying to send them from a
domain name your server is responsible for, and dialback is working for.
Richard
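
The rules described in this message, sketched as an added example (not part of the original post and not code from any Jabber server). The Session type, the function names and the example.org addresses are constructed for illustration; component handling follows the message's description rather than any particular implementation.

```python
from dataclasses import dataclass, field

class SpoofedFrom(Exception):
    """Inbound s2s stanza claims a domain the sending server never verified."""

def domain_of(jid: str) -> str:
    """Domain part of node@domain/resource, lowercased."""
    bare = jid.split("/", 1)[0]          # resource may itself contain '/' or '@'
    return bare.split("@", 1)[-1].lower()

@dataclass
class Session:
    kind: str                            # "c2s", "component" or "s2s-in"
    bound_jid: str = ""                  # c2s: JID bound when the client authenticated
    verified: set = field(default_factory=set)  # s2s-in: domains that passed dialback

def stamp_from(session: Session, stanza: dict) -> dict:
    """Return the stanza with the 'from' the server routes on, or raise."""
    out = dict(stanza)
    if session.kind == "c2s":
        # Clients never pick their own address: overwrite whatever was sent.
        out["from"] = session.bound_jid
    elif session.kind == "component":
        # Trusted local component: 'from' is taken as given.
        if not out.get("from"):
            raise ValueError("component stanza needs a 'from'")
    elif session.kind == "s2s-in":
        # Remote server: only domains it proved via dialback are acceptable.
        if domain_of(out.get("from", "")) not in session.verified:
            raise SpoofedFrom(out.get("from", ""))
    else:
        raise ValueError(f"unknown session kind: {session.kind}")
    return out

def deliverable_remotely(from_jid: str, local_domains: set) -> bool:
    """Outbound check: a remote peer only accepts domains we can dial back for."""
    return domain_of(from_jid) in local_domains
```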