Quote:
Originally Posted by sclitheroe
If I knew they were a user, and they were linked to Twitter, I could tweet obfuscated URLs to their followers leading to a compromised site. And I'd pull that off without needing a login or password.
That seems fairly significant to me.
If there was an email server dumb enough to just accept the values it was sent, sure, but in reality it's not so easy to spoof. That whole telnet to port 25 trick sure isn't going to work. Hell, Flexamail receives probably 300 emails a week with spoofed FROM addresses. Just because you send a message and claim to be X person, doesn't mean the receiving server is going to believe it.
Think about it: if email was so easily spoofed between domains, who would ever trust it, as one of every 3 emails sent would be from Steve Jobs or Barack Obama.
Now, emails sent within the same domain that isn't properly locked down, that is easy to spoof. But even that can be fairly easily defeated.
EDIT: Ironically, our security logs show a half dozen spoofed email attempts since 11:52 EST.
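As an added illustration of the point made in the reply above (this is example code, not anything posted in the thread or run by Flexamail), the following is a simplified SPF evaluator of the kind a receiving mail server uses to decide whether to believe a claimed sender domain. The DNS records, domains and IP addresses are constructed placeholders; only the ip4, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these domains and records are
# hypothetical and exist only for this example.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain, or None if none is published."""
    record = dns.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT, depth=0):
    """Simplified SPF evaluation supporting ip4, include and all.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    The decision is based on the IP that actually connected, which is why
    merely typing a forged sender address into an SMTP session is not enough.
    """
    if depth > 10:  # runaway include chains are treated as a permanent error
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced domain's policy passes
            matched = check_spf(sender_ip, term[8:], dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms not modelled here (a, mx, exists, ...)
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


# Constructed inbound sessions: (connecting IP, domain given in MAIL FROM)
SAMPLE_SESSIONS = [
    ("192.0.2.25", "example.com"),          # listed directly in ip4
    ("198.51.100.10", "example.com"),       # authorised through the include
    ("203.0.113.7", "example.com"),         # claims example.com from elsewhere
    ("203.0.113.7", "mail.example.net"),    # record ends in ~all: softfail
    ("203.0.113.9", "nospf.example.org"),   # domain publishes no SPF record
]


def classify_sessions(sessions, dns=FAKE_DNS_TXT):
    """Attach an SPF result to every session."""
    return [(ip, dom, check_spf(ip, dom, dns)) for ip, dom in sessions]


def spoof_attempts(sessions, dns=FAKE_DNS_TXT):
    """Sessions a receiving server would log as spoofing: fail or softfail."""
    return [(ip, dom) for ip, dom, result in classify_sessions(sessions, dns)
            if result in ("fail", "softfail")]


if __name__ == "__main__":
    for ip, dom, result in classify_sessions(SAMPLE_SESSIONS):
        print(f"{ip:>15}  {dom:<20}  {result}")
```

The 'none' result for a domain without a published record is the case worth watching: with no SPF (or DKIM/DMARC) policy the receiving server has nothing to check, which is the situation the reply describes for domains that aren't properly locked down.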