I recently received a message from one of my friends who uses spack.org as their mail server. It's a question I've been asked several times in the past, so I figured I'd throw my answer up here. -- Adam.
XXXX YYYY wrote:

> Hey Adam,
>
> I dig the new pine but I was wondering why we can edit the 'From' field
> when sending mail. It just seems a little bit odd that you could put
> something fake in there (as I just did a little test) and I couldn't easily
> figure out why they made that something that you could easily alter. It
> seems like it would open the door for a lot of bad people (read : axis of
> evil types) to misrepresent themselves or others. What gives?
I don't use pine anymore, but all they have done is turn this option on by default; you've always been able to edit the "From" header (I use this feature all the time to select between my spack.org, personaltelco.net and work email addresses depending on who I'm sending email to).
Here's an example of how easy it is for anyone to forge the "From" header.
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 gotham.domain.com ESMTP Postfix
    ehlo foo
    250-gotham.domain.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-XVERP
    250 8BITMIME
    mail from: bigbadmofo@terrorist.com
    250 Ok
    rcpt to: xxxx@spack.org
    250 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Subject: see forging the from header is easy.

    i'm a terrorist, you're a terrorist!
    oops. i don't mean that.
    i'm a security professional, you're a security professional!
    .
    250 Ok: queued as 40DA728975
    quit
    221 Bye
    Connection closed by foreign host.
So what's the lesson here? Email never was, and never will be, a "trusted" or secure communication mechanism. If you really want to know who is sending you mail, I suggest that you get them to start cryptographically signing their messages with PGP or S/MIME. Since that's never going to happen (because email crypto solutions suck), I'd suggest that a more realistic solution is to just acknowledge that the "From" header doesn't actually mean anything and to get on with your life.