Re: lynx-dev changing mail user (was Your Mail)

[Foteos Macrides]

Heather Stern <address@hidden> wrote:
>I ate the fortune cookie first, then read what Foteos Macrides wrote:
>> 
>> Wayne Buttles <address@hidden>
>> >Try this:
>> >
>> >SYSTEM_MAIL:sendmail -f address@hidden -h access.digex.net -r 
>> >mail.access.digex.net SMTP
>> >SYSTEM_MAIL_FLAGS:
>> 
>>      Since Al reported that it worked for him, I tried it
>> from here (both with and without the -m before the SMTP, which
>> apparently doesn't matter because SMTP is the default) to see
>[snip]
>>      I got no indication from Lynx that anything had failed,
>> but it's been a while and I still haven't received the test
>> message I sent to address@hidden as if from Al, so it
>> apparently did not, in fact, work.
>
>It's possible that your site simply ignored it, or that a relaying site
>dropped it.  Relays that drop this sort of thing usually send some sort of 
>bounce note, though.
>
>>      Do you know if sendmail.exe is checking a database for
>> authorization info, e.g., that used by Outlook Express, such
>> that it could be modified to make this type of misuse actually
>> work?  I presume the sources for sendmail.exe are not available.
>
>The configuration file is /etc/sendmail.cf.  While sendmail is open source
>(sendmail.org) I'm pretty sure a local admin would be annoyed at finding a
>user copy floating around, much less a user with the gumption to tweak the
>code on it...  
>
>The entry you would want to change would be T - trusted user.  Usually root
>is on this list (big surprise), and you might add mailing list software (so
>you wouldn't have to waste a uid for every list onsite) or a Postman account
>that isn't root.
>[...]

        We've been talking in this thread about the sendmail.exe which is
included in lynx-w32.zip for use with the WIN port or Lynx, not the real
Unix sendmail.  What appears to have been established thus far is that
the split in lynx.cfg into two symbols, one for the mailer's path, and
the second for its switches, has not been extended to that port, so you
put both for the SYSTEM_MAIL definition.  The .exe is used with tin (and
Wayne got it that way), and was written and copyrighted by someone from
MicroSoft.  It does not have a -T switch, and perhaps other things that
you might expect from the Unix sendmail.  Here's the screen output for
it's help (i.e., when envoked with no switches):

Welcome to sendmail/NT, a mailer stub for Windows/NT and Windows/95.
(c) Nigel R. Ellis <address@hidden> 1994 - 1995.

This version built on Jun  5 1995 at 14:56:11

Usage: SENDMAIL.EXE [-h localhostname] [-r smtphost] [-m transport]
          [-U MAPIUser] [-P MAPIPasswd]
           -t {ToList} -f From [-s Subject] -F File

   {ToList} is a space, comma or semi-colon delimited list of recipients
   Valid transports are XMAPI (allow edit before send), MAPI and SMTP
   Default transport is SMTP


        Al reported that it worked for him with the transport specified
as SMTP, and presumeably his PC having a dialup connection already
established with his ISP (digex).  I tried it from here with exactly
the same switch values as quoted above (and bogus for me) with a dialup
connection established between my PC and my ISP, to see if the software
was capable of being used to send email as if from Al, but in fact from
a spammer.

        If it did work, but bounced, then Al should see the bounce, not
me.  But I doubt it worked as all, even though there were no messages to
indicate that it failed.

        Basically, I'm new to using software of this sort actually on the
PC with dialup connections to ISPs (as opposed to via VMS or Unix shell
accounts), and trying to assess what potentials for abuse exist in such
setups, so as to be sure they are guarded against.

                                Fote
-- 
Foteos Macrides (address@hidden during April, '98)