
Re: lynx-dev sendmail


From: David Woolley
Subject: Re: lynx-dev sendmail
Date: Tue, 21 Apr 1998 07:04:04 +0100 (BST)

Fote wrote:
> 
> address@hidden (Al Gilman) wrote:
> >>In this case, I would try access.digex.net as the -h.  I am not 100% sure
> >>what the "right" value is, but I thought it pertained to where the mail

The right value for -h is the reverse resolved form of your IP address;
if you can't reverse resolve it at all, change ISP, as you will have a
lot of hassle from the better protected servers on the net.  However,
resolving it on the fly can be a hassle.  Using the relay's own name
is characteristic of spam generated by Stealth Mailer, so I wouldn't 
do it unless your ISP tells you to do so.  In default of a properly
reverse resolved name, I would use asgilman.access.digex.net, but 
generally SMTP predates dynamic IP.  (Don't use a domain literal - 
that's another spam marker!)

> >
> >The two values for -r I have used are "mail.access.digex.net" and
> >[204.91.241.5]", which is one of the two IP numbers in the above

I wouldn't particularly expect it to work with the square brackets, but
if you have a reasonable TCP/IP implementation, you should use the
relay's name, not the IP address.

> 
>       It seems unlikely that any ISP would let you access its SMTP server
> using Lynx from a PC (as opposed to an already logged in shell account)
> without authorization, either via your username and a mail account password,

There is no provision for authorisation in the standard SMTP protocol;
Eudora and Pegasus will check your POP3 password, but that is a precaution
against naive forgery in the user agent, not against a sophisticated
forger.

Any well run site, these days, will, however, check your IP address and
reject mail unless it belongs to a customer or the destination address
belongs to a customer (the lynx list host site appears to do this, and
to reject outright addresses that don't reverse resolve).  Some will
reject mail if the -h (HELO) value doesn't cross-check, but you wouldn't
expect that of a dynamic IP ISP.

Note that it is normal, in all but the Windows world, to make an SMTP
connection direct to the destination's incoming mail relay, which
can't know how to authenticate you.  (KA9Q will do this for DOS,
hence the limitation to Windows!)

> or using your usual login password encrypted with Virtual Key.  That
                                                    ^^^^^^^^^^^
Sounds like a marketing name for the, far from universal, APOP protocol,
which requires the service provider to hold a clear text password.  I
think there may be a very recent authentication option for SMTP as well.

> ill
> at that stage of trying to become familiar and facile with the stock MS
> stuff, which in this case is Outlook Express for mail, but I presume it

Outlook Express is generally quite broken.  I'd advise Eudora Lite for
a competent but simple program and Pegasus Mail for a power user program,
although still simple in basic use.  Both of which use MIME much more
correctly and don't generate broken HTML at the slightest provocation.

> similarly has a configuration menu for choosing username/password versus
> Virtual Key authorization.  The issue is that a snooper could capture your
> username/password and use it to spam from your network email account.  The

Currently the only reliable way of tracing spam is to correlate the
source IP address and time in the mail logs, or Received headers, with
the authentication logs for the PPP server.  This is what most ISPs who
are competent enough to trace it will do.

Incidentally, the reality is that it is very difficult to tap a 
high speed modem connection (you need a four wire tap, which means the 
telco central office or backbone or physically cutting the wire).  For
most people the real threat is from the ISP, and they may need a clear
text password for encrypted passwords.  Even if you double hash, like
Microsoft's authentication protocol, the first stage of hashing is only
done if you use the official user agent; anyone implementing the protocol
directly can treat the hashed password as though it were a clear text one.
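
The correlation described above (source IP address and time from a Received header, matched against the PPP server's authentication logs), as an added example that is not part of the original message. The log layout, user names, host names and addresses are constructed, and the session times are assumed to be recorded in UTC.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed PPP accounting records: (user, assigned IP, start, stop), UTC.
# The same dynamic address is handed to two users in turn.
PPP_SESSIONS = [
    ("alice", "192.0.2.17", "1998-04-21 05:10:00", "1998-04-21 05:55:00"),
    ("bob",   "192.0.2.17", "1998-04-21 06:01:00", "1998-04-21 06:40:00"),
    ("carol", "192.0.2.44", "1998-04-21 06:00:00", "1998-04-21 07:00:00"),
]

# Constructed Received header. The name after "from" is the sender-supplied
# HELO value; the bracketed address is what the receiving server recorded.
RECEIVED = ("from relay.example.net (dial17.example.net [192.0.2.17]) "
            "by relay.example.net with SMTP id GAA01234; "
            "Tue, 21 Apr 1998 07:04:04 +0100 (BST)")


def parse_received(header):
    """Return (source_ip, time_in_utc) taken from one Received header."""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header).group(1)
    date_text = header.rsplit(";", 1)[1].strip()
    date_text = re.sub(r"\s*\([^)]*\)\s*$", "", date_text)  # drop "(BST)"
    return ip, parsedate_to_datetime(date_text).astimezone(timezone.utc)


def sessions_for(ip, when, sessions=PPP_SESSIONS, skew=timedelta(minutes=2)):
    """List users whose session held `ip` at `when`, allowing clock skew.

    A list is returned so that an ambiguous match (two sessions inside the
    skew window) stays visible instead of being silently resolved.
    """
    hits = []
    for user, addr, start, stop in sessions:
        t0 = datetime.strptime(start, FMT).replace(tzinfo=timezone.utc)
        t1 = datetime.strptime(stop, FMT).replace(tzinfo=timezone.utc)
        if addr == ip and t0 - skew <= when <= t1 + skew:
            hits.append(user)
    return hits


if __name__ == "__main__":
    src_ip, seen_at = parse_received(RECEIVED)
    print(src_ip, seen_at.isoformat(), sessions_for(src_ip, seen_at))
```

The header's local time (07:04:04 +0100) has to be normalised before comparison; matching it unconverted against UTC session records would find no session at all for that address.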
