Thursday, May 1, 2008

False Sense of Security in SMTP Authentication

Lately, I have been receiving spam e-mails sent to myself using my own e-mail address. I did a simple test using Microsoft Outlook Express. With SMTP authentication disabled, I sent an e-mail to myself and to another yahoo account. I managed to receive the e-mail to myself but not the yahoo account. But with SMTP authentication enabled, both e-mails were received.

Initially, I thought the setting of SMTP authentication on my hosted e-mail server has changed. So, I called my e-mail service provider. After a long conversation, it is possible for this to happen. Any person can spoof an e-mail address and send e-mails to the same e-mail address without SMTP authentication. But, if that person tries to send e-mail from a domain to a different domain e-mail address, it will not work. According to support, SMTP authentication only prevents the abuse of the e-mail server from sending spam e-mails to others but not to yourself. You can look at the header of the e-mail address to confirm the ip address of the sender.

No comments: