(edited slightly)
>Possibly the reason is that teachers and administrators have one server and
>students have another. The students' is called "stumail" and any recipient of
>mail from a student would recognize that it came from a student.
It's totally trivial to redirect outgoing mail to a different SMTP server
than the one on which you receive incoming mail. You can even embed
multiple layers in the address and send your message on a grand tour of the
network (some servers will refuse to forward mail with this sort of
address, but most will). I often use this capability to test my server's
reception of off-campus messages.
>In addition, our mail program requires that real names must be attached to all
>mail messages. Without it, the mail would be returned to the sender. We use
>POPMail, a free program from the University of Minnesota. We like this program
>because it is visual and easy to set up...even for the first graders who have
>their own accounts.
I haven't seen POPMail in a while (we use Eudora), but the last time I saw
it you could fill in pretty much anything you wanted in the name slots and
it would still work as long as you use a valid server. Only receiving mail
requires a password.
>If a student would try to use teacher/administrator mail, the student would
>need to know the teacher's password which is different than what the students
>use; teachers/administrators can and do change their password so that no one
>would know it.
They don't have to sign on as the teacher; all they have to know how to do
is fill in a bogus address and redirect the mail. You can even Telnet
directly to the SMTP port on a server and type commands to it like you were
another server. This is a little more complicated, and requires knowledge
of the SMTP protocol, but it's easily done. Again, some servers are more
secure than others, but the vast majority are wide open.
>Unless I'm missing something here, I don't see how mail spoofing could occur.
>The trick is to have two servers.
You are missing a fair amount. Fortunately, most of the students are
probably missing it too. One of our Data Center consultants once claimed
on a campus-wide listserver list that it was impossible to send spoofed
messages on campus. The resulting flood of bogus addresses on messages
almost choked the list... *heh*. It would be pretty easy to send a spoofed
message from the president or some other unlikely source to EdTech to
demonstrate these techniques, but I'm sure Vickie and the other moderators
and helpers don't need the resulting headaches (subscribing from
non-existent addresses, bouncing echoed messages, etc.).
-- Bruce Carter, Instructional Software Designer (208)385-1851@voice
Boise State University, Boise, ID 83725 (208)385-1856@fax
http://mentor.idbsu.edu/BruceCarter/home.html bcarter@mentor.idbsu.edu
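
An added example, not part of the original message: because the name and address in a message are whatever the sender typed, a receiving server can only rely on what it recorded itself about the connection. The sketch below compares the From domain with the peer IP in the topmost Received line; the host names, address ranges, Received-line layout and sample messages are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed site policy (assumption): networks allowed to submit mail per From domain.
OUR_SERVER = "staffmail.school.example"
ALLOWED = {
    "staffmail.school.example": [ipaddress.ip_network("192.0.2.0/25")],   # staff offices
    "stumail.school.example": [ipaddress.ip_network("192.0.2.128/25")],   # student labs
}
# Assumed sendmail/Postfix-style layout: from <helo> (<rdns> [<ip>]) by <host> ...
RECEIVED_RE = re.compile(r"from\s+\S+\s+\([^)]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def connecting_ip(msg):
    """Peer IP logged by our own server; only the topmost Received line is trusted."""
    lines = msg.get_all("Received", [])
    m = RECEIVED_RE.search(lines[0]) if lines else None
    if not m or m.group(2).lower() != OUR_SERVER:
        return None
    return ipaddress.ip_address(m.group(1))

def classify(raw):
    msg = message_from_string(raw)
    # The From header is sender-supplied text; take its domain as a claim to check.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = connecting_ip(msg)
    if domain not in ALLOWED:
        return "external-or-unknown"
    if ip is None:
        return "no-trusted-hop"
    return "consistent" if any(ip in net for net in ALLOWED[domain]) else "suspect"

# Constructed samples. HELO name and lower Received lines are sender-controlled,
# so the second message's "staffpc" claims are ignored in favour of the logged IP.
GENUINE = """\
Received: from staffpc (staffpc.school.example [192.0.2.20])
\tby staffmail.school.example with SMTP; Mon, 1 Jan 1996 09:00:00 -0700
From: "A. Teacher" <teacher@staffmail.school.example>

Room 12 at 3pm.
"""
SPOOFED = """\
Received: from staffpc (lab7.school.example [192.0.2.200])
\tby staffmail.school.example with SMTP; Mon, 1 Jan 1996 09:05:00 -0700
Received: from staffpc (staffpc.school.example [192.0.2.20])
\tby staffmail.school.example with SMTP; Mon, 1 Jan 1996 09:04:00 -0700
From: "A. Teacher" <teacher@staffmail.school.example>

No homework this week.
"""
```

A "consistent" result only means the message entered from an expected network; it says nothing about who on that network typed the name.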