Checking mail origin?

What is "Wishes" and what are they for?

Hello Guest

• Login
• Register…
• Start blog

• Who, Where, When
• What can I do?
• What to Read?

• Polls
• Avatars
• Interests

• Cities and Countries
• Random blog
• Users search

• Search
• Games
• Tests
• QAIX

• Сообщества
• Talxy Chat
• Horoscope
• Online

Зарегистрируйся!

QAIX > Java Programming > Checking mail origin? 9 January 2002 07:51:38

Recent blog posts:

How to make a Christmas photo…
Every Christmas people take a off from their busy schedule. This is the time they can enjoy with their…

Car web design, motorbike…
If you are looking for Car website design, Auto web design, bike web design, or anything similar our…

The Best Video Converter-a…
iOrgSoft Inc. has released the powerful Video Converter - iOrgSoft Video Converter 1.6.0, the latest…

Photo DVD Maker New Website…
AnvSoft Inc., the multimedia software developer, unveils a new website…

How to rip DVD movie, convert…
It is no doubt that PSP is an excellent game player. However, it is not playing games all the time; you…

World’s Most Unusual Christmas…
This Christmas, don’t go with that ho-hum, run-of-the-tree-farm tree your family always gets…

Facebook account cracker
facebook account cracker (50 GBP) Before you're told what this tool does, it's worth noting that…

BlackBerry Storm review…
As BlackBerry fans, you can’t miss the BlackBerry Storm. At Nov 6th, 2008, the word on the street is…

Review on Any DVD Cloner
Have you ever had a DVD Movie collection broken or lost? Have you ever wanted to backup movies but…

All recruitment agencys come…
What is RCCSS? RCCSS is a new unique peice of software which will scan millions of major sites and…

They have birthday today:

akram mellice

Daffy little vampire

все >>

Forums:

topic feeds

• QAIX all topics, blogs and comments

• PHP web-programming

• Perl web-programming

• ASP web-programming

• Visual Basic Programming

• .Net Development

• C/C++ Programming

• Java Programming

• Javascript web-programming

• Apache HTTP Server

• Web-design

• Web-hosting, dedicated, colocation

• HTML web-programming

• XML development

• General Web-programming

• Content Management Systems

• ColdFusion

• Search Engine Optimization

• Hardware

• Software, Computer Help

• MySQL database development

• PostgreSQL database development

• MS Access database development

• Oracle database development

• MS SQL database development

• Informix database development

• Buy / Sell

• Open discussion

• Anonymous

Discuss:

[EJB 3.0] - PersistenceContext…
I have tried to inject a PersistenceContext into a JSF managed bean POJO as is outlined here. The…

[JBoss jBPM] - Re…
Raj, as I just stated in the other thread you will have to lock on processInstance. What seems to be…

Passing LARGE (1500-2500 chars)…
I want to pass a large (easily 1500-2500 characters) variable between a DHTML object using Jscript over…

Rebuild trailer not found…
Hi, in an application that read information from an Oracle database and create a PDF I get this error…

Recent forum topics:

Rakudo bug reports still go to…
Some of you may have seen the announcements on the Parrot lists that Parrot will be starting to use…

Stop sql Injection attacks and…
HI there, not long ago I found a website explaining a feature of a dbi-addon (or catalyst-addon) which…

[JCA/JBoss] - getOutputStream()…
Hi Guru, My project was developed by using JDeveloper10g. I have deployed the EAR file to…

Recent forum comments:

RE: Macro: Substitution font and…
Not a macro approach, but after you have the data in the page you could just use Edit Select All in…

RE: Macro: Substitution font and…
You wouldn't want to use points to size your characters on the web page. Use pixels, em, en, ex…

RE: Problem with uploader
Matthew Whipple wrote: If the open failed then wouldn't the die kick in and at least say something in…

RE: [JCA/JBoss] - getOutputStream()…
Put Your Java Code in Servlet. It will work fine Try to avoid scriplet in jsp

RE: ASP Access Recordset Paging
Thanks a lot! You've been really helpful. What eventually solved the problem was moving the DB from…

RE: ASP Access Recordset Paging
e.l. wrote: You are not using odbc, so you should have removed those groups from the crosspost. I…

RE: ASP Access Recordset Paging
Thanks for the quick reply. 1. I use MS Office Access 2003 (11.8166.8202) SP3 2. The code of my…

RE: ASP Access Recordset Paging
e.l. wrote: We can't answer without seeing: 1. your database type and version 2. your connection string…

RE: ASP Access Recordset Paging
Hi, I'm having a different problem, but the same error message (ADODB.Recordset (0x800A0CB3) ). I…

RE: how to retrieve CheckBox value…
Evertjan. wrote: More like .Count…

Moderators:

Administrator
Protorioris


Checking mail origin?
Bogdan Stancescu 9 January 2002 07:51:38
	Hi all! I'm working on a free software package due to be launched on freshmeat some time soon (next month most probably). The program is a project development environment, somewhat similar to phpGroupWare but, I like to think, better and with less bugs. Due to the nature of the project I need to be able to give registered users the ability to upload data in the system via e-mail. This obviously means checking who the originator of the e-mail is, apart from actually processing the e-mail (which works fine). My problem is, how do I check that securely? I'm currently using the headers of the e-mail for the "from:" field and check it against the registered users' e-mail addresses. Works fine. But I guess that's pretty easy to trick. I basically have two concerns: one is that a person may send an e-mail with fake headers. The other is that a user (or non-user) on the same domain with another user would be able to send messages using the second guy's e-mail account (that's because SMTP doesn't have any security mechanism and one can easily impersonate somebody else once they're logged on a computer with SMTP permissions on the mail server). Did anybody run into this kind of problem? Any suggestions? Thanks in advance - I'll let you know when we release this thing if you're interested. Bogdan
		Add comment


Bogdan Stancescu 9 January 2002 06:19:24 [ permanent link ]
	Billy Harvey wrote: Bogdan, a technique I've used in the past may work for you.> When someone wants to upload something, I have them request a cookie by> sending a blank email to a specific address. This automatically> generated cookie is good for some limited time (whatever works for you),> and will only be sent to appropriate return addresses (I use a web form> to allow the proper registration of those addresses).> This cookie then needs to be used in the subject-line of the email - a> reply to the message would work for example.> So, if your system gets an email with a specially formatted, and> short-lived (randomly generated) cookie in the subject, it knows what to> do with it.> Billy Thanks for taking the time to reply! That's the proper (and definitely secure) way to do it. However I'm looking for something not necessarily that secure, because the servers won't be public, but with a more "on-the-fly" approach for the user. You see, this feature is the alternative to uploading data by logging in the system. Logging in is no big deal - just type your username and password and you're there. Two clicks away and you can upload. This, however, would be a simple way to send an e-mail on a project you're working on to another user and simply CC the system so there's a copy there for everybody to see without spamming all the people involved. The same can be accomplished by sending the e-mail to the user, logging in and pasting the message and upload the document via HTTP. But isn't this too complicated for the average user? I have two vague directions to accomplish the results I'm looking for, but I don't know if any of them is reliable/possible. The first method involves taking a better look at those headers. I noticed there are a bunch of originating information headers in the e-mail. How secure would it be to use them? Should I expect them to be there or is it that the mail servers I tested this on are nice enough to include that information? The second approach is based on the fact that the environment this system will work in is known - it's made of people who trust the company which installed the system. As such, they can easily be persuaded to perform action "X" which would result in adding a certain "secret" header to their e-mail messages. This secret header would be an all-time cookie for the respective user - the system would recognize the user by it and allow the e-mail to get posted. The second approach is rather poor even if someone can suggest some practical directions for action "X" because the whole idea behind the system is mobility and I wouldn't want users not to be able to send e-mail messages to it just because they're not using the computer in the office. I jotted it down however, so you can get an idea of where my thoughts are going... Bogdan
		Add comment


Tom Rogers 9 January 2002 06:52:22 [ permanent link ]
	Hi You could get all your users to add an encrypted signature to their emails and check that on recieipt. Tom At 11:35 AM 9/01/02, Bogdan Stancescu wrote:>Hi all!> I'm working on a free software package due to be launched on freshmeat>some time soon (next month most probably). The program is a project>development environment, somewhat similar to phpGroupWare but, I like to>think, better and with less bugs.> Due to the nature of the project I need to be able to give registered>users the ability to upload data in the system via e-mail. This>obviously means checking who the originator of the e-mail is, apart from>actually processing the e-mail (which works fine).> My problem is, how do I check that securely? I'm currently using the>headers of the e-mail for the "from:" field and check it against the>registered users' e-mail addresses. Works fine. But I guess that's>pretty easy to trick.> I basically have two concerns: one is that a person may send an e-mail>with fake headers. The other is that a user (or non-user) on the same>domain with another user would be able to send messages using the second>guy's e-mail account (that's because SMTP doesn't have any security>mechanism and one can easily impersonate somebody else once they're>logged on a computer with SMTP permissions on the mail server).> Did anybody run into this kind of problem? Any suggestions?> Thanks in advance - I'll let you know when we release this thing if>you're interested.> Bogdan> -->PHP General Mailing List (http://www.php.net/)>To unsubscribe, e-mail: php-general-unsubscribe@lists.php.net>For additional commands, e-mail: php-general-help@lists.php.net>To contact the list administrators, e-mail: php-list-admin@lists.php.net
		Add comment


Miles Thompson 9 January 2002 07:12:47 [ permanent link ]
	Bogdan, Penny just dropped with what Tom suggested. REad up on how Debian does it, use the web of trust approach. Miles At 12:52 PM 1/9/2002 +1000, Tom Rogers wrote:>Hi>You could get all your users to add an encrypted signature to their emails >and check that on recieipt.>Tom> At 11:35 AM 9/01/02, Bogdan Stancescu wrote:>>Hi all!>> I'm working on a free software package due to be launched on freshmeat>>some time soon (next month most probably). The program is a project>>development environment, somewhat similar to phpGroupWare but, I like to>>think, better and with less bugs.>> Due to the nature of the project I need to be able to give registered>>users the ability to upload data in the system via e-mail. This>>obviously means checking who the originator of the e-mail is, apart from>>actually processing the e-mail (which works fine).>> My problem is, how do I check that securely? I'm currently using the>>headers of the e-mail for the "from:" field and check it against the>>registered users' e-mail addresses. Works fine. But I guess that's>>pretty easy to trick.>> I basically have two concerns: one is that a person may send an e-mail>>with fake headers. The other is that a user (or non-user) on the same>>domain with another user would be able to send messages using the second>>guy's e-mail account (that's because SMTP doesn't have any security>>mechanism and one can easily impersonate somebody else once they're>>logged on a computer with SMTP permissions on the mail server).>> Did anybody run into this kind of problem? Any suggestions?>> Thanks in advance - I'll let you know when we release this thing if>>you're interested.>> Bogdan>> -->>PHP General Mailing List (http://www.php.net/)>>To unsubscribe, e-mail: php-general-unsubscribe@lists.php.net>>For additional commands, e-mail: php-general-help@lists.php.net>>To contact the list administrators, e-mail: php-list-admin@lists.php.net> -->PHP General Mailing List (http://www.php.net/)>To unsubscribe, e-mail: php-general-unsubscribe@lists.php.net>For additional commands, e-mail: php-general-help@lists.php.net>To contact the list administrators, e-mail: php-list-admin@lists.php.net
		Add comment


Bogdan Stancescu 9 January 2002 07:51:38 [ permanent link ]
	Thanks for all the suggestions! I found something which suits me just fine based on your ideas - wanted to share it. The system separates most of the elements in the database (including the e-mails) based on project. That means that the users are notified when a project is created and given a specific e-mail address to use for that specific project. They then use the respective e-mail address to send e-mail messages and the system parses the "to:" field to set the proper project for the newly uploaded e-mail. The addresses are of the form "OPT archive #7 <opt@server.com>" for project 7 (OPT is the name of the software package). So, my solution is simply using distinct e-mail addresses for each user of the form "OPT *A5BD8 #7 <opt@server.com>", where A5BD8 would be the first five characters in the user's hashed password in the database. I may implement an optional high-security mechanism based on Billy's suggestions, but I don't know if this would be actually needed for the access level breaching this security system allows - I mean, if you do trick the system, all you're able to do is post an e-mail. The real user you're impersonating doesn't have any problems deleting it once logged in, so no harm done! Thanks again! Bogdan
		Add comment

QAIX > Java Programming > Checking mail origin? 9 January 2002 07:51:38

	see also: OT: Re: pure virtual function eBook.pdf Re: ABOUT THE GROUP		пройди тесты:		see also: MY SISTER DREAMT SO MUCH ABOUT ME THOSE… MY SISTER AND ME, WOULD LAUGH TOGETHER… MY SISTER GOT A LITTLE ANGRY WITH ME…

Copyright © 2001—2008 QAIX
Idea: Miсhael Monashev
Помощь и задать вопросы можно в сообществе support.qaix.com.
Сообщения об ошибках оставляем в сообществе bugs.qaix.com.
Предложения и комментарии пишем в сообществе suggest.qaix.com.
Информация для родителей.
Write us at:

If you would like to report an abuse of our service, such as a spam message, please .




Get comments by e-mail Add to favourites

Пожалуйста, относитесь к собеседникам уважительно, не используйте нецензурные слова, не злоупотребляйте заглавными буквами, не публикуйте рекламу и объявления о купле/продаже, а также материалы нарушающие сетевой этикет или УК РФ.

Checking mail origin?

Add new comment