Charlie Tame wrote:
t-4-2 wrote:
The " keeper " is a classmate with her husband as technical support.
None of them could it figure out.
t-4-2

"FromTheRafters" wrote in message
...
"t-4-2" wrote in message
...
Not sure where to post this question.
WLM 14v.
My alumni group website received an anonymous letter with invalid
(fake ) address.
This alumni group site is Membership Only. Members must provide
valid e-mail addresses and nobody is to send messages to the group
without membership and valid acknowledged address.
So, my question is, how did this happen ? How did the message get
through, and how did the sender use faked address and still be able
to send the message out ? We want to stop this. Please advise. Thank
you.
P.S. The anonymous message is NOT malicious. It contains concern of
group's policy and requests changes. It is obviously sent by a
current member. But still ........ did we get hacked ?
t-4-2

It seems to me that the software at the website that is supposed
to filter out e-mail that doesn't comply with having acknowledged
addresses is broken - or that the perpetrator has access to the
acknowledged and accepted e-mail to edit it with a fake address
after it has arrived.

Who has the keys to the kingdom?



Most mail clients allow a person to use a "Reply to" address. Most of
them use this if you supply it, if you do not then they use the "Real"
email address you used to set up the account. For example I could have
for one account and for another but in
the first I use as the "Reply to" address thus no
matter which I am using to "Send" with, the replies when people click on
"Reply" will come to the same address, .

(Both of those are "Fake" by the way because posting an email address in
a newsgroup like this will get you 1000 spam emails a day

So it is perfectly possible that the person has a fake address for good
reason and accidentally posted to the group using it, the address your
server saw may have been his / her real one, although you would normally
"See" the fake reply to address listed in the post.

But, you also asked how he / she was able to send the post. Well, his /
her sending server probably doesn't care, in fact it's your receiving
server that has to care, and generally there would be a list of
acceptable senders usually called a "White List". Even if there IS a
white list it can still fall victim to "Fake" addressing, but that's not
something you can ever totally prevent.

I think you may be worrying about something that is not terribly
important, especially as the post was not malicious.

"FromTheRafters" wrote in message
...

Spam often uses *real* e-mail addresses - not the *correct* ones, but real
nonetheless.

More often they don't. Most often it is not possible to find an email
address in the message that identifies who sent the message. If it were that
easy, spam sent by that person would be eliminated. Only an amateur spammer
would send spam with a *real* e-mail address anywhere in the message, except
for using someone else's address in which case it is worse than none at all.

If *real* e-mail address means someone else's email address, then in the
context of my message, it is irrelevant whether the e-mail address is
*real*. I said "separate the good from the bad", and when someone else's
email address is used, a *real* e-mail address is either not useful or
results in an invalid diagnosis. The invalid diagnosis is exactly why they
use *real* e-mail addresses.

"Sam Hobbs" wrote in message
...
"FromTheRafters" wrote in
message ...

Spam often uses *real* e-mail addresses - not the
*correct* ones, but real nonetheless.

More often they don't. Most often it is not possible to
find an email address in the message that identifies who
sent the message.

Still not the point. Even if the e-mail address does not
identify who actually sent the message - it can still be a
*real* e-mail address.

If it were that easy, spam sent by that person would be
eliminated. Only an amateur spammer would send spam with a
*real* e-mail address anywhere in the message, except for
using someone else's address in which case it is worse
than none at all.

But it is *real* and can be verified as *real*.

If *real* e-mail address means someone else's email
address, then in the context of my message, it is
irrelevant whether the e-mail address is *real*.

Sorry, I substituted *real* for the OP's *valid*. There is a
difference between *my* real address and *any* real address.
If his software is supposed to check the validity of e-mail
addresses before allowing e-mail to be posted, that doesn't
necessarily mean it checks that it is the real address of a
member.

If that *is* the function, then it is even more broken than
I imagined.

I said "separate the good from the bad", and when someone
else's email address is used, a *real* e-mail address is
either not useful or results in an invalid diagnosis. The
invalid diagnosis is exactly why they use *real* e-mail
addresses.

Yes, if all it took to filter out spam was to check the
validity of e-mail addresses (and all spam used invalid
addresses) it would be a snap. That is *not* the case, and
the OP was not talking about spam filtering. He evidently
wants accountability for members' posted e-mails.

Anyway, either the filtering doesn't work, or the e-mail's
*valid* address is edited out after being posted.