Success with Sending email without a SMTP Server!!!!

Andre Garzia soapdog at mac.com
Sun Jan 30 16:00:12 EST 2005 

Richard,

yes, you are right! theres no password! Thats the same technique SPAM 
makers use, I checked how they did it so that I could send a email out 
of nowhere. The trick is, instead of me (mail client) talking to my 
SMTP server and then my SMTP server (authentication goes here) talking 
to yours SMTP server (no auth needed) to store a mail for you. The 
protocol is dumb easy... Let me glue a terminal window here for you to 
see:

[soapdog:~] andregar% telnet smtp-mx.mac.com smtp
Trying 17.250.248.49...
Connected to smtp-mx.mac.com.
Escape character is '^]'.
220 smtp-mx.mac.com ESMTP Service
helo localhost
250 mac.com Hello [200.99.97.67], pleased to meet you
mail from: <me at myMailProvider.com>
250 2.1.0 <me at myMailProvider.com>... Sender ok
rcpt to: <soapdog at mac.com>
250 2.1.5 <soapdog at mac.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: <me at WhateverEmailIWant.com>
Subject: My subject

The body of the email.
.
250 2.0.0 j0UKnhfH008111 Message accepted for delivery
quit
221 2.0.0 mac.com closing connection
Connection closed by foreign host.
[soapdog:~] andregar%

See that's all it takes to send an email! the lines starting with 
numbers are the server answers, the others are my hand typed ones. What 
the stack does is exactly that. It talks directly to the receivers SMTP 
server, which is acquired by Shao Sean getMXRecords(). And yes, you can 
use this for SPAM, but your soul will be damned to hell, like all tools 
one can use this for good use or bad use, this would end the problem 
Dan had for he would be able to send emails from his app without the 
need of servers, settings, whatever...


and quoting you: "Surely no one in 2005 aids spammers by turning off 
the default requirement for SMTP authentication (if they did they 
should be fired and forced to wear T-shirt in public reading "I'm the 
reason you get spam")." We can start making the T-shirts....

Of course theres a huge movement not to allow this thing to work, and 
some SMTP Servers will not allow this, they will check to see who's 
talking to them, but since theres a battle between Yahoo! and Microsoft 
on how this spec will come out, no one is making progress. I think AOL 
servers will not allow this thru... but since this was build to send 
reports back home for feedback on our apps, we can try it with our 
server, I checked with my mails from gMail, Apple .Mac and my own 
WeCode.org domain and all those SMTP servers accepted the email without 
complain.

I'll be putting the stack for download in revOnline in couple minutes.

andre





On Jan 30, 2005, at 6:41 PM, Richard Gaskin wrote:

> I don't understand:
>
> If a conversation with an SMTP server doesn't include a password, what 
> will be the outcome?  Surely no one in 2005 aids spammers by turning 
> off the default requirement for SMTP authentication (if they did they 
> should be fired and forced to wear T-shirt in public reading "I'm the 
> reason you get spam").
>
> So if I understand you correctly it still comes down to the question: 
> Is Dan comfortable handing is SMTP password to anyone with a copy of 
> Interarchy or other traffic monitoring tool?
>
> Did I miss something?  Are you suggestion Dan build a mini-SMTP-server 
> capability with into his software?
>
> He could always bypass email altogether and get a working system this 
> afternoon with a CGI....
>
> -- 
>  Richard Gaskin
>  Fourth World Media Corporation
>  ___________________________________________________________
>  Ambassador at FourthWorld.com       http://www.FourthWorld.com
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/use-revolution
>
>
-- 
Andre Alves Garzia ð 2004 ð BRAZIL
http://studio.soapdog.org

More information about the use-livecode mailing list