mouss wrote:
the user can simply send any messages he wants with a tcp connection. so
what's the problem?


A problem arises when an untrusted user is enabled to send any message
he wants over that tcp connection. Imagine you create a cgi script that
relies on the code in my earlier posting. If a web page visitor fills
out a form and sends the data to that cgi script and if you do not check
the submitted data you potentially enable anybody to send mail he wants
to even if you didn't plan to. Even if most people wouldn't do that.
That's what my question was about. I hope I could answer your question
without going into detail. You will also find dozens of postings if you
search the internet for "mail header injection". But now you know that
some of the examples in those publications are only correct if the
administrator invokes sendmail with the -bs option. :-)

Best regards,

Oliver Block
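
The check the message above calls for, as an added example that is not part of the original post or of the code from the earlier posting: form fields are validated before they are written into an SMTP dialogue meant for the standard input of `sendmail -bs`. The function names, the address pattern and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed, deliberately conservative address pattern (assumption): no
# whitespace, control characters or angle brackets are accepted, so the value
# cannot terminate the SMTP command line it is placed in.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def check_address(value):
    """Return value if it is safe inside MAIL FROM:<...> / RCPT TO:<...>."""
    if not _ADDR.fullmatch(value):
        raise ValueError("rejected address: %r" % value)
    return value

def check_header_value(value):
    """Reject CR, LF and NUL so a field cannot start a new header or command."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("control character in header value")
    return value

def dot_stuff(body):
    """Normalise line endings to CRLF and double every leading dot, so a lone
    '.' line in the submitted text cannot end the DATA section early."""
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join("." + l if l.startswith(".") else l for l in lines)

def build_dialogue(sender, rcpt, subject, body):
    """Build the SMTP dialogue for `sendmail -bs` from untrusted form fields."""
    sender, rcpt = check_address(sender), check_address(rcpt)
    subject = check_header_value(subject)
    return "\r\n".join([
        "HELO localhost",
        "MAIL FROM:<%s>" % sender,
        "RCPT TO:<%s>" % rcpt,
        "DATA",
        "From: %s" % sender,
        "To: %s" % rcpt,
        "Subject: %s" % subject,
        "",
        dot_stuff(body),
        ".",
        "QUIT",
        "",
    ])
```
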

