johndix@ix.netcom.com (John Dix) writes:

I've mentioned to Netnews that a good first step would be to make it harder to forge messages by changing the news software to no longer accept a user-supplied "Sender:" line in the article header, and he has agreed. However, I fail to understand just *what* is taking so long to make this (much needed) change.

The problem here is that the news transport mechanism is not particularly resistant to arbitrary text being posted by a user. Newsreaders can check for forged "From:" or "Sender:" lines, but newsreaders then call shell scripts like inews and injnews to process their material. Users can call these scripts directly and bypass any checks by the newsreader. None of this requires any special privs, and only the lowest level of the news transport mechanism, relaynews, requires set-user-id netnews to function. The latest version of Tin does check for forged "From:" lines, but the version Netcom runs allows anything to be posted. Fudging the lower levels of the news transport mechanism to check "From:" and "Sender:" lines can mess up other things, since processes may need to inject news into the news stream which they themselves did not author. One solution to the problem is to have a secure level of the news transport mechanism add an "Originator:" line to every message which it handles. This will identify users attempting forgeries, and will not require munging of an existing header line. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $