I just noticed that when making an identity, a user can actually clone an existing email to use for malicious purposes. Like, he can create an identity of [email protected] and set it to reply to his email. This is a crude way to fetch vital info but it actually works. So in this case, the mail server (your site) may be in any way reliable to such action.
The pro is that it is really fun to play around with the identities. LOL.
What do you guys think of this?
You can do this with pretty much any mail client program in existence, so it's not a new issue.
It might be nice to have the option to lock identities to @yourdomain.com, but some people rely on the fact that they can put any e-mail in there, especially if they have multiple addresses filter into one single account.
There are also very few mail servers out there that restrict this on the SMTP level (Verizon used to, I don't know if they still do). It's also one of the things that SPF is trying to protect against.
It's one of the many fundamental flaws of SMTP...
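An added example, not part of the thread and not code from any webmail project: one way a webmail front end could restrict identities while still allowing users with several addresses, by accepting only the account's own mailbox plus addresses it has verified. The domain, the `VERIFIED_ALIASES` table, the function names and the stricter Reply-To rule are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumed policy values (hypothetical, not from the thread).
LOCAL_DOMAIN = "yourdomain.com"
# Extra addresses each account has proven it owns (constructed sample data).
VERIFIED_ALIASES = {"alice": {"alice@example.org"}}


def _addr(value):
    """Return the bare lower-cased address from a header value, or None."""
    _, addr = parseaddr(value or "")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return addr.lower()


def check_identity(account, from_value, reply_to_value=None):
    """Decide whether `account` may save an identity with these headers.

    Returns (allowed, reason). From must be the account's own mailbox or a
    verified alias; Reply-To, if set, must also be one of those addresses.
    """
    from_addr = _addr(from_value)
    if from_addr is None:
        return False, "unparsable From address"
    own = {f"{account}@{LOCAL_DOMAIN}"} | VERIFIED_ALIASES.get(account, set())
    if from_addr not in own:
        return False, "From address not owned by account"
    if reply_to_value:
        reply_addr = _addr(reply_to_value)
        if reply_addr is None:
            return False, "unparsable Reply-To address"
        if reply_addr not in own:
            return False, "Reply-To redirects to unverified address"
    return True, "ok"
```

A check like this only governs what the webmail itself will send; it does not stop other clients from forging the same headers, which is the gap SPF addresses on the receiving side.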