I logged into my Outlook, changed my email address to his email address, and sent the email to firstname.lastname@example.org.
Dustin mentioned in his article that he didn't require a password, and I wanted to see if he had used the confirmation skip.
Just wanted to apologise to Dustin about any inconvenience, but I do hope I opened his eyes to security a little!
EDIT: A little bit of backstory.
Dustin seems to think that I did this because of a comment he made on how the headers could be forged. I had not read this comment. In fact, I read his article and, using the knowledge I picked up years ago that you could change the outgoing email address in Outlook (although it was Outlook Express in those days), I changed my email to his email.
I saw his email on his website (email@example.com) and thought, "No, he wouldn't be sending his personal emails from that address, that's silly."
I checked the WHOIS on his domain, and saw another email address there. I changed my email, sent a quick "Apparently..." message, and then changed it back to my original email address. I checked his blog, and it didn't seem to work.
I then went to sign up for my own Posterous, to play a bit more, and I saw that you had to authorise your posts. Then I saw how this could be disabled for convenience. A few minutes later and the post showed up.
I am a Web Developer, I have experience with bash scripting, curl, sendmail and everything else you would need to fake headers.
I did not fake headers; I changed one field in Outlook. I didn't do this maliciously, and I just did it to prove a point.
Posterous should not be using email alone to authorise posts, and they should not let you disable submission checking.
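
The difference between the two acceptance policies described above, as an added example that is not part of the original post and not Posterous's code. The account table, addresses, server key and function names are all constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SERVER_KEY = b"constructed-demo-key"            # assumption: secret held by the service
ACCOUNTS = {"owner@example.com": "owner-blog"}  # constructed account table

# Constructed message. The From field is whatever the sending client was set to.
SPOOFED = """\
From: Owner <owner@example.com>
To: post@blog.example
Subject: Apparently...

Body typed by someone who is not the owner.
"""

def sender(msg):
    """Address taken from the From header, which the sender fully controls."""
    return parseaddr(msg.get("From", ""))[1].lower()

def accept_from_only(raw):
    """Weak policy: confirmation disabled, publish if From matches an account."""
    return sender(message_from_string(raw)) in ACCOUNTS

def confirmation_token(raw):
    """Token bound to this exact message; mailed to the account's real mailbox."""
    msg = message_from_string(raw)
    data = sender(msg).encode() + b"\0" + raw.encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def accept_with_confirmation(raw, presented_token=None):
    """Hardened policy: hold the post until the mailbox owner returns the token."""
    if sender(message_from_string(raw)) not in ACCOUNTS:
        return "rejected"
    if presented_token is None:
        return "pending"  # nothing is published; the token goes to the owner
    ok = hmac.compare_digest(presented_token, confirmation_token(raw))
    return "published" if ok else "rejected"

if __name__ == "__main__":
    print("From-only policy publishes:", accept_from_only(SPOOFED))
    print("Confirmation policy:", accept_with_confirmation(SPOOFED))
```

Under the second policy the person who changed the From field never sees the token, because it is delivered to the real mailbox, so the post stays pending.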