I have a website, example.com, hosted at GoDaddy. I was just messing around with PHP’s mail function and uploaded the following to my website at example.com:
<?php
// The fourth argument is written straight into the message headers; nothing checks the From: domain.
mail( "someone@yahoo.com", "test", "test message", "From: someone@gmail.com" );
Why does this work? I mean, it shouldn’t, right? The “From” address domain isn’t “@example.com”. Yet, when I check my email at someone@yahoo.com, I get the message from someone@gmail.com… How is it that I’m able to (potentially) send an email from anyone’s email account without their password?
This is possible because you can put whatever you want into the e-mail headers, including a totally arbitrary sender address. You are right, though: security-conscious providers will usually configure their outgoing mail service so that it accepts only sender addresses residing on the server the mail is sent from, but they don’t have to.
Also, on the receiving end, messages whose sender address belongs to a domain that is not associated with the sending mail server very often end up in the Spam folder.
It’s (as you already know) very bad practice to make use of this. As to whether the provider is at fault: it could be anything from a sign of trust (if you are the only user on the server, or one of a select few clients) to carelessness. You may have reason to complain, because if one of your web-hosting neighbours misuses this to send spam, the server’s IP address might get blacklisted, causing any e-mail coming from it (legitimate or not) to get caught in spam filters.
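The separation the answer describes, shown as an added example that is not part of the question or the answer: the From: header that the recipient sees and the SMTP envelope sender (MAIL FROM) are two independent values, which is why PHP's mail() can put any address in the header. The second half is a simplified stand-in for the check a receiving server applies (real receivers query the sender domain's SPF and DMARC records in DNS); the hostnames, IP addresses and the AUTHORIZED_SENDERS table are constructed for illustration.

```python
"""
Added example, not code from the original post. Shows that the From: header
and the SMTP envelope sender are independent, and a simplified receiver-side
check of the kind that lands a mismatched message in the Spam folder.
All hosts, IPs and the AUTHORIZED_SENDERS table below are constructed.
"""
from email.message import EmailMessage
from email.utils import parseaddr


def build_message(header_from, to_addr, subject, body):
    """Build the message the way PHP's mail() does: the From: header is
    whatever the caller passes in, with no check against the sending host."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def smtp_transcript(envelope_from, envelope_to, msg):
    """Render the client half of an SMTP session. The envelope sender in
    MAIL FROM is a separate value from the From: header sent inside DATA."""
    lines = [
        "EHLO web01.example.com",            # constructed hostname
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{envelope_to}>",
        "DATA",
        msg.as_string().rstrip("\n"),
        ".",
        "QUIT",
    ]
    return "\n".join(lines)


# Constructed stand-in for an SPF lookup: which hosts may send for which domain.
AUTHORIZED_SENDERS = {
    "example.com": {"203.0.113.10"},   # the shared web host's outbound IP (made up)
    "gmail.com": {"198.51.100.5"},     # made-up address, for illustration only
}


def domain_of(address):
    """Return the lower-cased domain part of an address such as 'Name <a@b>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def receiver_verdict(sending_ip, envelope_from, msg):
    """Simplified receiver policy. First an SPF-style check on the envelope
    sender; then a DMARC-style check that the visible From: domain also
    authorises the connecting host. Returns 'reject', 'spam' or 'accept'."""
    env_domain = domain_of(envelope_from)
    hdr_domain = domain_of(msg["From"])
    if sending_ip not in AUTHORIZED_SENDERS.get(env_domain, set()):
        return "reject"   # envelope sender is forged for this host
    if sending_ip not in AUTHORIZED_SENDERS.get(hdr_domain, set()):
        return "spam"     # envelope is fine, but the visible From: is not
    return "accept"


if __name__ == "__main__":
    # The questioner's case: example.com's host sends with a gmail.com From: header.
    spoofed = build_message("someone@gmail.com", "someone@yahoo.com", "test", "test message")
    print(smtp_transcript("www-data@example.com", "someone@yahoo.com", spoofed))
    print(receiver_verdict("203.0.113.10", "www-data@example.com", spoofed))
```

Run as a script to see the full SMTP transcript for the questioner's message; the verdict printed for it is "spam", while the same message with a From: address on example.com is accepted, and forging the envelope sender as well gets the message rejected outright.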