I have a business Google Apps account to handle my email. If I use Python to write an email and use the Google SMTP server [login to view URL] (looked up from my domain's MX record) and forge the From as anything @ [login to view URL], the email comes through even though I never authenticated to the SMTP server.
This project is to talk to me, and tell me why this works, and how to defend against it.