Re: SMTP, 2600, and the security of mail


Charles Hedrick (hedrick@topaz.rutgers.edu)
Sat, 27 Sep 86 22:49:11 edt


It is moderately obvious from the protocol that you can spoof SMTP.
What we tell our users about mail is the following:
  - here is how to tell from the headers whether a message was
        delivered locally or via SMTP. (Details vary per system.)
  - mail that is delivered locally is probably from the person
        it claims to be. That depends upon the overall security
        of the system, which is never perfect, but probably it is
        OK. But don't stake your life on it.
  - for mail that came in via network, all you can really be sure
        of is the identity of the most recent host in the link. The
        received line will show the name of that host. If the host
        claimed to be someone other than it was, we will tell you.
        (This is in the DEC-20 implementation. I'm not sure whether
        our Unix code does this. But I think it does.) Unfortunately,
        the protocols are such that even if that machine is secure,
        a user on it could send mail to us claiming to be absolutely
        anyone he wanted to be.
In general, if you want to be more certain who the mail came from,
send a response back, referring to the message. If you get a
message "what are you talking about?" you know you have been
spoofed. This assumes that the system the author is residing on
keeps his mail private.

You don't need C code to do this spoofing. Just say "telnet host 25".
That will connect you to their SMTP server. You can then type a message
claiming to be anybody you like. We use this for debugging. The
format of the commands is simple enough that it is perfectly practical
for a person to do.
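The exchange Hedrick describes, both sides of it, as an added example that is not part of the original message: a toy receiving MTA on the loopback interface, a client that types exactly what a person would type after "telnet host 25", and the header check that follows from his advice. All host and user names here (receiver.example, trusted.example, president@trusted.example) are constructed for the example. The point it makes concrete is his third bullet: the receiver can record the peer address it actually saw, but HELO, MAIL FROM and the From: header are free text chosen by whoever connected.

```python
import re
import socket
import threading

# Constructed sample identities for the example; none of these hosts or people are real.
RECEIVER = "receiver.example"        # the MTA we pretend to be
CLAIMED_HELO = "trusted.example"     # what the forger types after HELO
CLAIMED_USER = "president@trusted.example"
RECIPIENT = "user@receiver.example"


def toy_mta(listener, result):
    """Minimal receiving MTA: accepts one message over SMTP and stamps a Received:
    line pairing the sender's HELO claim with the one thing the receiver actually
    observed, the peer's network address."""
    conn, peer = listener.accept()
    conn.settimeout(5)
    rf = conn.makefile("rb")

    def say(line):
        conn.sendall((line + "\r\n").encode())

    say(f"220 {RECEIVER} SMTP toy")
    helo = envelope_from = None
    while True:
        raw = rf.readline()
        if not raw:                              # peer hung up without QUIT
            break
        verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo = arg                           # unverified claim
            say(f"250 {RECEIVER}")
        elif verb == "MAIL" and arg.upper().startswith("FROM:"):
            envelope_from = arg[5:]              # unverified claim
            say("250 OK")
        elif verb == "RCPT":
            say("250 OK")
        elif verb == "DATA":
            say("354 End data with <CR><LF>.<CR><LF>")
            body = []
            while True:
                line = rf.readline().decode().rstrip("\r\n")
                if line == ".":
                    break
                body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            received = f"Received: from {helo} ([{peer[0]}]) by {RECEIVER} with SMTP"
            result["message"] = "\n".join([received] + body)  # stored with LF line ends
            result["envelope_from"] = envelope_from
            say("250 OK queued")
        elif verb == "QUIT":
            say("221 Bye")
            break
        else:
            say("500 Command unrecognized")
    conn.close()


def forge_message(port, helo, envelope_from, rcpt, from_header, subject, text):
    """The client side of 'telnet host 25', driven from code. Every field is free
    text chosen by the sender; the server checks none of it."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5)
    rf = s.makefile("rb")

    def send(cmd, expect):
        s.sendall((cmd + "\r\n").encode())
        reply = rf.readline().decode()
        if not reply.startswith(expect):
            raise RuntimeError(f"{cmd!r} -> {reply!r}")

    if not rf.readline().decode().startswith("220"):
        raise RuntimeError("no greeting")
    send(f"HELO {helo}", "250")
    send(f"MAIL FROM:<{envelope_from}>", "250")
    send(f"RCPT TO:<{rcpt}>", "250")
    send("DATA", "354")
    for line in [f"From: {from_header}", f"To: {rcpt}", f"Subject: {subject}", ""] + text.splitlines():
        stuffed = "." + line if line.startswith(".") else line   # RFC dot-stuffing
        s.sendall((stuffed + "\r\n").encode())
    send(".", "250")
    send("QUIT", "221")
    s.close()


RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[([^\]]+)\]\) by ", re.M)


def most_recent_hop(message):
    """Return (claimed_helo, observed_peer) from the topmost Received: line. Only the
    bracketed address was seen by the receiving host; the HELO name, the envelope
    sender and the From: header are all the sender's own words."""
    m = RECEIVED_RE.search(message)
    return (m.group(1), m.group(2)) if m else None


def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=toy_mta, args=(listener, result))
    t.start()
    forge_message(port, CLAIMED_HELO, CLAIMED_USER, RECIPIENT,
                  f"The President <{CLAIMED_USER}>", "Urgent",
                  "Please send the payroll file.\n.signed")
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    r = demo()
    print(r["message"])
    print("claimed host / observed peer:", most_recent_hop(r["message"]))
```

Running it prints a message whose From: line and envelope sender both name president@trusted.example and whose Received: line says "from trusted.example", yet the bracketed address shows the connection really came from 127.0.0.1. That bracketed address is the only fact on the page the receiving host can vouch for, which is why the practical check is the one Hedrick gives: reply to the purported author and see whether they know what you are talking about.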



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:36:36 GMT