forging SMTP


Phil R. Karn (karn@mouton.bellcore.com)
Sun, 28 Sep 86 20:22:47 edt


Not only is paper mail also easy to forge, but so is UUCP mail. At least
with SMTP and the internet you have the means to tighten things up if you
wish. You can tell who's actually sending you mail by looking at the address
on the remote socket, notifying the user if it doesn't match the name the
remote sender specifies in the HELO command. Sendmail, at least, will
mention this in the Received headers, though you have to know what you're
looking at. Certainly not foolproof, but better than UUCP where you
generally have NO idea who's really calling you on the phone (unless you've
gone whole hog and gotten rid of your generic uucp logins).

Electronic mail is fundamentally a datagram service. You should never trust
isolated datagrams you receive from any network (be they email messages or
IP datagrams) without either some authentication in the message itself or
until you've conducted a three-way-handshake with the remote party to check
for spoofing. As long as the real person is up and reachable, and the bad
guy hasn't subverted routing, this will suffice.

Phil



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:36:36 GMT