Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!decvax!ucbvax!TOPAZ.RUTGERS.EDU!hedrick
From: hedrick@TOPAZ.RUTGERS.EDU (Charles Hedrick)
Newsgroups: mod.protocols.tcp-ip
Subject: Re: SMTP, 2600, and the security of mail
Message-ID: <8609280249.AA16461@topaz.rutgers.edu>
Date: Sat, 27-Sep-86 22:49:11 EDT
Article-I.D.: topaz.8609280249.AA16461
Posted: Sat Sep 27 22:49:11 1986
Date-Received: Sun, 28-Sep-86 16:46:23 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 28
Approved: tcp-ip@sri-nic.arpa

It is moderately obvious from the protocol that you can spoof SMTP.
What we tell our users about mail is the following:

  - here is how to tell from the headers whether a message was
    delivered locally or via SMTP. (Details vary per system.)

  - mail that is delivered locally is probably from the person it
    claims to be. That depends upon the overall security of the
    system, which is never perfect, but probably it is OK. But don't
    stake your life on it.

  - for mail that came in via network, all you can really be sure of
    is the identity of the most recent host in the link. The received
    line will show the name of that host. If the host claimed to be
    someone other than it was, we will tell you. (This is in the
    DEC-20 implementation. I'm not sure whether our Unix code does
    this. But I think it does.) Unfortunately, the protocols are such
    that even if that machine is secure, a user on it could send mail
    to us claiming to be absolutely anyone he wanted to be.

In general, if you want to be more certain who the mail came from,
send a response back, referring to the message. If you get a message
"what are you talking about?" you know you have been spoofed. This
assumes that the system the author is residing on keeps his mail
private.

You don't need C code to do this spoofing. Just say "telnet host 25".
That will connect you to their SMTP server. You can then type a
message claiming to be anybody you like. We use this for debugging.
The format of the commands is simple enough that it is perfectly
practical for a person to do.
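
[Added example, not part of the original post or of any code from its author.] The header check the post describes can be sketched for a recipient as follows: decide from the topmost Received line whether a message was delivered locally or over SMTP, name the most recent host, and flag a host whose claimed name differs from the one the receiver looked up. The sendmail/Postfix-style Received layout, the function name `assess_origin`, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed layout of a network Received line (sendmail/Postfix style):
#   from <name the peer gave> (<name the receiver looked up> [<address>]) by <receiver>
NETWORK_HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)

def assess_origin(raw_message):
    """Summarise what the topmost Received line supports about a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"from_header": str(msg.get("From", "")), "delivery": "local",
              "last_host": None, "claimed_host": None, "mismatch": False}
    hops = msg.get_all("Received") or []
    if not hops:
        return report
    # Only the topmost line was written by our own host; lower ones arrive
    # with the message and can say anything.
    top = " ".join(str(hops[0]).split())
    if top.lower().startswith("by "):
        return report                      # local submission, no peer host
    hop = NETWORK_HOP.match(top)
    if hop is None:
        report["delivery"] = "unrecognised"
        return report
    claimed, looked_up, address, _receiver = hop.groups()
    verified = None if looked_up.lower() == "unknown" else looked_up
    report.update(delivery="smtp", claimed_host=claimed,
                  last_host=verified or address)
    norm = lambda h: h.lower().rstrip(".")
    report["mismatch"] = verified is None or norm(claimed) != norm(verified)
    return report

# Constructed sample messages (example.org names, documentation addresses).
LOCAL_MSG = """\
Received: by mail.example.org (Postfix, from userid 1000) id 4ABC; Sat, 27 Sep 2025 22:49:11 -0400
From: alice@example.org

body
"""
SPOOFED_MSG = """\
Received: from trusted.example.org (dialup7.example.net [192.0.2.7])
\tby mail.example.org with SMTP id 4DEF; Sat, 27 Sep 2025 22:50:02 -0400
Received: from ceo-desk.example.org by trusted.example.org; Sat, 27 Sep 2025 22:49:00 -0400
From: ceo@example.org

body
"""
if __name__ == "__main__":
    print(assess_origin(LOCAL_MSG), assess_origin(SPOOFED_MSG), sep="\n")
```

Even when `mismatch` is false, the report vouches only for the last host, never for the `From:` header, which is why the post recommends replying to confirm the sender.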