Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!purdue!decwrl!ucbvax!PARIS.ICS.UCI.EDU!raj
From: raj@PARIS.ICS.UCI.EDU
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous messages
Message-ID: <19432.595013634@paris.ics.uci.edu>
Date: 8 Nov 88 17:33:54 GMT
References: <8811072122.aa04460@ICS.UCI.EDU>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 34

I've been meaning to bring this topic up for quite a while so maybe this is the time to do it.

We all know (don't we?) that anyone can use telnet to connect to the SMTP port on a machine and directly type in mail, thus making it appear as though it comes from anyone they like. This has been taken advantage of here at UCI by our undergrads a few times. (Enough that it started becoming a bother!)

It seems to me as if we could solve this whole problem once and for all by simply requiring the originating port for SMTP deliveries to be a privileged port ( < 512 ). As a matter of fact, we could probably require the originating port to be 25 as well as the destination port. (After all, a pair of IP addresses and port numbers fully specify a TCP connection and why would you want 2 SMTP deliveries between the same pair of machines at the same time? Anyway, if you do we can always make it simply "any port number < 512.")

Now, before people start complaining about how this change isn't backward compatible, etc., let me finish. For a period of a year or so everyone could simply insert a header like:

    X-Warning: This message arrived at xyz.site through an insecure port.

into any message originating from a non-privileged port. This way, people would know to question the authenticity of that message.

After everyone has changed their SMTP delivery processes (a very minor change, after all), we could all remove this notice and actually reject connections from unprivileged ports, but this may take quite a while (consider how long it's taking for some places to change over to using nameservers!).

Well, what's wrong with this idea? I figure there has to be something wrong with it or else it would have been suggested long ago.

-----------------------------------------------------------------------------
Richard A. Johnson                    raj@ics.uci.edu           (Internet)
UCI ICS Assistant Support Manager     ucbvax!ucivax!raj         (UUCP)
Postmaster / Network Services         raj@tertius.ics.uci.edu   (via Nameservers)
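
The two-phase policy proposed in the post above, sketched from the receiving server's side as an added Python example (not code from the post or from any mail system). The names `Phase`, `greeting` and `tag_message`, the 554 reply text and the sample addresses are assumptions made for illustration.

```python
from enum import Enum

PRIVILEGED_LIMIT = 512  # the post's threshold ("any port number < 512")


class Phase(Enum):
    TRANSITION = 1  # accept everything, tag mail from unprivileged ports
    ENFORCE = 2     # refuse connections from unprivileged ports


def from_privileged_port(peer):
    """peer is the address tuple from socket.accept(); index 1 is the source
    port for both IPv4 (host, port) and IPv6 (host, port, flow, scope)."""
    return 0 < peer[1] < PRIVILEGED_LIMIT


def greeting(peer, phase, site):
    """Return (accepted, reply_line) to send when the connection opens."""
    if phase is Phase.ENFORCE and not from_privileged_port(peer):
        return False, f"554 {site} refuses SMTP from unprivileged port {peer[1]}"
    return True, f"220 {site} SMTP service ready"


def tag_message(raw, peer, phase, site):
    """During the transition, prepend the X-Warning header from the post to
    mail that arrived from an unprivileged port; otherwise return it as is."""
    if phase is not Phase.TRANSITION or from_privileged_port(peer):
        return raw
    eol = b"\r\n" if b"\r\n" in raw else b"\n"  # keep the message's line endings
    warning = (f"X-Warning: This message arrived at {site} "
               f"through an insecure port.").encode("ascii")
    return warning + eol + raw


# Constructed sample data: a hand-typed (telnet-style) submission and a
# delivery from a mail daemon that bound a low port before connecting.
SAMPLE = b"From: president@example.edu\r\nSubject: hello\r\n\r\nbody text\r\n"
TELNET_PEER = ("192.0.2.10", 40312)
DAEMON_PEER = ("192.0.2.20", 25)

if __name__ == "__main__":
    for peer in (TELNET_PEER, DAEMON_PEER):
        for phase in Phase:
            ok, reply = greeting(peer, phase, "xyz.site")
            print(peer, phase.name, reply)
            if ok:
                print(tag_message(SAMPLE, peer, phase, "xyz.site").decode())
```

The port test only carries weight when the sending host's operating system reserves low ports for privileged processes, since the receiver learns nothing else about who opened the connection.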