Path: utzoo!attcan!uunet!munnari!murtoa.cs.mu.oz.au!ditmela!smart
From: smart@ditmela.oz (Robert Smart)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: anonymous messages
Message-ID: <3080@ditmela.oz>
Date: 15 Nov 88 02:17:38 GMT
References: <8811072122.aa04460@ICS.UCI.EDU> <19432.595013634@paris.ics.uci.edu> <31376@think.UUCP>
Reply-To: smart@ditmela.oz.au (Robert Smart)
Organization: CSIRO, Division of Information Technology, Australia
Lines: 34

In article <31376@think.UUCP> barmar@kulla.think.com.UUCP (Barry Margolin) writes:
> The server machine has a list of machines that it believes implements
> this level of security. If you come from a different machine, it
> ignores the fact that you are coming from a low-numbered port.

And SMTP could do the same and insert an X-Insecure-Message header on
mail from places it doesn't trust.

> still isn't completely secure, since it ignores the fact that some
> systems will allow the user to fake the source IP address, thus
> pretending to be coming from a trusted machine; unfortunately, it's
> difficult to do better than this.)

IP packets coming from the wrong ethernet address should cause a
security alarm (and gateways shouldn't pass such packets on). And note
that you have to do more than drop packets with the wrong IP address on
the ethernet: you also have to pick up returning packets which will not
be sent to your ethernet address, so you have to be in promiscuous mode.

As Robert Elz pointed out a while ago, the situation with electronic
mail is no different to other communication media: anybody can write a
letter and sign it Ronald Reagan, or phone someone and say "Hello, this
is the New York State Lottery...". It seems likely that the legal
sanctions preventing these things would apply to electronic mail and
faxes if they have been worded with sensible generality.

But I do think that SMTP and sendmail make these things much too easy.
People without any technical competence at all can do mail spoofing.
This means you get to include every idiot at an educational institution.
With a little bit of effort it could have been restricted to idiots in
the Computer Science courses!

Bob Smart
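
The check described in the post above (raise an alarm when an IP packet arrives from the wrong ethernet address, and have a gateway refuse to pass it on), as an added example that is not part of the original post. The binding table, the addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed binding table (assumption): the source IP each local host is
# expected to use, mapped to the ethernet address it is expected to send from.
BINDINGS = {
    "192.0.2.10": "02:00:00:00:00:0a",
    "192.0.2.11": "02:00:00:00:00:0b",
}
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a constructed Ethernet II frame with a bare 20-byte IPv4 header."""
    eth = bytes.fromhex(dst_mac.replace(":", ""))
    eth += bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip  # header checksum left at 0; it is not inspected here


def check_frame(frame, bindings=BINDINGS):
    """Return (verdict, detail); verdict is 'ok', 'alarm', 'unknown' or 'skip'."""
    if len(frame) < 14:
        return "skip", "truncated ethernet header"
    src_mac = mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return "skip", "not IPv4"
    if len(frame) < 34 or frame[14] >> 4 != 4:
        return "skip", "truncated or malformed IPv4 header"
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))  # IPv4 source field
    expected = bindings.get(src_ip)
    if expected is None:
        return "unknown", f"{src_ip} has no binding"
    if expected != src_mac:
        return "alarm", f"{src_ip} seen from {src_mac}, expected {expected}"
    return "ok", src_ip


def gateway_should_forward(frame, bindings=BINDINGS):
    """A gateway passes on only frames whose source binding checks out."""
    return check_frame(frame, bindings)[0] == "ok"
```

The check only covers hosts on the local ethernet whose bindings are known; a packet that has already crossed a gateway carries the gateway's ethernet address, not the originating host's.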