Sam asked:
> So my question is: Why does one need to authenticate himself to his own
> system's smtp server? They already know who you are and they know you are
> OK because you are already logged on to their own system by using a
> username and a password that they have already authorized and they have
> already matched to your identity. My ISP's smtp server does not have an
> authentication protocol, but unless you are connected to "shentel.net" I
> don't think there is any way you can send a message out of
> "smtp.shentel.net" unless you have obtained some subscriber's username and
> password

Actually, this is a decent idea, Sam, for deterring Spam: What you say
is not quite correct. Assume that sleezynet.com is my IP. I can login
to Sleezynet.com, using my own id/password, and then TELNET to smtp.verio.com
(or use some mass mail program), and get in with only these SMTP commands:

    telnet smtp.verio.com 25
    helo sleezynet.com
    mail from: [EMAIL PROTECTED]

Now the server thinks I am anyverio-user, and I can send 10,000 copies
of my get rich quick mail to whoever I want, all apparently from
anyverio-user.com. Without separate authentication, there is nothing to stop any
other user at another ISP from entering the mail server and sending mail.
With authentication, the sleezy fellow can still get in, but he can only
send mail to local accounts on verio.com.

In the past, mail server software did not ``match your identity''.
That is, the smtp server did not check you against the nameserver logs.
How could it, when you do not need to give an id/password to access
an SMTP server (see above)? There have been attempts to match users
against prior POP sessions or logs in the past. But, apparently, it
was decided to extend ESMTP to require an independent ID/password
that COULD be matched. That way, even if you were in another state,
accessing the mail server through another person's local POP, you could
still use your own ISP's mail server.

Unfortunately, this upgrade will affect a lot of ``survpc'' software,
I am afraid. Had they upgraded differently by, for instance, including
an id/password in the HELO or MAIL From: command, we could configure
old software to authenticate. But of course, then we would not need
Netscape or MS Outlook.
------------------------------
Howard Schwartz
-------------------------------
theo "at" ncal.verio.com
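
The relay rule described in the message above, as an added example that is not part of the original post or of any real mail server's code: an unauthenticated client may only address local recipients, and relaying elsewhere needs a successful AUTH. The `Session` class, the `mail.example` hostname and the credential store are constructed for illustration.

```python
import base64
import hmac

LOCAL_DOMAINS = {"verio.com"}        # constructed: domains this server delivers for
USERS = {"alice": "correct horse"}   # constructed credential store (plaintext only for the demo)

class Session:
    """Minimal SMTP command handler showing the relay decision, not a full server."""

    def __init__(self):
        self.user = None             # set only after a successful AUTH

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example\r\n250 AUTH PLAIN"
        if verb == "HELO":
            return "250 mail.example"   # the HELO name is client-supplied and proves nothing
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            return "250 OK"             # the envelope sender is client-supplied too
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 Command not implemented"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:  # AUTH PLAIN carries base64("authzid NUL user NUL password")
            _authzid, user, password = base64.b64decode(blob, validate=True).decode().split("\0")
        except ValueError:
            return "501 Malformed AUTH PLAIN response"
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.user = user
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"

    def _rcpt(self, arg):
        address = arg.partition(":")[2].strip().strip("<>")
        domain = address.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS or self.user is not None:
            return "250 OK"             # local delivery, or relay for an authenticated user
        return "550 Relaying denied"
```

The decision depends only on the recipient domain and the authenticated state, never on the HELO name or the MAIL FROM address, since the client chooses both.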