On Sat, 3 Feb 01 17:16:05, [EMAIL PROTECTED] (Howard Schwartz) wrote:
> Sam asked:
>> So my question is: Why does one need to authenticate himself to his own
>> system's smtp server? They already know who you are and they know you are
>> OK because you are already logged on to their own system by using a
>> username and a password that they have already authorized and they have
>> already matched to your identity. My ISP's smtp server does not have an
>> authentication protocol, but unless you are connected to "shentel.net" I
>> don't think there is any way you can send a message out of
>> "smtp.shentel.net" unless you have obtained some subscriber's username and
>> password
> Actually, this is a decent idea, Sam, for deterring Spam: What you say
> is not quite correct. Assume that sleezynet.com is my IP. I can login
> to Sleezynet.com, using my own id/password, and then TELNET to smtp.verio.com
> (or use some mass mail program), and get in with only these SMTP commands:
> telnet smtp.verio.com 25
> helo sleezynet.com
> mail from: [EMAIL PROTECTED]
> Now the server, thinks I am anyverio-user, and I can send 10,000 copies
> of my get rich quick mail to whoever I want, all apparently from anyverio-
> user.com. Without, separate authentication, there is nothing to stop any
> other user at another ISP from entering the mail server and sending mail.
> With authentication, the sleezy fellow can still get in, but he can only
> send mail to local accounts on verio.com.
I didn't know it was that simple. I have never used Telnet to send mail,
but only to receive mail. When you use Telnet to receive mail you have
to send your username and your password, thereby identifying yourself to
the POP3 server. I have just now reviewed the popular web-page "I sit
in Siberia", http://stud1.tuwien.ac.at/~e8926506/siberia.htm, about how
to use Telnet, and it appears that it is indeed true that no authentication
is required under "normal" protocols to use any smtp server anywhere. I
was amazed to discover such a gaping security hole. Maybe this problem can
be fixed simply by adding some login queries to the Telnet protocol used
for smtp. I don't know if this would require also some authentication
features for ordinary mail clients because I don't think the email clients
are programmed to send mail by accessing Telnet. I have tried just as an
experiment setting up my DOS email clients to send mail through various
ISPs other than my own. I get an error message saying something to the
effect that "you are not allowed to use the mail server smtp.sleezynet.com".
This will happen even if I have a POP3 account at sleezynet.com and even
after I have downloaded my POP3 mail first. I can send mail through their
smtp server only by relaying it through shentel.net. Some ISPs are said
to allow direct access by anyone, but they get reported to ORBS. Then they
have to either clean up their act or lose their subscribers because not
even their own subscribers would be able to send messages successfully to
people who have email addresses at many other ISPs.
Question: Do most
> In the past, mail server software did not ``match your identity''.
> That is, the smtp server did not check you against the nameserver logs.
> How could it, when you do not need to give an id/password to access
> an SMTP server (see above)? There have been attempts to match users
> against prior pop sessions or logs in the past. But, apparently, it
> was decided to extend ESMTP to require an independent ID/password,
> that COULD be matched. That way, even if you were in another state,
> accessing the mail server through another person's local POP, you could
> still use your own ISPs mail server.
> Unfortunately, this upgrade will affect a lot of ``survpc'' software,
> I am afraid. Had they upgraded differently by, for instance, including
> an id/password in the HELO or MAIL From: command, we could configure
> old software to authenticate. But of course, then we would not need
> netscape or MS outlook.
Shentel.net may now use some kind of ESMTP protocol. I can see the word
ESMTP flash across my screen when I access the SMTP server; however,
so far I have not yet received any error messages about failure to
authenticate. Maybe they just have the capability of requiring ESMTP
protocol but they just haven't yet activated and implemented this "feature".
I really appreciate your concern about the potential negative implications
of the ISP's adopting this ESMTP thing.
Sam Heywood
-- This mail was written by user of The Arachne Browser - http://arachne.cz/
