Hello,

E-mail goes from server to server based upon DNS MX (mail exchange) records. On each server the message is whole and intact, with additional information attached. I can't speak for how it's treated by anything other than sendmail, but sendmail has a queue directory which has two files for each message: one for the message (minus the header) and a second file with the header and sender/sending/tracking information, etc. I will get back to MX records in a minute, but each mail server first accepts the message and writes it to some type of queue before trying to deliver it. The admins of these mail servers can configure them any way they want, even setting them to only queue mail (and then, after they copy the messages, they can release them; or they could automate this as simply as setting the server to queue only and then automatically copying each message out of the spool file and shipping it to the next mail server).

Now, back to MX records. Each domain should configure its DNS with a minimum of one MX record (usually two or three are better); however, these should be either mail servers that they control directly or mail servers that someone they trust is maintaining. The only other mail server that should handle the message is the one being used by the sender of the message, which should be under the control of someone the sender trusts. Grabbing e-mails off of a server is by far the easiest way to steal them.
Now, if you trust the IT department of your company and the IT department of the company you are sending the message to, then the next thing to consider is the route between your sending computer and your first mail server, the connections between all the mail servers, and finally the connection from the final mail server to the receiver's computer. Here it's a matter of bandwidth: in general, packet sniffers can only handle so much data, which means someone targeting YOUR e-mail has a much, much better chance the closer they are to you, and a person targeting e-mail sent to SOMEONE has a much, much better chance the closer they are to that someone.

Let's take a fictitious example: your company uses Netcom for its connection and the person you are sending the e-mail to uses Vitts for their connection. If the person sniffing is sniffing directly from some point between your computer and your mail server, then they can use filters to only look at connections from your IP to the mail server's port 25 and probably fairly easily see your e-mail (yes, I have seen lots of e-mails fly by a sniffer when we had it unfiltered on a company's LAN, but without the filters you see a little of this e-mail, then a little of that e-mail, etc., as the packets all pass you by). If the person sniffing is sniffing between your mail server and the next mail server in the chain (let's assume they already know what the next server is, because otherwise they will see many more e-mails), then they can filter on the IP address of your mail server and the IP address of the destination mail server, port 25 again. This will net them all the e-mails that pass from your mail server to the next mail server, which will probably be all e-mails between the two companies.
However, the 'if' of knowing the next mail server is moderate, and the chance of getting between the two servers is iffy because of dynamic routing, and even with the filters they still have to check the headers of ALL the IP packets going by them, which in this case would probably be all traffic processed by your provider. Fairly unlikely, I would guess, but I have no experience. Now, if they are on the other side, the situation again gets simpler when they are between the final mail server and the receiving computer; here they filter on the two IP addresses and a source port of 110 for POP3 (the returning traffic from the mail client's connection to port 110). Again, sniffing on a local LAN, I have seen lots of e-mail fly by on POP3 connections.

Summary: if they are sniffing on either the sender's or the receiver's LAN, then it's fairly easy, or if they have hacked either the sender's or the receiver's mail server, it's cake. Otherwise I would say a rather remote possibility, but possible... as they say, where there is a will there is a way.

Hope this helps,
Robert

----- Original Message -----
From: "Dave Bujaucius" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2002 11:57 AM
Subject: Unencrypted Email

> It is common knowledge that unencrypted messages sent over an unsecured
> Internet connection *can* be viewed in clear text and thus the contents
> compromised. My questions:
>
> 1. Is it really easy? How readily available are sniffing tools that
> can do this?
> 2. Can it be done from a user's home dial up or DSL type connection?
> Can someone in California somehow be scanning mail leaving a New York
> location?
> 3. Outside of government agencies that have access to selected ISP's,
> how likely is it that a company could be targeted by an outside person
> or organization?
>
> I realize that like most IT issues everything is relative. I'm
> questioning the relative risk in sending confidential information over
> the Internet. Real life experiences versus theory.
>
> Dave Bujaucius
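The reply above describes a sniffer that filters on the two hosts and port 25 and then reads the e-mail out of the reassembled connection, and notes that without the filter one sees "a little of this e-mail, then a little of that". The following is an added example, not part of the original thread or anyone's posted code: it runs over a constructed list of TCP segments (RFC 5737 documentation addresses; an interleaved HTTP request and a second SMTP session stand in for the unrelated traffic), applies the host/port filter, reassembles each connection by its 4-tuple, and pulls the message out of the SMTP DATA section, undoing the dot-stuffing the protocol applies. `Packet`, `CAPTURE` and the helper names are the example's own; the same filter with port 110 and the server-to-client half of the flow covers the POP3 case the reply mentions, which is not implemented here.

```python
# Added example (not from the original post): recovering a plaintext e-mail
# from a capture by filtering on the two hosts and port 25, reassembling the
# connection, and parsing the SMTP DATA section. Every address and segment
# below is constructed; nothing is captured live.
from collections import defaultdict
from dataclasses import dataclass
from email import message_from_string

SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    """One TCP segment as a sniffer hands it over, IP/TCP headers already parsed."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def matches_filter(p: Packet, host_a: str, host_b: str, port: int) -> bool:
    """Equivalent of the BPF filter 'host A and host B and tcp port N', both directions."""
    return {p.src, p.dst} == {host_a, host_b} and port in (p.sport, p.dport)


def reassemble_flows(packets, host_a, host_b, port) -> dict:
    """Group matching segments by (src, sport, dst, dport) and join payloads in arrival order.

    The filter drops the interleaved segments of other connections; segments of the
    same connection are joined even when unrelated traffic arrived between them.
    """
    flows = defaultdict(bytearray)
    for p in packets:
        if matches_filter(p, host_a, host_b, port):
            flows[(p.src, p.sport, p.dst, p.dport)] += p.payload
    return {k: bytes(v) for k, v in flows.items()}


def client_to_server(flows: dict, server_port: int) -> list:
    """Return the client->server half of each flow (the half whose dport is the service port)."""
    return [data for (src, sport, dst, dport), data in flows.items() if dport == server_port]


def extract_smtp_messages(client_stream: bytes) -> list:
    """Parse every DATA section of a client->server SMTP stream into email.message objects."""
    messages, body, in_data = [], [], False
    for line in client_stream.decode("ascii", "replace").split("\r\n"):
        if in_data:
            if line == ".":                                   # end-of-data marker
                messages.append(message_from_string("\r\n".join(body)))
                body, in_data = [], False
            else:                                             # undo RFC 5321 dot-stuffing
                body.append(line[1:] if line.startswith("..") else line)
        elif line.upper() == "DATA":
            in_data = True
    return messages


def recover_messages(packets, host_a: str, host_b: str) -> list:
    """Filter, reassemble and parse: what a sniffer sitting between two SMTP hosts does."""
    flows = reassemble_flows(packets, host_a, host_b, SMTP_PORT)
    found = []
    for stream in client_to_server(flows, SMTP_PORT):
        found.extend(extract_smtp_messages(stream))
    return found


# Constructed capture: Alice's session (A -> S) interleaved with web traffic (A -> W)
# and Carol's unrelated SMTP session to the same server (B -> S).
A, S, B, W = "192.0.2.10", "192.0.2.25", "198.51.100.7", "203.0.113.80"


def seg(src, sport, dst, dport, text):
    return Packet(src, sport, dst, dport, text.encode("ascii"))


CAPTURE = [
    seg(S, 25, A, 51000, "220 mail.example.net ESMTP\r\n"),
    seg(A, 51000, S, 25, "EHLO desk.example.com\r\n"),
    seg(A, 51001, W, 80, "GET / HTTP/1.0\r\n\r\n"),
    seg(B, 40000, S, 25, "HELO other.example.org\r\nMAIL FROM:<carol@example.org>\r\n"),
    seg(A, 51000, S, 25, "MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.net>\r\n"),
    seg(S, 25, A, 51000, "250 OK\r\n250 OK\r\n"),
    seg(B, 40000, S, 25, "RCPT TO:<dan@example.net>\r\nDATA\r\nSubject: Lunch?\r\n\r\nNoon?\r\n.\r\n"),
    seg(A, 51000, S, 25, "DATA\r\n"),
    seg(S, 25, A, 51000, "354 End data with <CR><LF>.<CR><LF>\r\n"),
    seg(A, 51000, S, 25, "From: alice@example.com\r\nTo: bob@example.net\r\nSubject: Q1 numbers\r\n\r\n"),
    seg(W, 80, A, 51001, "HTTP/1.0 200 OK\r\n\r\n"),
    seg(A, 51000, S, 25, "Here are the Q1 numbers we discussed.\r\n..and a line that began with a dot\r\n.\r\n"),
    seg(A, 51000, S, 25, "QUIT\r\n"),
]

if __name__ == "__main__":
    for msg in recover_messages(CAPTURE, A, S):
        print(msg["From"], "->", msg["To"], "|", msg["Subject"])
        print(msg.get_payload())
```

Reading `CAPTURE` top to bottom is the unfiltered view: fragments of three connections arrive mixed together. `recover_messages(CAPTURE, A, S)` is the filtered view the reply describes, and yields Alice's complete message; filtering on `B` and `S` instead yields Carol's, and filtering on the web server yields nothing because no segment on port 25 involves it.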