Not the theory but the SMTP behind it (Simple Mail Transfer Protocol). Is it only cs people who see such giant problems with how the current system works? I'm assuming the only reason it's still around is because there hasn't been enough of an uprising from the common people.

Eh, it's simple and does the job. I don't have anything against it.

Do you guys know about these? Or do any of them bother you?

1) anyone on your network, or anyone on any of the computers your email travels through (usually about 15-20 hops) can read your email with very little effort what so ever. (some systems prevent this but 95% of them don't)

2) anyone can send email as you and there is nothing keeping them from doing so. I could send an email to you right now and list you (or wgates@microsoft.com or anything) as the sender.

3) Unless they let you there is nothing in the email protocol that lets you track down who sent you the message. If I sent you an email from wgates@microsoft.com there is nothing there that is letting you know I was the true sender and Bill Gates wasn't

Those 3 things sum up about 90% of the problems people have with email (security, viruses, spam). All of them could be severly reduced, if not completly fixed by using a better protocol.

So fix it, don't just complain about it.

Originally posted by exciv2000
So fix it, don't just complain about it.

::Snaps fingers::

and done :rolleyes:

Obviously it isn't fixed... I'm trying to get a better understanding of why. One theory I have is that the general public has no clue of the problems... thus needs to be made more aware.

I feel there is a big problem with the current system... I also like to make a difference, so if I find people aren't aware, rather than spending my time complaining about everyone else, I'll try and do something about it.

Like making resist banners (i suck at teh photoshop, what do you guys think?)


http://www.mines.edu/students/p/pfchrist/resistsmtp.jpg

I don't email much.. it's mostly forum talk or or IM for me. Occasional customer support or something related, but not much else for sending mail.

No. I love email. SMTP is a PITA, and someday someone will come up with a really GOOD protocol, but I still love it

Sendmail, on the other hand, SUCKS.

http://www.exim.org <-- :)

If your mailer is broken (75% of them are), then fix it. It's VERY simple to NOT relay.

the junk mail blows but all the other stuff is ok. On the other hand, I dont get email very much.

Originally posted by john
SMTP is a PITA, and someday someone will come up with a really GOOD protocol

I'm sure some comitee or organization already has a far superior protocol (the RFC for SMTP is as old as me, protocol itself is older). Especially with the past few years and all that has gone on about spam and cyber crimes and all that... i'm sure someone (probably multiple groups) have better systems. It's all a question of why aren't we using them yet?

1) I'm well aware of that. It's also easy for people to intercept anything else you do over a network or the Internet. But, I couldn't see your traffic unless I'm somewhere along your route to whatever server you're connecting to, and that route changes depending on who you're connected to, and it even sometimes uses a different route to go the same place. So I'd have to be at your only gateway to see everything you do. But, the point is that it's not exactly practical to just chose any person you like and tap into their traffic. Well, unless you're the government (Echelon, anyone?). Encryption is the obvious solution.

2) True and that can be a problem, fortunately the message headers will reveal where it came from or at least if something is not quite right.

3) See #2. The only exceptions are compromised SMTP relays and the ones that intentionally don't include message headers, but both of those are rare.


Your whole case against SMTP is that is has a lack of security, which is true, but everyone who knows their stuff knows this and acts accordingly.

Originally posted by Weston-work

2) True and that can be a problem, fortunately the message headers will reveal where it came from or at least if something is not quite right.


Good point. I agree with your issue on 3 also.

However, the reason that is a problem is because of flaws in the protocol. The header is the only way to track the email. But there is a problem... all the header information comes from two sources, the original sender, and the mail server software, neither of which have to tell the truth.

That's the problem.... they don't have to tell the truth, so naturally the people who want to abuse the system will take advantage of that.

Two situations
1) I want to send an email and not let anyone know it was me. All i have to do is find a mail server that supports Open Relaying. Thus it allows email to be sent from anyone, anywhere. They are somewhat rare, but there are tons of mail servers on the internet, many of which are runing old outdated software. Finding an open relay server is easy, there are scripts that will find them for you. After you find one you can literally telnet into it and send an email that looks like it came from anyone@anyplace.com.

The issue here is that chances are the mail server will put a RECEIVED: tag in the header of the message when it forwards it on. That tag will have yourcomputer.yourdomain.com listed as where it came from. Of course this is an easy problem to overcome, simply use one of the (many) telnet proxy servers on the internet. Then the address listed is that of the proxy server, not you. This makes it much much harder to track.

2) I start up my own spam server business. I configure a mail server that I let spamers send from. My mail server doesn't add the 'RECEIVED: tag on messages I send. It simply forwards on the message. There is nothing illegal about that... nothing even against protocol standards. Just about any mail server out there will contue to forward the message untill it reaches its sender. Of course the IP of my mail server is added to it by the next guys mail server, so they could trace it back to me. But due to a convieniently badly configured system, I don't keep any logs and have no way of tracing that mail back to who originally sent it.

See... it's not very difficult to exploit all this. There are plenty of other ways to do it too (such as adding additional RECEIVED: lines to the header pointing to real domains). If there is a way to exploit this kind of thing then the people who want to take advantage of it will. With a better protocol you could avoid these problems.

The encryption issue is tough. Yes it would just about solve the problem. With some of the methods they are using today your encrypted data is pretty much safe. If not perfectly safe about 1000x more safe than it is today. Think about all the people who use email for business nowadays. It's very very common... and a lot of what is trasfered is probably very sensitive information. True a lot of people are smart enough not to do that, but there are a TON of people out there who have no clue how the internet works. If you look at the huge ammounts of email being sent there would be millions of messages sent each day that contain sensitive information. With how cheap bandwidth is nowadays there is no reason not to encrypt stuff. One packetsniffer on a companies website (not IT company, but average company who doesn't know about this kind of stuff) could theoritcally read all the email that goes through that company.

Yea these problems aren't life threatening... but I certainlly think they give more than enough motive to move towards a better system. Just by adding encyrption and authentication you would fix just about all these problems

&lt/rant&gt

Originally posted by john


Sendmail, on the other hand, SUCKS.



:werd:

that's gotta be the program with the most exploits written for it ever i think haha.

i used to run qmail back in the day but that was like 3 years ago so i have no idea what's taken it's place since then.

I like fan mail.

I hate e-mail and I e-hate mail

Not too sure if I'm right but isn't your ip and isp sent out with the email you send whether you exploit the hell out of it or not? I think it is but you gotta do some reading to get the numbers?;ScratchHe

Originally posted by HondasTrail
Not too sure if I'm right but isn't your ip and isp sent out with the email you send whether you exploit the hell out of it or not? I think it is but you gotta do some reading to get the numbers?;ScratchHe

Not necessarily. If you send the mail to your mailserver and have them send it then they do, but if you use an open relay mail server, or your own, then they don't.