Educause Security Discussion mailing list archives
Re: authenticated "from" email address (fwd) (fwd)
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Mon, 1 Nov 2004 16:15:08 -0500
Hi, I sent your question to my Postmaster .. this is his reply. Thanks, Joel Rosenblatt
------------ Forwarded Message ------------ Date: Monday, November 01, 2004 12:00 PM -0600 From: Kevin Shalla <kshalla () UIC EDU> To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] authenticated "from" email address Because most of my legitimate email is from people within my email domain, I would like to be able to trust that email from users in my domain is actually from the account in the "from" field. If this were the case, I would get less spam, viruses, and worms, because now I get many messages with spoofed "from" addresses of internal users. Since both "blacklist" and "whitelist" strategies for dealing with spam require identifying the sender, this spoofing hobbles those strategies.
Accurate white- and blacklists depend on what host sent the message, or on a combination of sender address and host. You might for example trust mail from servers in your domain that require people to log in before sending (shell, webmail, smtp auth). They are unlikely to send junk, and if those users do send junk they can be identified and action can be taken. Those hosts could be configured to force the login address to appear in the header From line, but there would be many objections. People might be sending mail on behalf of someone else, or may want to show an alias or list address. Remember that many clients show the header From in the list of messages in a mailbox, so people want to set it to something useful. But mainly, this does nothing to make the From line reliable, because any other random host on the net could still fake From lines with your domain.
Recently I heard about the SMTP Service Extension for Authentication <http://www.ietf.org/rfc/rfc2554.txt>, and had high hopes for it, but I've heard that once authenticated, the user is not restricted to sending messages with the "from" address of that authenticated user. Does anyone know if there is any protocol (or anything in the works) for restricting this way?
The purpose of smtp auth is to authenticate a hop, not a message. It verifies who is responsible for transmitting the message from one host to another. The authentication is good only for that hop. It is not part of the message. Authenticating the actual message is the domain of encryption and digital signatures. Anything in the header can be faked. ---------- End Forwarded Message ---------- Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: authenticated "from" email address (fwd) (fwd) Joel Rosenblatt (Nov 01)