Re: authenticated "from" email address (fwd) (fwd)

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi,

I sent your question to my Postmaster .. this is his reply.

Thanks,
Joel Rosenblatt


> ------------ Forwarded Message ------------
> Date: Monday, November 01, 2004 12:00 PM -0600
> From: Kevin Shalla <kshalla () UIC EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] authenticated "from" email address
>
> Because most of my legitimate email is from people within my email domain,
> I would like to be able to trust that email from users in my domain is
> actually from the account in the "from" field.  If this were the case, I
> would get less spam, viruses, and worms, because now I get many messages
> with spoofed "from" addresses of internal users.  Since both "blacklist"
> and "whitelist" strategies for dealing with spam require identifying the
> sender, this spoofing hobbles those strategies.


Accurate white- and blacklists depend on what host sent the message,
or on a combination of sender address and host.

You might for example trust mail from servers in your domain that
require people to log in before sending (shell, webmail, smtp auth).
They are unlikely to send junk, and if those users do send junk they
can be identified and action can be taken.

Those hosts could be configured to force the login address to
appear in the header From line, but there would be many objections.
People might be sending mail on behalf of someone else, or may want
to show an alias or list address.  Remember that many clients show
the header From in the list of messages in a mailbox, so people
want to set it to something useful.  But mainly, this does nothing
to make the From line reliable, because any other random host on
the net could still fake From lines with your domain.


> Recently I heard about the SMTP Service Extension for Authentication
> <http://www.ietf.org/rfc/rfc2554.txt>, and had high hopes for it, but I've
> heard that once authenticated, the user is not restricted to sending
> messages with the "from" address of that authenticated user.  Does anyone
> know if there is any protocol (or anything in the works) for restricting
> this way?


The purpose of smtp auth is to authenticate a hop, not a message.
It verifies who is responsible for transmitting the message from
one host to another.  The authentication is good only for that hop.
It is not part of the message.

Authenticating the actual message is the domain of encryption and
digital signatures.  Anything in the header can be faked.
---------- End Forwarded Message ----------

Joel Rosenblatt, Senior Security Officer & Windows Specialist, AcIS
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.