karn@MOUTON.BELLCORE.COM (Phil R. Karn) (09/29/86)
Not only is paper mail also easy to forge, but so is UUCP mail. At least with SMTP and the internet you have the means to tighten things up if you wish. You can tell who's actually sending you mail by looking at the address on the remote socket, notifying the user if it doesn't match the name the remote sender specifies in the HELO command. Sendmail, at least, will mention this in the Received headers, though you have to know what you're looking at. Certainly not foolproof, but better than UUCP where you generally have NO idea who's really calling you on the phone (unless you've gone whole hog and gotten rid of your generic uucp logins).

Electronic mail is fundamentally a datagram service. You should never trust isolated datagrams you receive from any network (be they email messages or IP datagrams) without either some authentication in the message itself or until you've conducted a three-way-handshake with the remote party to check for spoofing. As long as the real person is up and reachable, and the bad guy hasn't subverted routing, this will suffice.

Phil
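
The comparison described in the post above, between the name given in HELO and the name tied to the remote socket address, can be run over a message's Received headers. This is an added example, not part of the original post; it assumes the common sendmail-style `from <HELO name> (<peer name> [<peer address>])` layout, and the sample message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses are documentation values.
SAMPLE = """\
Received: from mail.claimed.example (host17.actual.example [192.0.2.17])
\tby mx.recipient.example with SMTP; Mon, 29 Sep 1986 10:02:11 -0400
Received: from relay.sender.example (relay.sender.example [198.51.100.5])
\tby mx.recipient.example with SMTP; Mon, 29 Sep 1986 09:58:40 -0400
Received: from localhost by relay.sender.example; Mon, 29 Sep 1986 09:58:01 -0400
From: someone@claimed.example
Subject: constructed example

body
"""

# Assumed layout: "from <HELO name> (<name from socket address> [<socket address>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

def check_received(raw_message):
    """Return one dict per Received header that records the peer address."""
    msg = message_from_string(raw_message)
    results = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # header does not record the socket address; nothing to compare
        helo = m.group("helo").lower().rstrip(".")
        rdns = (m.group("rdns") or "").lower().rstrip(".")
        results.append({
            "hop": hop,
            "helo": helo,
            "peer_name": rdns or None,
            "peer_ip": m.group("ip"),
            # Mismatch: the HELO name is not the name the receiver derived
            # from the socket address (or no name could be derived at all).
            "mismatch": helo != rdns,
        })
    return results

if __name__ == "__main__":
    for r in check_received(SAMPLE):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'hop {r["hop"]}: HELO={r["helo"]} peer={r["peer_name"]} [{r["peer_ip"]}] {flag}')
```

A match only shows that the two names agree in a header the receiving host wrote; headers added by earlier hops are supplied by the sender's side and carry no such guarantee.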