zwang@CS.UCL.AC.UK (Zheng Wang, Ext: 3701) (11/08/88)
There is a person who keep sending anonymous messages to soc.culture.china. He/she sometimes uses a fake name and sometimes uses someone else's real name which causes great confusion. Once there were two messages and each of them claimed that the other were forged. Now I guess this person could use sendmail to forge a message. Is there any methods to prevent messages from being forged? Zheng
raj@PARIS.ICS.UCI.EDU (11/09/88)
I've been meaning to bring this topic up for quite a while so maybe this is the time to do it. We all know (don't we?) that anyone can use telnet to connect to the SMTP port on a machine and directly type in mail, thus making it appear as though it comes from anyone they like. This has been taken advantage of here at UCI by our undergrads a few times. (Enough that it started becoming a bother!) It seems to me as if we could solve this whole problem once and for all by simply requiring the originating port for SMTP deliveries to be a privileged port ( < 512 ). As a matter of fact, we could probably require the originating port to be 25 as well as the destination port. (Afterall, a pair of IP addresses and port numbers fully specify a TCP connection and why would you want 2 SMTP deliveries between the same pair of machines at the same time? Anyway, if you do we can always make it simply "any port number < 512.") Now, before people start complaining about how this change isn't backward compatible, etc., let me finish. For a period of a year or so everyone could simply insert a header like: X-Warning: This message arrived at xyz.site through an insecure port. into any message originating from a non-privileged port. This way, people would know to question the authenticity of that message. After everyone has changed their SMTP delivery processes (a very minor change, afterall), we could all remove this notice and actually reject connections from unprivileged ports, but this may take quite a while (consider how long it's taking for some places to change over to using nameservers!). Well, what's wrong this idea? I figure there has to be something wrong with it or else it would have been suggested long ago. ----------------------------------------------------------------------------- Richard A. Johnson raj@ics.uci.edu (Internet) UCI ICS Assistant Support Manager ucbvax!ucivax!raj (UUCP) Postmaster / Network Services raj@tertius.ics.uci.edu (via Nameservers)
jam@RADC-LONEX.ARPA (11/10/88)
>From: raj@PARIS.ICS.UCI.EDU > >I've been meaning to bring this topic up for quite a while so maybe this is >the time to do it. We all know (don't we?) that anyone can use telnet to >connect to the SMTP port on a machine and directly type in mail, thus making >it appear as though it comes from anyone they like. This has been taken >advantage of here at UCI by our undergrads a few times. (Enough that it >started becoming a bother!) It seems to me as if we could solve this whole >problem once and for all by simply requiring the originating port for SMTP >deliveries to be a privileged port ( < 512 ). As a matter of fact, we could >probably require the originating port to be 25 as well as the destination port. >(Afterall, a pair of IP addresses and port numbers fully specify a TCP >connection and why would you want 2 SMTP deliveries between the same pair of >machines at the same time? Anyway, if you do we can always make it simply >"any port number < 512.") > Many services (rsh, etc.) require the port number to be in the range 512 to 1024. Under UNIX this is considered a privleged port, the lower ports are reserved for servers. One potential problem I see, what if someone tries to establish a connection to send you mail while your busy trying to talk to another system. If you are using port 25 to send with, who's listening for mail? Because the 1024 bit is not standard, some implementations of TCP allow any old program to use lower port numbers... Also this is great, until someone with root on another machine tries to pull another fast one. Of course if you monitor your machine closely you would notice the attempt... >Now, before people start complaining about how this change isn't backward >compatible, etc., let me finish. For a period of a year or so everyone could >simply insert a header like: > >X-Warning: This message arrived at xyz.site through an insecure port. > ... text deleted "insecure"? Of course many people in government circles (check my address) are distinctly paranoid at the moment... What exactly would this buy us? If it was really a mail item it doesn't matter, if an attack nobody gets the mail! Just have the mailer log ports too. Joel
kent@WSL.DEC.COM (11/12/88)
Only Unix (that is, 4.2-derived systems) reserve ports less than 512. There's no restriction on, say, an IBM PC running a random implementation of TCP and Telnet. chris
barmar@think.COM (Barry Margolin) (11/14/88)
In article <19432.595013634@paris.ics.uci.edu> raj@PARIS.ICS.UCI.EDU writes: [Suggests requiring that the source port of an SMTP connection be <512.] >Well, what's wrong this idea? I figure there has to be something wrong with >it or else it would have been suggested long ago. There's nothing in the TCP spec that says that low-numbered ports are "privileged". While this is true on many systems, it is not true on all, and there's no way that it could be made so. What about TCP implementations on personal computers? You can't even depend on the source address in the IP header to be correct, and you want to base a security feature on the port number? The mechanism you describe is used in Berkeley Unix's rsh and rlogin protocols. However, it is only permitted between consenting machines. The server machine has a list of machines that it believes implements this level of security. If you come from a different machine, it ignores the fact that you are coming from a low-numbered port. (This still isn't completely secure, since it ignores the fact that some systems will allow the user to fake the source IP address, thus pretending to be coming from a trusted machine; unfortunately, it's difficult to do better than this.) This is why this mechanism is not really useful in the general case. Barry Margolin Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar
smb@ulysses.homer.nj.att.com (Steven M. Bellovin) (11/14/88)
In article <19432.595013634@paris.ics.uci.edu>, raj@PARIS.ICS.UCI.EDU writes: > ... It seems to me as if we could solve this whole > problem once and for all by simply requiring the originating port for SMTP > deliveries to be a privileged port ( < 512 ).... > Well, what's wrong this idea? I figure there has to be something wrong with > it or else it would have been suggested long ago. According to the spec, there's no such thing as a privileged or reserved port. Berkeley has one, but (contrary to appearances) they do not define TCP/IP... More seriously, even if there were privileged ports defined, it still does nothing against someone with a PC, for which the very concept of trusting anything doesn't make sense. If you're really concerned about mail-spoofing, the only real answer is to use some sort of digital signature or end-to-end encryption.
jon@ATHENA.MIT.EDU (Jon Rochlis) (11/15/88)
Privileged ports are a concept whose time has come and (hopefully) gone. So has the idea that mail from "root" means you are a system administrator. For example, MIT's Project Athena publishes the public workstation root password in a piece of introductory documentation. Nothing in the system relies on "root" being trusted. If you want secure mail, take a look at RFC 1040, "Privacy Enhancement for Internet Electronic Mail: Part I: Message Encipherment and Authentication Procedures" by J. Linn. -- Jon
retrac@RICE.EDU (John Carter) (11/15/88)
In a message on tcp-ip, you proposed that requiring the originating port for SMTP deliveries to be a privileged port (< 512) would solve "once and for all" the problem of anonymous mail. Unfortunately, making the assumption that low numbered source ports are privileged is not a very good idea (although Unix does it all over). Many operating systems (including the V system) don't have consider low numbered ports "privileged". I can trivially create a source port with whatever number I desire and connect to your machine. Also, standalone machines (say a PC) can also rather easily create whatever port number you want. Unix's assumption that low numbered source ports for TCP connections are somehow `privileged' is not very safe. John Carter Rice University
smart@ditmela.oz (Robert Smart) (11/15/88)
In article <31376@think.UUCP> barmar@kulla.think.com.UUCP (Barry Margolin) writes: > The server machine has a list of machines that it believes implements > this level of security. If you come from a different machine, it > ignores the fact that you are coming from a low-numbered port. And SMTP could do the same and insert an X-Insecure-Message header on mail from places it doesn't trust. > still isn't completely secure, since it ignores the fact that some > systems will allow the user to fake the source IP address, thus > pretending to be coming from a trusted machine; unfortunately, it's > difficult to do better than this.) IP packets coming from the wrong ethernet address should cause a security alarm (and gateways shouldn't pass such packets on). And note that you have to do more than drop packets with the wrong IP address on the ethernet: you also have to pick up returning packets which will not be sent to your ethernet address, so you have to be in promiscuous mode. As Robert Elz <kre@munnari.oz.au> pointed out a while ago, the situation with electronic mail is no different to other communication media: anybody can write a letter and sign it Ronald Reagan, or phone someone and say "Hello, this is the New York State Lottery...". It seems likely that the legal sanctions preventing these things would apply to electronic mail and faxes if they have been worded with sensible generality. But I do think that SMTP and sendmail make these things much too easy. People without any technical competence at all can do mail spoofing. This means you get to include every idiot at an educational institution. With a little bit of effort it could have been restricted to idiots in the Computer Science courses! Bob Smart <smart@ditmela.oz.au>