SMTP By Antoinette Davis

What is SMTP? Simple Mail Transfer Protocol A TCP/IP protocol used in sending and receiving email

SMTP Mail Processing Model

What does that mean TONI?! The email address of the originator is always enclosed in angle brackets (“<”and “>”). The SMTP receiver acknowledges the command with a 250 (“OK”) reply message, sometimes sending back the address as a confirmation. For example: 250 <joe@someplace.org>… Sender ok Next, the SMTP sender uses RCPT commands to specify the intended recipients of the e-mail that is being sent. Assuming the server accepts the e-mail, it will give a 250 “OK” reply again, such as this: 250 <jane@somewhereelse.com>… Recipient ok The SMTP sender then issues the DATA command, which tells the SMTP receiver that the message is coming: DATA The SMTP receiver responds with a 354 “intermediate” reply message, such as this: 354 Enter mail, end with “.” on a line by itself

Transaction Example MAIL FROM:<joe@someplace.org> 250 <joe@someplace.org>… Sender ok RCPT TO:<jane@somewhereelse.com> 250 <jane@somewhereelse.com>… Recipient ok DATA 354 Enter mail, end with "." on a line by itself From: Joe Sender <joe@someplace.org> To: Jane Receiver <jane@somewhereelse.com> Date: Sun, 1 Jun 2003 14:17:31 —0800 Subject: Lunch tomorrow Hey Jane, It's my turn for lunch tomorrow. I was thinking we could [rest of message] Hope you are free. Send me a reply back when you get a chance. Joe. . 250 OK

SMTP Limitations Body must be encoded in 7 bit ASCII: no binaries g7 bit = 128 possible characters Images, video, etc, are inherently g8 bit No National Language Characters (8-bit) SMTP servers may have arbitrary size limit SMTP gateways have inconsistent ASCII to EBCDIC Mappings SMTP gateways to X.400 cannot handle non-textual data X.400 is the messaging (notably e-mail) standard specified by the ITU-TS (International Telecommunications Union - Telecommunication Standard Sector).

Because of limitations… it is usually used with one of two other protocols, POP3 or IMAP that let the user save messages in a server mailbox and download them periodically from the server users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail On Unix-based systems, sendmail is the most widely-used SMTP server for e-mail

Sendmail When a sendmail server receives e-mail, it attempts to deliver the mail to the intended recipient immediately and, if the recipient is not present, it queues messages for later delivery However, because it does not provide a mailbox facility and for other reasons, other software such as a POP3 or Internet Message Access Protocol server are also needed Most Internet service providers provide both an SMTP server (such as sendmail) and a POP or IMAP server.

POP3 POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server POP3 is designed to delete mail on the server as soon as the user has downloaded it some implementations allow users or an administrator to specify that mail be saved for some period of time

IMAP IMAP (Internet Message Access Protocol) is a standard protocol for accessing e-mail from your local server IMAP (the latest version is IMAP Version 4) is a client/server protocol in which e-mail is received and held for you by your Internet server. You (or your e-mail client) can view just the heading and the sender of the letter and then decide whether to download the mail. You can also create and manipulate multiple folders or mailboxes on the server, delete messages, or search for certain parts or an entire note. IMAP requires continual access to the server during the time that you are working with your mail.

POP3 vs IMAP less sophisticated protocol is Post Office Protocol 3 (POP3). With POP3, your mail is saved for you in a single mailbox on the server. When you read your mail, all of it is immediately downloaded to your computer and, except when previously arranged, no longer maintained on the server. IMAP provides the user more capabilities for retaining e-mail on the server and for organizing it in folders on the server. IMAP can be thought of as a remote file server. POP3 can be thought of as a "store-and-forward" service.

How the SMTP, POP3, and IMAP relate POP and IMAP deal with the receiving of e-mail and are not to be confused with the Simple Mail Transfer Protocol (SMTP), a protocol for transferring e-mail across the Internet. You send e-mail with SMTP and a mail handler receives it on your recipient's behalf. Then the mail is read using POP or IMAP.

Think you can trust unsigned email. Think again Think you can trust unsigned email? Think again. Here's how easy it is to spoof SMTP mail on some servers: C:\>telnet whatever.com 25 Connected to whatever.com. Escape character is '^]'. 220 whatever.com ESMTP Exim 4.20 Tue, 15 Jul 2003 14:09:37-0700 MAIL FROM: <god@heaven.com> 250 OK RCPT TO: <scott@wannabe.guru.org> 250 Accepted DATA 354 Enter message, ending with "." on a line by itself Subject: a message from God Don't fake any more email or I'll send you to hell. . 250 OK id=19cX3k-0000Cw-Mm QUIT 221 whatever.com closing connection Connection closed by foreign host.

Email Spoofing Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

How Spoofing can affect security.. email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

Step 1 A mail spoofer connects (either directly or indirectly) to the victim mail server and begins to deliver mail normally. Once accepted by the Victim Mail Server, the mail spoofer provides a false (or possibly blank ) MAIL FROM command to the mail server. In the example, MAIL FROM: indicates a fake address and domain.

Step 2 The Victim Mail Server accepts the false MAIL FROM command and continues to accept delivery. At this point the mail spoofer provides a destination address (or addresses) and proceeds to the DATA portion of the email transaction. In the example, the mail spoofer sends email with a fake address and domain, which is accepted by the Victim Mail Server. The acceptance is due to the previous acceptance of the mail spoofer. In the DATA portion of the email transaction, the spoofer provides false FROM: information (which will be displayed in the email client of our victim).

Step 3 The spoofer may at this point continue with mail delivery as normal, delivering any number of negative payloads to the victim(s)

Who uses email spoofing? Mail spoofing, when performed for malicious reasons, is used mostly by spammers as a method of delivering malicious payloads (viruses, worms, etc.) to unsuspecting victims

What Can you Do to Protect Yourself from Spoofing Theft DON'T click on the link in an email that asks for your personal information. If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information. Be suspicious if someone contacts you unexpectedly and asks for your personal information. Act immediately if you’ve been hooked by a phisher. Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. Stay educated of latest spoofing techniques

Cites Used SMTP: http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Mail_processing_model SMTP: http://searchexchange.techtarget.com/definition/SMTP POP3: http://searchexchange.techtarget.com/definition/POP3 IMAP: http://searchexchange.techtarget.com/definition/IMAP Model: http://www.tcpipguide.com/free/t_SMTPMailTransactionProcess-3.htm

Limitations: http://www.soi.wide.ad.jp/class/20000009/slides/11/8.html Sendmail: http://searchenterpriselinux.techtarget.com/definition/sendmail Spoofing: http://www.cert.org/tech_tips/email_spoofing.html http://www.symantec.com/business/support/index?page=content&id=TECH82284 Prevention: http://www.consumerfraudreporting.org/spoofing.php