Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Sender Authentication part 1: The basics of sending email


This is my first post in my series on email authentication.  In order to understand how to authenticate the sender of an email, we need to understand how email works.

I remember back in my 4th year of university when we learned how to send "fake" email.  The basic idea behind this was that we could send email to whoever we wanted to and specify any return address we wanted, even a domain that didn't exist.  So, I sent a few fake messages to friends of mine.  At the time, it never occurred to me that ethically-challenged people could seriously exploit this for nefarious purposes.

In this post and the next one, I am going to summarize the information found on this page from stopspam.org (i.e., most of this material was not originally written by me).  That's a very good web page that provides a coherent overview of email headers.  If you're like most internet users (including myself) and rarely bother clicking links, then read on.

To begin with, let's try to understand how email gets from point A to point B.  Email travels through connections called ports.  To keep track of all the different connections, the ports are numbered.  Port 25 is the one that is used to transmit and receive email.  When a computer attempts to transmit email, it opens a connection to port 25 and attempts to transmit using the Simple Mail Transfer Protocol, or SMTP. 

This whole transaction depends on five commands which constitute the core of SMTP: HELO, MAIL FROM, RCPT TO, DATA, and QUIT.

HELO identifies the sending machine. "HELO mail.tzink.com" should be read as "Hello, I'm mail.tzink.com". However, the sender does not necessarily have to tell the truth; in fact, nothing prevents the sender from saying "Hello, I'm bonjour.hola.guten-tag" or "Hello, I'm woozle.wozzle.gov", or even "Hello, i.am.not.configured.properly".  However, in most circumstances, the receiver has some tools with which to discover this and find out the sending machine's real identity.

MAIL FROM is the command that initiates the mail processing.  It means "I have mail to deliver from so-and-so". The address that is specified becomes the envelope From, also called the envelope sender, and it does not need to be the same as the sender's own address! This apparent security hole is inevitable (after all, the receiving machine doesn't know anything about who has what username on the sending machine), but in certain circumstances it turns out to be a useful feature.

RCPT TO is the flip-side to MAIL FROM; it specifies the intended recipient of the message. One piece of mail can be sent to multiple recipients by including multiple RCPT TO commands. The specified address becomes the envelope To, which is also referred to as the envelope recipient.  It is this recipient that determines who the mail will be delivered to, regardless of what the To: line in the message says.

DATA starts the actual mail entry. Everything entered after a DATA command is considered to be part of the message and there are no restrictions on its form. Lines at the beginning of the message (before the first blank line) that start with a single word and a colon are considered to be headers by most mail programs. A line consisting only of a period terminates the message.

QUIT terminates the connection.

Below is an example mail conversation between the sending domain, tzink.net, and the recipient domain, tzink-is-awesome.com.  Lines that begin with a three-digit reply code come from the recipient machine; the other lines are sent by the transmitting machine.

220 mailhost.tzink-is-awesome.com ESMTP Sendmail 8.8.5/1.4/8.7.2/1.13; Fri, Jun 15 2007 14:38:58 -0800 (PST)
HELO mail.tzink.net
250 mailhost.tzink-is-awesome.com Hello mail.tzink.net [], pleased to meet you
MAIL FROM: me@tzink.net
250 me@tzink.net... Sender ok
RCPT TO: me@tzink-is-awesome.com
250 me@tzink-is-awesome.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Received: from svengali.tzink.net (svengali.tzink.net []) by mail.tzink.net (8.8.5) id 004A21; Fri, Jun 18 2007 14:36:17 -0800 (PST)
From: Terry Zink <my.alias@tzink.net>
To: me@tzink-is-awesome.com
Date: Fri, Jun 15 2007 14:36:14 PST
Message-Id: <elmsley-flushtration-484@mail.tzink.net>
Subject: How's it going?

So this is pretty cool, I'm sending an email message.

-- tzink
.
250 FAA214578 Message accepted for delivery
QUIT
221 mailhost.tzink-is-awesome.com closing connection

Note the five important commands, HELO, MAIL FROM, RCPT TO, DATA, and QUIT.  That's the basics of what it takes to send an email.
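The envelope addresses given in MAIL FROM and RCPT TO are separate from the From: and To: headers inside DATA, and a receiver that logs both can compare them. The following is an added example, not code from the original post or from stopspam.org: it parses the client side of a session like the one above and reports where the headers differ from the envelope. The function names `parse_session` and `compare` are hypothetical, and the sample input is constructed from the conversation above.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: client-side lines of the session above (server replies omitted).
SESSION = """\
HELO mail.tzink.net
MAIL FROM: me@tzink.net
RCPT TO: me@tzink-is-awesome.com
DATA
From: Terry Zink <my.alias@tzink.net>
To: me@tzink-is-awesome.com
Subject: How's it going?

So this is pretty cool, I'm sending an email message.
.
QUIT
"""

def parse_session(text):
    """Split a client-side SMTP dialogue into envelope values and the message."""
    env = {"helo": None, "mail_from": None, "rcpt_to": []}
    data, in_data = [], False
    for line in text.splitlines():
        if in_data:
            if line == ".":                      # a lone period ends the message
                in_data = False
            else:                                # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
            continue
        verb = line.strip().upper()
        if verb.startswith(("HELO ", "EHLO ")):
            env["helo"] = line.split(None, 1)[1].strip()
        elif verb.startswith("MAIL FROM:"):
            env["mail_from"] = parseaddr(line.strip()[10:])[1]
        elif verb.startswith("RCPT TO:"):        # may repeat, one per recipient
            env["rcpt_to"].append(parseaddr(line.strip()[8:])[1])
        elif verb == "DATA":
            in_data = True
    return env, message_from_string("\n".join(data))

def compare(env, msg):
    """List differences between the headers a reader sees and the envelope."""
    findings = []
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    if hdr_from != (env["mail_from"] or "").lower():
        findings.append(f"From header {hdr_from} != envelope sender {env['mail_from']}")
    hdr_to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    for rcpt in env["rcpt_to"]:
        if rcpt.lower() not in hdr_to:
            findings.append(f"envelope recipient {rcpt} not in To header")
    return findings
```

A difference is not proof of forgery: mailing lists and blind copies produce the same findings, which is why the envelope and the headers have to be evaluated separately.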

  • In your example, you missed the blank line between Subject: and "So this is pretty cool".

  • Fixed.

  • I think the subject of this blog entry is mail transfer commands rather than headers?  You only mentioned the headers a bit in order to mention that they don't have to match the commands.

    Prior to TCP-IP e-mail (using TCP port 25), there was UUCP e-mail (using serial links).  In some systems the uucp account lives on even though they don't use it any more.  If I recall correctly, when AOL connected to the internet, AOL didn't know about the old UUCP method, so they let some human get an account named uucp.  He got all kinds of interesting mail, most of which wasn't intended for him.

  • As we saw in our previous post, 5 basic commands are needed for SMTP. When the receiving mail transfer

  • Yeah, it was originally going to be email headers but I realized that I had to first go into how SMTP works before I started on things like SPF and SenderID.

    I've gone back and changed the title.

  • Authentication?  What authentication?
