Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

The trouble with SMTP

The trouble with SMTP

  • Comments 1

SMTP, or Simple Mail Transfer Protocol, is the Internet protocol that the world uses to transmit email.  Its advantage is that it is simple to use (so simple, even a caveman could use it! But on a side note, I did not save 15% or more with Geico; in fact, by using them, it costs me about 30% more.  But I digress...).

As John Levine has said (somewhere), the great thing about SMTP is that anyone can use it to send mail to anyone else.  The crucial flaw about SMTP is that anyone can use it to send mail to anyone else.  I would agree with that, so let's see what exactly that statement means.

SMTP allows you to compose an email.  First, you say HELO (or EHLO in Extended SMTP), which is the mail server saying "Hello, my name is ...".  Next, you give a MAIL FROM, that is, who the message is from.  Then you specify a RCPT TO, who the message is going to.  You add the contents of the body of the message, say QUIT and bang, you're done.  The message is routed to the Interweb and it magically arrives in your inbox.

This all works well when people you can trust are the ones doing the communicating.  It also works if people who you don't know but are trustworthy want to communicate with you.  People who you trust you don't need to worry about, they will always send mail with the proper credentials.  But you don't want to receive mail only from people you trust; you also want to communicate with new people.  On Facebook, I recently had my birthday and well over a third of the birthday wishes were from people I didn't know a year ago; in the past year I've wanted to receive communication from new people.  You cannot simply lock down your communications interface and SMTP allows you to receive communication from those you have never heard from.  So long as the new communicator is trustworthy, there's no problem.  Anyone can send mail to anyone.

And that's the problem.  Because anyone can send mail to anyone, it is wide open to abuse.  You want to hear from your best friend, but what if your worst enemy (in my case, Korean kimchee) impersonates your best friend and sends you an email?  Someone who you thought you can trust is now intending to cause you harm.  In and of itself, SMTP does not have a mechanism to force the sender of the mail to identify themselves.  Because of this, spammers can abuse the protocol.  They can send mail to anyone and they don't need to worry about the consequences.  They can send mail as anyone without worrying about the consequences.

In a world where we all play by the rules and assign our credentials to the things we say and do, this all works fine.  But we don't live in that kind of world, we live in a world where small segments of the population abuse the trust of the rest of us and exploit it for financial gain.  I guess it doesn't have to be for financial gain, but it usually is in the case of spammers.

So, SMTP has low bars to entry and setting it up helps the world to communicate with each other.  But in doing so, its drawback is that technology has allowed spammers to abuse it and scale that abuse upwards.  It's a catch-22; we'd like a better email communication protocol but there's already a huge investment in it and replacing it would take years, if not more likely decades.

Leave a Comment
  • Please add 5 and 3 and type the answer here:
  • Post