Newsgroups: alt.security
From: Mark Crispin
Subject: Bernstein on SMTP tracing
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Sender: news@u.washington.edu (USENET News System)
Organization: University of Washington
Mime-Version: 1.0
Date: Tue, 5 May 1992 07:33:15 GMT
Lines: 34

I hope that anyone who takes Bernstein's advice on using RFC-931 only has to deal with clueless kiddies and not with real hackers.

Bernstein lists five categories of people that have to be trusted in order for RFC-931 to work. To this, let me add a sixth category: any user on a personal workstation.

But, you protest, we just disallow SMTP connections from personal workstations by IP number and that solves the problem. Titter. Giggle. Tee-hee. Ha ha. HAR HAR HAR HAR HAR HAR HAR.

Let me go further. I can send a forged message to an RFC-931 machine A that alleges to be from a user (other than me) at RFC-931 machine B. I can do this with a combination of knowledge and experience on the Internet (and ARPAnet before that) that I have acquired in the past 18 years. I am not unique; people with less knowledge and experience possess the requisite knowledge to accomplish this as well.

Fortunately, most of us are on the side of the good guys, and most of the bad guys are quite clueless. RFC-931 is alright against the clueless. Unfortunately, such measures tend to motivate the clueless to get a clue before they possess sufficient maturity to handle this knowledge responsibly. Personally, I think it is better to have the wave of forged mail at the beginning of the school year and let the novelty wear off. It also teaches mail recipients a healthy distrust of what comes over the wire.

RFC-931 does not, and can not, eliminate the forged mail problem. It merely reduces it.

I also take offense at Bernstein's repeated bad-mouthing of the good work being done by the PEM folks. I have no relationship to them, but I have been tracking their work.
They are trying to do something real, not a half-assed hack that is UNIX-dependent and involves trusting a potentially large number of people of questionable trustworthiness. What does Bernstein have against PEM? It seems as if he actually is *opposed* to PEM now and in the future, as opposed to merely pushing RFC-931 as an interim measure.
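The post's point is that an RFC-931 (ident) reply is nothing more than a string claimed by whatever software answers on the remote host. The following is an added illustration, not code from the post or from any MTA: a parser for the RFC-931 reply format as a mail server would see it, with the result recorded only as an unverified annotation. The sample replies and the username "alice" are constructed.

```python
import re

# RFC-931 reply grammar (retained by its successor RFC 1413):
#   "<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>"
#   "<port-on-server> , <port-on-client> : ERROR : <error-type>"
# "server" means the host answering the ident query (the SMTP client),
# "client" means the host asking (the SMTP server).
_REPLY = re.compile(
    r"^\s*(?P<sport>\d+)\s*,\s*(?P<cport>\d+)\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*?)\s*$"
)


def parse_ident_reply(line: str, server_port: int, client_port: int) -> dict:
    """Parse one ident reply line for the connection (server_port, client_port).

    Whatever comes back in the user field was chosen by the remote host; the
    protocol offers no way to verify it, which is the post's objection.
    """
    m = _REPLY.match(line)
    if m is None:
        return {"status": "malformed", "user": None}
    if int(m["sport"]) != server_port or int(m["cport"]) != client_port:
        # The reply describes some other connection than the one we asked about.
        return {"status": "port-mismatch", "user": None}
    if m["kind"] == "ERROR":
        return {"status": "error:" + m["rest"], "user": None}
    # The user-id may itself contain ':', so split off only the opsys field.
    opsys, _, user = m["rest"].partition(":")
    return {"status": "userid", "opsys": opsys.strip(), "user": user.strip()}


def received_annotation(reply: dict) -> str:
    """How a receiving MTA could log the result: a claim, never an identity."""
    if reply["status"] == "userid":
        return f"(ident claims {reply['user']}, unverified)"
    return "(ident unavailable)"
```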