By Dr. Philip Baczewski, Associate Director of Academic Computing

Doom and More Doom

The recent outbreak of the MyDoom virus/worm and its variants has reminded me of just how fragile is the state of E-mail technology. One of the ways that the virus spreads is to send E-mail to whatever "to" addresses it can find or make up while using a random "from" address found stored on the infected computer. While leaving a backdoor for future misdeeds is bad enough, this misappropriation of E-mail addresses is even more egregious in my book. Much to my displeasure, over the last two weeks, I have received a flood of mail delivery errors for messages that I never sent. Those probably originated from infected Windows machines, probably belonging to spammers, on which my address was stored. The original recipient addresses in most cases were no longer active, which caused the mail to be returned to the "from" address (although, in some cases, the delivery agent detected the virus and rejected the mail for that reason).

Who's to blame?

My first thought is that I wish spammers would at least keep their virus protection up to date so that I wouldn't have to deal with messages that are even more annoying than the spam they send. As an avowed non-Windows user, I feel that I am justified in my righteousness, since I could click on attachments all day without fear that they would be able to use Windows weaknesses to spread, but also that I know better than to click on attachments sent from people I've never heard of before (whether they love me or not). My next thought is to blame Microsoft for the whole mess (righteousness index rising), but while their software doesn't do much to prevent worms like MyDoom from spreading, Windows is a target of opportunity and not the genesis of the problem (you can't blame the stump for its rot). No, it's us sloppy humans and not those precise computers that are to blame.

Sloppy humans make mistakes and create bugs or weaknesses in computer programs.
Sloppy humans don't use virus software or don't keep it up to date. Sloppy humans create, use, or configure Internet software which does not comply with the standards upon which the Internet is based. It's the latter case which aggravates the mess with spam and viruses like MyDoom.

Long ago (1982), a specification was written for formatting Internet text E-mail. RFC822 is one of those terms which trips off the tongue of us longstanding Internet habitués. It's the bible of Internet E-mail headers. The E-mail header tells machines and humans where an E-mail came from and where it is supposed to go. RFC822 defines different header elements that provide various information about an E-mail. Some of these are real familiar, such as From, To, and Subject. But there are other fields which report on the routing of E-mail. "Received" is supposed to be written by any mail router through which a piece of mail passes. The Received header items show the path that the E-mail took from its entry into the network to its final destination. In addition to From and Reply-To there is an additional field, "Sender", which is supposed to show the "authenticated identity of the . . . person, system or process . . . that sends the message". If all E-mail showed the real sender, then spam messages would be much easier to track back to their source. But unfortunately, people and programs don't always respect the spirit or the letter of RFC822.

Security versus freedom?

One idea to better identify E-mail is to demand authentication whenever you want to send an E-mail message. When RFC822 was written, there were very few single-user computers attached to wide area networks (compared to today, in 1982 there were very few single-user computers). Instead, you logged on to a multi-user computer with a username and password which to some extent provided legitimacy and authentication of any E-mail you sent. Today the picture is quite different.
Most people who use the Internet use it from a single-user machine. The downside to authenticated SMTP (SMTP is the E-mail relay protocol used by servers that route mail) is that it requires a username and password for each mail message injected into the network. Your E-mail client is probably programmed to accept your name and password once and then provide it each time a mail message is sent, but requiring this authentication takes away from the flexibility of E-mail. Its power is in its simplicity. Its simplicity allows E-mail to be sent from a wide variety of people and devices from a wide variety of networks and locations. Adding a password barrier to E-mail will make it a much less efficient and adaptable technology.

Another idea would be to agree to better enforce the sender field, but without strict authentication. Servers that accept mail for injection into the Internet could make their best attempts to identify an E-mail's source and provide a user name and network address for the person or machine which generates the E-mail. But unfortunately, this probably leaves a loophole for those dishonest folks who will forge such information whether it is impolite or downright illegal (as the recent CAN-SPAM Act has enacted).

So, maybe authenticated SMTP is the answer. But it's not all of the answer. The other part is a system of trust among mail transfer servers to be able to tell whether or not the connecting system can be identified later. Requiring reverse DNS registration is one way to accomplish this. AOL has instituted this on all their mail exchange servers. UNT has as well, although such attempts in the past have generated complaints that some mail can't get to UNT.

So, it comes down to security from spam and virus mail versus the freedom to correspond without the blessing of some central or governmental authority. Security versus freedom. Never mind. I can keep throwing away those spam, virus, and bogus bounce messages. I'll side with the U.S.
Constitution and pick freedom, thank you.
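
The Received trail and the unauthenticated From field described above under RFC822 can be read mechanically when triaging a bogus bounce. The following is an added example, not part of the original column: it uses Python's standard `email` module on a constructed message (all hosts and addresses are made up) and assumes the common `from NAME (RDNS [IP]) by HOST` layout of Received lines; `received_path` and `trace` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (made-up hosts, documentation IP ranges): a message
# with a forged From, relayed twice before reaching the final mail host.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mailhost.example.edu with ESMTP id A1; Mon, 2 Feb 2004 10:00:03 -0600
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP id B2; Mon, 2 Feb 2004 10:00:01 -0600
Received: from victim-pc (unknown [203.0.113.45])
\tby relay.example.net with SMTP id C3; Mon, 2 Feb 2004 09:59:58 -0600
From: "A User" <someone@example.org>
To: nobody@example.com
Subject: hi

test
"""

# Assumed layout: from HELO (RDNS [IP]) by RECEIVER; the RDNS part is optional.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def received_path(raw):
    """Return hops oldest-first as (helo_name, rdns_name, ip, receiving_host)."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(m.groups())
    return hops

def trace(raw):
    """Compare the claimed From domain with the host that injected the mail."""
    msg = message_from_string(raw)
    hops = received_path(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    helo, rdns, ip, _ = hops[0] if hops else (None, None, None, None)
    name = (rdns or helo or "").lower()
    return {
        "from_domain": from_domain,
        "sender": msg.get("Sender"),  # frequently absent, as here
        "origin_ip": ip,
        "origin_rdns": None if rdns in (None, "unknown") else rdns,
        "origin_matches_from": bool(from_domain)
        and (name == from_domain or name.endswith("." + from_domain)),
    }
```

Only the Received lines written by relays you control are trustworthy; anything below the first hop into your own infrastructure can be forged by the sending host, just like From.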