------------------------- Week 11 Notes for CST8165 -------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

-------------------
INDEX to this file:
  - access to external SMTP at Algonquin (none)
  - SMTP "open relays"
  - SMTP service extension for authentication RFC 2554
  - (continued...) coding an HTTP server in Java
  - Eclipse Java IDE demo
-------------------

Algonquin SMTP restrictions prevent access to other SMTP servers from on
campus.  You must connect to the Algonquin SMTP server to send email.

SMTP open vs. closed relays
---------------------------

http://en.wikipedia.org/wiki/Open_mail_relay

    An open mail relay is an SMTP (e-mail) server configured in such a way
    that it allows anyone on the Internet to relay (i.e. send) e-mail
    through it.

http://www.ordb.org/faq/

    An open mail relay occurs when a mail server processes a mail message
    where neither the sender nor the recipient is a local user.

http://whatis.techtarget.com/definition/0,,sid9_gci782509,00.html

    An open relay (sometimes called an insecure relay or a third-party
    relay) is an SMTP e-mail server that allows third-party relay of e-mail
    messages.  By processing mail that is neither for nor from a local
    user, an open relay makes it possible for an unscrupulous sender to
    route large volumes of spam.  In effect, the owner of the server -- who
    is typically unaware of the problem -- donates network and computer
    resources to the sender's purpose.

http://email.about.com/library/glossary/bldef_open_relay.htm

    Definition: When the Internet was young, people trusted each other (or
    there simply weren't too many of them) and everybody was allowed to use
    everybody else's SMTP server.  The server would take the email message
    and forward it to the intended recipient.  Spammers exploited that
    openness.
    They sent their unsolicited messages through somebody else's mail
    server, thereby masking their real identity to the recipient.  This is
    why most mail servers will not accept messages for relaying today.
    Servers that will accept such messages are known as open relays.

Q: What is an SMTP "open relay"?

E-mail Authentication
http://en.wikipedia.org/wiki/E-mail_authentication

    Ensuring a valid identity on an e-mail has become a vital first step in
    stopping spam, forgery, fraud, and even more serious crimes.  An
    essential second step will be ensuring the entity has a good
    reputation.  Unfortunately, the Simple Mail Transfer Protocol (SMTP)
    that handles most e-mail today was designed in an era when users of the
    Internet were mostly honest techies who expected others to be equally
    honest.  This article will explain how e-mail identities are forged and
    the steps that are being taken now to prevent it.

Open Relays are not the major problem any more:
http://www.imc.org/ube-relay.html
  - random sample of 500 SMTP servers in August 2002

    "To date, there have been mostly anecdotal reports on how many
    publicly-known SMTP servers allowed anyone to relay through them.
    Because the reported percentages varied widely, and the test
    methodologies went unstated, IMC tested a large random sample of SMTP
    servers in January, 1998 to see how many of them allowed relaying from
    users not within their realm.  IMC repeated the test in July, 1998,
    July, 1999, January 2001, and August 2002 to show the trends in open
    relays.  The results show that fewer than 1% of mail servers that are
    named in mail addresses allowed relaying in August 2002, a very sharp
    reduction from over 6% from a year and a half earlier.  In the same 18
    months, the amount of spam a typical Internet user receives has gone up
    significantly.  This shows that the amount of spam is not related to
    the number of open relays available."

T/F: Open Relays are a major source of SPAM on the Internet.
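As an added illustration of the ordb.org relay rule above (a message with neither a local sender nor a local recipient), extended with the authenticated-submission case that the SMTP AUTH section below describes: this Python is not from the course notes, and the local domain, the credential store and the AUTH PLAIN decoding are constructed assumptions. The session object enforces the two RFC 2554 rules the notes quote: a failed AUTH can simply be retried, and after a successful AUTH the client must start over with EHLO.

```python
import base64
import hmac

LOCAL_DOMAINS = {"example.edu"}   # assumed: the domains this server hosts
USERS = {"student": "s3cret"}     # assumed: constructed credential store

def domain_of(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def relay_allowed(sender, recipient, authenticated):
    """Open-relay rule: mail with no local party needs an authenticated client."""
    local = domain_of(sender) in LOCAL_DOMAINS or domain_of(recipient) in LOCAL_DOMAINS
    return local or authenticated

def check_plain(arg):
    """Verify an AUTH PLAIN argument: base64(authzid NUL authcid NUL passwd)."""
    try:
        _, user, password = base64.b64decode(arg, validate=True).split(b"\0")
    except ValueError:
        return None        # malformed base64 or wrong number of NUL fields
    user = user.decode("utf-8", "replace")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password):
        return None        # a failed login is just a failure: no guest fallback
    return user

class SmtpSession:
    def __init__(self):
        self.greeted = False   # EHLO seen since connect or since the last AUTH
        self.user = None       # set only by a successful AUTH

    def ehlo(self):
        self.greeted = True    # AUTH is advertised only before authentication
        return "250-AUTH PLAIN" if self.user is None else "250 OK"

    def auth_plain(self, arg):
        if not self.greeted or self.user is not None:
            return "503 Bad sequence of commands"
        user = check_plain(arg)
        if user is None:
            return "535 Authentication failed"  # client may simply retry AUTH
        self.user, self.greeted = user, False   # client must start over with EHLO
        return "235 Authentication successful"

    def rcpt(self, sender, recipient):
        if not self.greeted:
            return "503 Send EHLO first"
        ok = relay_allowed(sender, recipient, self.user is not None)
        return "250 OK" if ok else "550 Relaying denied"
```

Addresses are assumed to be bare user@domain strings; a real server would parse the angle-bracket form from MAIL FROM and RCPT TO before applying this rule.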
SMTP Service Extension for Authentication
-----------------------------------------

SASL: Simple Authentication and Security Layer
SMTP AUTH
http://tools.ietf.org/html/rfc2554
http://www.faqs.org/rfcs/rfc2554.html

Section 4 p.3:
  - After a successful AUTH SASL negotiation, the client starts over from
    scratch with EHLO again.
  - Clients can try multiple AUTH commands if the first fails.

T/F: If a client fails an SMTP AUTH authentication, it must disconnect and
reconnect to try again.

Brute forcing AUTH using Microsoft guest account:
http://www.spamcop.net/fom-serve/cache/372.html

    For example, by default, Microsoft Exchange 5.5, 2000, 2003 and the
    Exchange server with IIS/5 set up a guest account.  This allows anyone
    to connect to and use the server.  Even if you have set up "require
    authentication" (meaning the user must supply a username and password)
    the guest account will allow the user to send mail through the server
    even if their login fails.

Q: Why didn't "require authentication" improve the security of early
Microsoft Exchange servers?

Coding an HTTP server (Java)
----------------------------

W3C Java server (HTTP 1.1): Jigsaw
http://www.w3.org/Jigsaw/

Lab 5 is posted:
http://teaching.idallen.com/cst8165/06f/notes/lab05.txt

A working Java HTTP server with basic functionality (in 145 lines) is
available here:
http://www.brics.dk/ixwt/examples/FileServer.java
  - this version does not adhere to the HTTP RFC in many respects
  - needs comments on functionality (not on how Java works)
  - has many "public" items that should be made private
  - may be missing things such as closing opened files...
(Older version: http://www.brics.dk/~amoeller/WWW/javaweb/index.html )

An overview of TCP, HTTP and servers using Java:
http://www.brics.dk/ixwt/http.pdf

Sun Guides/Tutorials on Java networking (mostly client side):
http://java.sun.com/j2se/1.5.0/docs/guide/net/overview/overview.html
http://java.sun.com/docs/books/tutorial/networking/index.html
http://java.sun.com/docs/books/tutorial/networking/urls/index.html

java.net references:
http://java.sun.com/j2se/1.5.0/docs/api/java/net/package-summary.html

Java 5.0 (also known as 1.5) package documentation:
http://java.sun.com/j2se/1.5.0/docs/
http://java.sun.com/j2se/1.5.0/docs/api/
  - java.io.File, java.lang.String, etc.

Eclipse IDE demo
----------------
  - see also the NetBeans IDE from Sun
  - Sun Java is now fully Open Source