LESSON 9 E-MAIL SECURITY part II

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 19:51

9.1.2 POP and SMTP

After your e-mail client knows your e-mail address, it's going to need to know where to look for incoming e-mail and where to send outgoing e-mail.

Your incoming e-mails are going to be on a computer called a POP server. The POP server – usually named something like pop.smallnetwork.net or mail.smallnetwork.net – has a file on it that is associated with your e-mail address and which contains e-mails that have been sent to you from someone else. POP stands for post office protocol.

Your outgoing e-mails will be sent to a computer called an SMTP server. This server – named smtp.smallnetwork.net – will look at the domain name contained in the e-mail address of any e-mails that you send, then will perform a DNS lookup to determine which POP3 server it should send the e-mail to. SMTP stands for simple mail transfer protocol.

When you start up your e-mail client, a number of things happen:

1. the client opens up a network connection to the POP server
2. the client sends your secret password to the POP server
3. the POP server sends your incoming e-mail to your local computer
4. the client sends your outgoing e-mail to the SMTP server.

The first thing to note is that you do not send a password to the SMTP server. SMTP is an old protocol, designed in the early days of e-mail, at a time when almost everyone on the Internet knew each other personally. The protocol was written with the assumption that everyone who would be using it would be trustworthy, so SMTP doesn't check to ensure that you are you. Most SMTP servers use other methods to authenticate users, but – in theory – anyone can use any SMTP server to send e-mail. (For more information on this, see section 9.2.4 Forged Headers.)

 

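9.1.2 Post Office Protocol and Simple Mail Transfer Protocol

Once your e-mail client knows your e-mail address, it will know which address to receive mail from and which to send mail to.

E-mail sent to you is stored on a POP server. The POP server – usually called pop.smallnetwork.net or mail.smallnetwork.net – holds a file that stores your e-mail address and the e-mails that are to be delivered to you. POP is short for post office protocol.

The e-mail you want to send is delivered to an SMTP server. This server – usually called smtp.smallnetwork.net – looks at the domain name of the address you are sending to, then uses a DNS lookup to decide which POP3 server the e-mail should be sent to. SMTP is short for simple mail transfer protocol.

When you log in to your e-mail client, a series of things happen:

1. The client requests a connection to the POP server

2. The client sends your password to the POP server

3. The POP server sends the e-mail addressed to you to your computer

4. The client sends the e-mail you want to send to the SMTP server

The first thing to note is that the password is not sent to the SMTP server. SMTP is a fairly old protocol, designed in the early days of e-mail, when almost everyone on the network knew one another. The protocol was designed on the premise that everyone using e-mail was honest, so SMTP does not check who is sending the e-mail. Most SMTP servers have adopted other methods to verify users' authenticity, but, in theory, anyone can send e-mail through SMTP. (For more information, see 9.2.4 Forged Headers.)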

 

The second thing to note is that, when you send your secret password to the POP server, you send it in a plaintext format. It may be hidden by little asterisks on your computer screen, but it is transmitted through the network in an easily readable format. Anyone who is monitoring traffic on the network – using a packet sniffer, for instance – will be able to clearly see your password. You may feel certain that your network is safe, but you have little control over what might be happening on any other network through which your data may pass.

The third, and possibly most important, thing that you need to know about your e-mails is that they are – just like your password – transmitted and stored in a plain-text format. It is possible that they may be monitored any time they are transferred from the server to your computer.

This all adds up to one truth: e-mail is not a secure method of transferring information. Sure, it's great for relaying jokes, and sending out spunkball warnings, but, if you're not comfortable yelling something out through the window to your neighbor, then maybe you should think twice about putting it in an e-mail.

Does that sound paranoid? Well, yeah, it is paranoid, but that doesn't necessarily make it untrue. Much of our e-mail communication is about insignificant details. No one but you, Bob and Alice cares about your dinner plans for next Tuesday. And, even if Carol desperately wants to know where you and Bob and Alice are eating next Tuesday, the odds are slim that she has a packet sniffer running on any of the networks your e-mail might pass through. But, if a company is known to use e-mail to arrange for credit card transactions, it is not unreasonable to assume that someone has set up, or is trying to set up, a method to sniff those credit card numbers out of the network traffic.
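The second and third points above (the password and the messages both cross the network as readable text) can be checked on a recorded POP3 session. The following is an added example, not part of the original lesson: it audits a transcript and lists every command whose data was sent before encryption began. The sample session, the function name audit_pop3 and the "C:"/"S:" transcript layout are assumptions made for illustration; STLS is the POP3 command that upgrades a connection to TLS, which the lesson itself does not cover.

```python
# Added example: audit a POP3 transcript for data a packet sniffer could read.
# "C:" marks client commands and "S:" server replies, as in RFC 1939 examples.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS example-password
S: +OK maildrop has 1 message
C: RETR 1
S: +OK 120 octets
S: Subject: dinner next Tuesday
S: .
C: QUIT
S: +OK bye
"""  # constructed sample, not a real capture

EXPOSED = {
    "USER": "account name sent in cleartext",
    "PASS": "password sent in cleartext",
    "RETR": "message content returned in cleartext",
    "TOP": "message headers returned in cleartext",
}


def audit_pop3(transcript):
    """Return (line_number, finding) pairs for everything sent before TLS."""
    findings = []
    stls_pending = False
    for number, raw in enumerate(transcript.splitlines(), start=1):
        side, _, text = raw.partition(": ")
        if side == "S":
            if stls_pending and text.startswith("+OK"):
                break  # TLS starts here; later bytes are encrypted on the wire
            stls_pending = False  # any other reply (e.g. -ERR) means no TLS
        elif side == "C" and text.strip():
            verb = text.split()[0].upper()
            stls_pending = verb == "STLS"
            if verb in EXPOSED:
                # Report the command only, never echo the secret itself.
                findings.append((number, EXPOSED[verb]))
    return findings


if __name__ == "__main__":
    for number, finding in audit_pop3(SAMPLE_SESSION):
        print(f"line {number}: {finding}")
```

A session in which the server refuses STLS and the client logs in anyway is still flagged, because the audit only stops once the server has accepted the upgrade.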

 

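The second thing to note: the password sent to the POP server is sent unencrypted. On screen it is masked with * symbols, but on the network it is transmitted in a format that is extremely easy to read. Anyone monitoring the network can easily steal your password with a sniffer. You may feel that the network your computer is connected to is safe, but you cannot control whether the networks your data has to pass through are safe.

The third thing, and the most important: you need to know that your e-mails, like your password, are transmitted and stored unencrypted. They may well be scanned in transit. From all this we should understand: e-mail is not a secure way to transfer information. Of course it is still a fine choice for telling jokes and sending warnings, but you would not like the feeling of shouting abuse at your neighbor through the window, so if you are going to do that, think twice.

Does that sound paranoid? Well, yes, but there is no need to tell lies. Most information sent by e-mail is unimportant. Suppose you want to arrange by e-mail with Bob and Alice what to eat next Tuesday; apart from you, Bob and Alice, no one wants to know your plans. Even if Carol badly wants to know where you, Bob and Alice are eating next Tuesday, the chance that she would scan the whole network with a sniffer to read your e-mail is very small. But if a company is known to handle credit card transactions by e-mail, someone will certainly try every means to obtain those credit card numbers through the network.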

 
