Staff Report 2002-01

Email attribution (the 'from' field issue)

Preamble

Complaints have been received recently about the mail server changing the domain on outgoing mail from "ncf.ca" to "freenet.carleton.ca".

Discussion

NCF has a long-standing policy requiring members to identify themselves truthfully when posting, sending, chatting, or otherwise using NCF facilities. The intention of this policy is to promote accountability and responsible behaviour.

This policy is enforced by NCF software, such as the news and mail programs, but is not enforced by software operated by users on their personal computers. For example, PC-based mail programs such as Outlook Express allow the user to put any name and email address as their identity, causing their email to appear to come from whomever they like (e.g., "Mike Harris", mike@gov.on.ca). This violates NCF's accountability policy.

It is technically possible to overwrite what the user specifies in their mail program, as their email passes through NCF from their PPP connection, forcing their outgoing email to have the return address associated with their NCF account, no matter what the user specifies.

At the moment, the system is overwriting the domain name only (probably to avoid overwriting a PFA). All email sent by NCF users goes out with a domain of 'freenet.carleton.ca' no matter what the user specifies in their PC-based email program. Thus if a user puts mike@ncf.ca or mike@gov.on.ca, the outgoing email will be overwritten as mike@freenet.carleton.ca.

The immediate issue is that people are annoyed that if they specify 'ncf.ca' as the domain, it is being changed to 'freenet.carleton.ca'. People seem to accept the principle of accountability but some don't like ncf.ca being changed to freenet.carleton.ca.

Alternatives I considered

1. Tighten the implementation so that email from a particular user can only have outgoing 'from' fields that are valid for that user account (e.g., xx999 or the user's PFA).
   Implementation cost unknown; benefits are desirable (policy is implemented).

2. Rather than forcing freenet.carleton.ca, allow any valid NCF domain. This would probably resolve the current complaints (but allows members to 'forge' email from other NCF users, eg., 'board@ncf.ca'). Implementation cost unknown; benefits are desirable (immediate complaints are resolved but policy is half-implemented).

3. Do not alter outgoing 'from' fields (do not enforce the accountability policy for email). Easy to implement; policy not implemented.

4. Do nothing. Puts into question the effectiveness of the organization in implementing policy. Policy is half-implemented.

Ian Allen has summarized the issue quite well in a post to the admin newsgroup. Dave Sutherland provided some historical background on board intentions. Finally, Andre Dalle provided an update on the issue with respect to the current technical infrastructure. (See Appendix).

Recommendation

That the NCF implement the policy that will allow users to specify any valid NCF domain in their From: header line, but that all From: headers include a valid userid or PFA.

I'm recommending this action because it satisfies the immediate complaints and maintains and reinforces the implementation of NCF's accountability policy.

Appendix

Posting by Ian Allen

> From: aa610@freenet.carleton.ca (Ian D. Allen)
> Newsgroups: ncf.admin,ncf.board.speakers-corner
> Subject: ncf.ca vs. freenet.carleton.ca : The History
> Date: Mon, 4 Feb 2002 06:39:11 +0000 (UTC)
>
> Here's some background on ncf.ca vs. freenet.carleton.ca, including
> how to remove the rewriting if you want to.
>
> The NCF text-mode mail program (BBmail) discards any attempt to use a
> custom "From:" line when sending email. This is (was?) intentional -
> one of the things you knew about an NCF email was that the person in
> the From: line was accurate. If you sent email from NCF, you were
> exactly who you appeared to be. The Board wanted it this way.
>
> With the introduction of PPP access, NCF no longer had control over the
> "From:" line. Users could submit anything they wanted using the mail
> programs on their home computers. Roy implemented a mail-header rewriting
> scheme on the firewall that regained control - mail originating from NCF,
> even via PPP, was rewritten to come from the real NCF userid, no matter
> what you entered on your home computer. Board policy was maintained.
>
> Sometime, years ago, in the course of some upgrading or troubleshooting,
> that rewriting scheme was turned off. I doubt the Board was informed.
> Since then, PPP users have been able to forge any name they please on
> outgoing email. With the change in Board personnel over the years,
> I doubt anyone noticed that the change in practice went against early
> Board wishes.
>
> An eventual consequence of this lack of enforced "From:" lines was that
> people started to expect that they could set their outgoing "From:"
> line to be anything they wanted, not realizing that this was a Board
> policy issue that had gotten lost over the years. The NCF mail system
> was not designed to permit arbitrary outgoing email addresses (it went
> against Board policy), so some of the mail implementation details became
> visible when the rewriting was turned off some years ago.
>
> One of the implementation details that became visible is the mapping of
> "ncf.ca" onto "freenet.carleton.ca" for outgoing email. The "sendmail"
> program that NCF uses to transmit outgoing (SMTP) email has a list of
> domains that get translated into "freenet.carleton.ca".
> This is the list (freenet1:/etc/mail/sendmail.cw):
>
>     freenet.carleton.ca freenet.ncf.carleton.ca freenet1.carleton.ca
>     freenet1.ncf.carleton.ca freenet2.carleton.ca freenet2.ncf.carleton.ca
>     freenet3.carleton.ca freenet3.ncf.carleton.ca freenet4.carleton.ca
>     freenet4.ncf.carleton.ca freenet5.carleton.ca freenet5.ncf.carleton.ca
>     freenet6.carleton.ca freenet6.ncf.carleton.ca freenet10.carleton.ca
>     freenet10.ncf.carleton.ca freenet-news.carleton.ca
>     mail.ncf.carleton.ca news.ncf.carleton.ca smtp.ncf.carleton.ca
>     www.ncf.carleton.ca ncf.carleton.ca ncf.ca www.ncf.ca
>
> You can see that if your "From:" line ends in "@ncf.ca", it will be
> translated to "freenet.carleton.ca". It's easy enough to turn this off,
> if the Board is happy with it and people want it turned off. Just copy
> the file that contains the above addresses and remove "ncf.ca" from
> the copy. (Don't remove it from the original file.)
>
> The old restrictive behaviour of the text-mode mail program is somewhat
> pointless now that any PPP user can pretend to be anyone they like.
> If the Board really doesn't care that anyone on NCF can forge their
> outgoing email address, this old restrictive code should be removed to
> give text-mode users an equal chance at it.
>
> I think, first, the Board needs to revisit its moribund policy that
> "all mail originating from NCF shall contain the real email address of
> the sender". Drop the policy or actually make it true.
> --
> -IAN! Ian! D. Allen Ottawa, Ontario, Canada idallen@ncf.ca
> Home Page on the Ottawa FreeNet: http://www.ncf.ca/~aa610/
> College professor at: http://www.algonquincollege.com/~alleni/
> Board Member, TeleCommunities CANADA http://www.tc.ca/

E-mail from Dave Sutherland

Nice to hear from you. I trust all is going well.

There are two issues raised here:

1. the intent of the policy to ensure that email could not be forged. This ends up saving a lot of trouble when people harass or spam.
   Ian is correct: the filtering for ppp users should be turned back on.

2. the mapping of @ncf.ca to @freenet.carleton.ca. I don't believe this was the intent of the board policy. If this is what people object to, I'd say follow Ian's advice.

Those are my thoughts, anyway.

E-mail from Andre Dalle

The left side of the address is another matter. The SMTP protocol provides no authentication so Sendmail does not know or care whether the email being sent is truly from "az999" or "Bill_Gates".

On the text side, we circumvent fraudulent addresses with the mail client software used. We simply feed Sendmail the correct information.

On the PPP side, we cannot do this so easily. We would have to catch email between the Sender, and the SMTP server and rewrite the headers manually. We used to have this in place for the Annex servers, but with the advent of RADIUS this will require some development to re-implement. This can be done at the Linux gateway.
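
The check the Recommendation describes, as it could run at the gateway mentioned in the last e-mail, is shown here as an added example (not NCF's code and not part of the original report). It assumes the gateway already knows which account submitted the message (for instance from the PPP session); the account table, the PFA value, the choice of accepted domains from the sendmail.cw list, and dropping the display name on rewrite are all assumptions.

```python
from email.utils import getaddresses

# Assumption: domains accepted in From:, a subset of the sendmail.cw list above.
NCF_DOMAINS = {"ncf.ca", "freenet.carleton.ca", "ncf.carleton.ca"}
CANONICAL_DOMAIN = "freenet.carleton.ca"

# Constructed account table: userid -> registered PFA (None if the account has none).
ACCOUNTS = {"xx999": "Pat.Example", "az999": None}


def enforce_from(header_value, userid, accounts=ACCOUNTS):
    """Check the From: value submitted by the authenticated account `userid`.

    Returns (header_to_send, rewritten). The header passes unchanged only if
    it holds exactly one mailbox whose local part is the userid or the
    account's PFA and whose domain is a valid NCF domain. Anything else is
    replaced by userid@CANONICAL_DOMAIN with no display name.
    """
    allowed_locals = {userid.lower()}
    if accounts.get(userid):
        allowed_locals.add(accounts[userid].lower())

    mailboxes = getaddresses([header_value])
    if len(mailboxes) == 1:  # a list of several mailboxes is never accepted
        local, _, domain = mailboxes[0][1].rpartition("@")
        if local.lower() in allowed_locals and domain.lower() in NCF_DOMAINS:
            return header_value, False
    return f"{userid}@{CANONICAL_DOMAIN}", True


if __name__ == "__main__":
    # Constructed submissions from account xx999.
    for submitted in (
        "xx999@ncf.ca",                      # userid, valid NCF domain: kept
        "Pat.Example@freenet.carleton.ca",   # PFA, valid NCF domain: kept
        '"Mike Harris" <mike@gov.on.ca>',    # foreign identity: rewritten
        "board@ncf.ca",                      # another NCF identity: rewritten
        "xx999@ncf.ca, board@ncf.ca",        # extra mailbox appended: rewritten
    ):
        print(f"{submitted!r:40} -> {enforce_from(submitted, 'xx999')}")
```

The "board@ncf.ca" case is the one alternative 2 leaves open: a domain-only check accepts it, while the userid-or-PFA check rewrites it.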