Information Is Leaking Out When Email Is Sent Across the Internet

You face two separate problems when sending emails via the Internet. The most well-known problem involves the unencrypted nature of SMTP. The other problem is probably as big and ugly: identity spoofing, or hijacking, as shown in Figure 30.2.

Figure 30.2. SMTP incorporates two problems: identity spoofing and clear-text messages

So now we have two problems to solve:

• Reading of unencrypted emails: By simply collecting IP packets, anybody with the right tools can capture a complete SMTP session and easily read the plain ASCII information. The attachment will have to be converted from MIME-encoded format to its native file format, but this is an easy task with so many tools available. Quite often, the local email client can handle the conversion task.

• Identity spoofing or hijacking: It's also rather easy to send an email on behalf of somebody else. Just use your own SMTP server and add another Internet domain. Many recipients' sites will accept these kind of emails. In a world where more and more transactions and information exchanges are conducted via Internet email, it's spooky to realize how simple it is to hijack somebody's email identity.

Surprisingly, as shown in the next section, there are several ways to tackle the first problem, but these are more or less worthless if you don't tackle the much-more-difficult second problem.