This post I’m going to talk briefly about the SMTP protocol, upon which all email “functionality” is built. I’ll also describe why the protocol is the way it is, and what that means in terms of spam.
Now, I’m not going to go into any great detail, and I’ll probably gloss over a good many things in the interest of brevity, but hopefully you’ll get the idea.
The SMTP protocol consists of three basic commands, MAIL FROM, RCPT TO and DATA. A client connects to a server, issues the MAIL FROM command to let the server know who the sender is, one (or more) RCPT TO to let it know the intended recipient(s) are and DATA to actually send the data. The problem is, who you specify in MAIL TO could be anyone – there is no way for the server to “verify” that you are who you say you are. The only extra piece of information the server gets the IP address you’re connecting to it from.
One of the great benefits of this protocol is simplicity. I can use telnet to send an email, and it works. In a completely trustworthy environment, it’s perfect. And there’s your problem – email was “invented” before the internet really existed, and between the universities where it was created, everybody was trustworthy (to an extent).
Today, of course, that’s not true at all. We cannot trust that the sender will put the correct address in the MAIL FROM field, and even if they do put a “valid” address in there, we can’t be sure they are who they say they are. Now, this may seem like a jump in reasoning, but I’m going to assert that it’s because we can’t verify the sender’s identity that spam exists. The problem is that for any given piece of email, it’s very hard to know whether we want to read it or not because the system is unable to detect whether it came from our friends or coworkers, or from “Shady Enterprises.”
Of course, we’ve tried many different things to actually combat these problems, and I’ll get into those next time. Basically, they all boil down to one of two “methods” for identifying the source of an email, which I’ll call “sender-passive” and “sender-active,” depending on whether specific actions (in addition to the normal MAIL FROM, RCPT TO and DATA commands) are required by the sender or not.