Peter Bowditch's Web Site
That's not how email works!
November 20, 2014
I recently spent time in a large public library which provides a free Wi-Fi service for people bringing their own computers or smartphones. This is totally separate, or should be, from the computers provided by the library for use by visitors. There is no reason to suggest that anybody using the Wi-Fi service has any access to the internal network or computers in the rest of the library; in fact, no IT department with any concept of security whatever would configure its system that way. One of the things I did during the day caused someone to send me an email which required immediate attention, but when I tried to collect the email I found that I could not access my mail server. Using my mobile phone as a Wi-Fi hotspot I was able to download my mail without a problem, demonstrating that the problem was with the Wi-Fi connection in the library, not with the configuration of my computer or the email server at the other end.
I sent the email below to the generic email address of the library, obtained from their website. For reasons explained below I had to use the phone hotspot to send a message, and this would have applied even if I had been able to download my mail through the Wi-Fi network.
Am I correct in assuming that collection of POP3 email is blocked on free WiFi in the library? I needed to collect an email and had to use my phone as a hotspot. If it is blocked it is a little bizarre, because web-based systems like Outlook.com still work.
About six days later I received an email from the library with the advice and response they had received from their internal IT department.
"The public XXXXXX wifi only allows http(80) and https(443) due to security policy. Web-based email will work because it uses http/https. The reason we block POP3 is we don't want any unwanted threat (e.g. virus) to come to the library network. As for the web-based email, any potential threat will actually be staying at the web server end which is outlook.com in the given example."
Leaving aside the poor use of English, this reply shows ignorance of both how Internet email systems work and how web browsers work. My experience over the years with many such departments, and also with external IT support organisations, shows that such ignorance is quite common.
First, a little information about how the Internet email system works. (Note: I am not talking here about corporate installations where mail is managed by an internal mail server such as Microsoft Exchange. This is about how the majority of us collect our mail from our Internet service providers.) To collect mail, your mail client program (Outlook, Pegasus Mail, Thunderbird, ...) logs into what is called a POP3 server using a username and password unique to the user. As all mail addressed to me comes to one of three domains, I use the POP3 servers at mail.peterbowditch.com, mail.ausrally.com and mail.ratbags.com. These were the ones that I could not access through the library's Wi-Fi network. (The specification for POP3 is RFC 1939, which you can also find by searching for "pop3 rfc".) The protocol manages the connection to the server, the collection and downloading of mail, and the deletion of mail from the server once it has been downloaded.
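As an added illustration of the POP3 session just described (example code written for this page, not something from the original post or from any real mail server), here is a scripted RFC 1939 responder and a client that run one complete collection over a local socket pair. The mailbox contents, the user name and the password are constructed for the demo; the one non-obvious protocol detail shown is the byte-stuffing of lines that begin with a period.

```python
import socket
import threading
# Constructed sample mailbox for the scripted server (not a real mailbox).
MAILBOX = [b"From: a@example.org\r\nSubject: hi\r\n\r\nline one\r\n.line with a leading dot\r\n"]

def fake_pop3_server(conn):                                  # scripted RFC 1939 responder
    rfile, deleted = conn.makefile("rb"), set()
    conn.sendall(b"+OK demo POP3 ready\r\n")
    for line in rfile:                                       # ends at EOF after QUIT
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if cmd == b"STAT":                                   # count and size of undeleted mail
            live = [m for i, m in enumerate(MAILBOX) if i not in deleted]
            conn.sendall(b"+OK %d %d\r\n" % (len(live), sum(map(len, live))))
        elif cmd == b"RETR":                                 # multi-line reply, byte-stuffed:
            msg = MAILBOX[int(arg) - 1]                      # a '.' starting a line is doubled
            stuffed = b"".join((b"." if l.startswith(b".") else b"") + l for l in msg.splitlines(True))
            conn.sendall(b"+OK %d octets\r\n" % len(msg) + stuffed + b".\r\n")
        elif cmd == b"DELE":
            deleted.add(int(arg) - 1)                        # marked; QUIT commits the deletion
            conn.sendall(b"+OK\r\n")
        else:
            conn.sendall(b"+OK\r\n" if cmd in (b"USER", b"PASS", b"QUIT") else b"-ERR unsupported\r\n")
    conn.close()

def collect_mail(user=b"peter", password=b"secret"):
    """One client session: greeting, USER/PASS, STAT, RETR then DELE each message, QUIT."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_pop3_server, args=(server,), daemon=True).start()
    rfile = client.makefile("rb")
    def cmd(*parts):                                         # send a command (if any), read +OK/-ERR
        if parts:
            client.sendall(b" ".join(parts) + b"\r\n")
        line = rfile.readline()
        if not line.startswith(b"+OK"):
            raise RuntimeError(line.decode(errors="replace").strip())
        return line[3:].strip()
    cmd()                                                    # server greeting
    cmd(b"USER", user)
    cmd(b"PASS", password)                                   # sent in clear on plain port 110
    count = int(cmd(b"STAT").split()[0])
    messages = []
    for i in range(1, count + 1):
        cmd(b"RETR", str(i).encode())
        body = iter(rfile.readline, b".\r\n")               # read until the lone '.'
        messages.append(b"".join(l[1:] if l.startswith(b".") else l for l in body))
        cmd(b"DELE", str(i).encode())
    after = tuple(int(x) for x in cmd(b"STAT").split())      # nothing left to collect
    cmd(b"QUIT")
    client.close()
    return messages, after
```

Every byte of the message ends up on the client, which is the whole point of the protocol; on a real network the USER/PASS exchange also travels in clear text unless the session is wrapped in TLS (POP3S on port 995, or the STLS command), which matters far more on a shared Wi-Fi network than anything the library was worried about.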
Email can be sent by logging into one of these servers using a username and password, but the most common method is to use a mail server provided by the Internet service provider you are currently connected through; because you have already had to identify yourself to connect, you don't need to log in again. I have three mobile broadband accounts which are used for different purposes at different times, so when sending mail I use the servers at smtp.vodafone.net.au, mail.optusnet.com.au, or mail.bigpond.com (tablet, mobile phone and Wi-Fi hotspot respectively). I didn't expect to be able to send email through the library's Wi-Fi network and I didn't even try.
Unless the people configuring the network in the library were so incompetent that they used a shared router for all forms of Internet access, there is no possibility that a virus could get into the network by someone collecting POP3 email on a private computer from their own mail server. The message being downloaded would not be stored anywhere on the library network for any purpose, except perhaps for an instant in a proxy server which should be used exclusively for the free Wi-Fi service. The fact that the IT department feels that there is some severe risk here indicates that they either have no idea how email works or are aware that shortcuts have been taken in configuring the network that expose it to risk. In the real world the only risk of viruses from email is to the computer downloading the mail, and even if that happens (and I have three levels of virus protection) there is no way that virus can get to any computer on the library's network except by deliberate sabotage: it would require someone to copy the virus onto a USB stick, book a library computer (which can only be done by someone holding a library card, which requires photo identification to obtain), and then copy the virus onto the library computer. The sort of person who would do this sort of vandalism is probably not going to download the virus in the library anyway.
In the reply the IT people say that they don't block web-based email because the action happens somewhere else. If you open an email message in Gmail, Outlook.com, Yahoo!, Hotmail, or any other web-based system, the email is downloaded into your browser, because that is the way HTTP/HTTPS works. (The only real difference is that POP3 downloads all messages in the inbox, whereas a web email program only downloads messages as they are read.) Saying "any potential threat will actually be staying at the web server end" shows that the speaker is completely and totally ignorant of the way the World Wide Web works. An email message at a web-based email server is just another web page, and can only be processed and read by a human once it has been downloaded and decoded. It is worth noting that web-based email systems can generally collect email from POP3 inboxes, so blocking direct POP3 access with a mail client program while allowing a service like Outlook.com or Gmail to deliver the same mail makes even less sense.
So, in summary, the IT people at this library block access to a facility which carries virtually no risk whatsoever to their system but allow free access to websites where people can download email with malicious attachments. I mentioned above that any risk of viruses in these particular circumstances would have been confined to my own computer, but the irony is that by allowing access to web-based email servers on the library's own computers they are in fact exposing those computers to the risk of people downloading viruses.
I considered giving a lecture to the IT people at the library explaining to them why the response to me had been quite silly, but I want to go there on future occasions and one day I might have a real problem, and I don't want to be flagged as the person who tried to tell them how to do their jobs. I was once placed on an "always assign the lowest priority to this clown" list by the tech support department of a large organisation for telling them how to do something which they claimed to be impossible, so I have been burnt before, but that's a story for another day.
Copyright © 1998- Peter Bowditch