Seth responded thus:
for a sufficiently large ISP (think AOL, or a cable modem business),
keeping track of the tuples of <sender, recipient> for any length of time
will require a _substantial_ database infrastructure.
> Under 1K of data. Remembering stuff is doing it the hard way. Create
> the lhs of the Message-ID signed with a private key that changes
> daily. If the "response" doesn't have one you could have generated
> recently, it's bogus.
Just to clarify, you should use here a MAC (Message authentication code,
e.g. HMAC), not a public-private key signature scheme (e.g. RSA), to
ensure validation is efficient. I am sure this is what Seth meant but I
thought clarifying can't hurt.
Of course, as others noted, this does not help if the original message
went through a different MTA (e.g. road warrior, home vs. office), unless
done by the client sw itself.
Best, Amir Herzberg
Asrg mailing list
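
The scheme discussed in this message, sketched as an added example (not code from the thread or its participants): the sending MTA puts an HMAC tag in the left-hand side of the Message-ID, and a later bounce or reply is accepted only if the Message-ID it cites verifies under a recent day's key. The ID layout `day.nonce.tag`, deriving each day's key from one master secret, the 7-day window and all names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MASTER_SECRET = b"constructed-demo-secret"  # constructed value; keep the real one in protected storage
MAX_AGE_DAYS = 7   # assumption: how long a legitimate bounce may lag the original
TAG_HEX = 20       # assumption: tag truncated to 80 bits to keep the ID short

def _day_key(day: int) -> bytes:
    # The key "changes daily": each day's key is derived from the master secret,
    # so the MTA stores one secret and no per-message state.
    return hmac.new(MASTER_SECRET, b"msgid-day:%d" % day, hashlib.sha256).digest()

def _tag(day: int, nonce: str, domain: str) -> str:
    msg = f"{day}.{nonce}@{domain}".encode()
    return hmac.new(_day_key(day), msg, hashlib.sha256).hexdigest()[:TAG_HEX]

def make_message_id(domain: str, now: float) -> str:
    """Build <day.nonce.tag@domain> for an outgoing message."""
    day = int(now // 86400)
    nonce = secrets.token_hex(8)  # keeps Message-IDs unique within a day
    return f"<{day}.{nonce}.{_tag(day, nonce, domain)}@{domain}>"

def is_ours(message_id: str, now: float) -> bool:
    """True if the ID cited by a bounce is one this MTA could have issued recently."""
    try:
        lhs, domain = message_id.strip().strip("<>").rsplit("@", 1)
        day_s, nonce, tag = lhs.split(".")
        day = int(day_s)
    except ValueError:
        return False  # not in our format at all
    age = int(now // 86400) - day
    if not 0 <= age <= MAX_AGE_DAYS:
        return False  # too old, or dated in the future
    expected = _tag(day, nonce, domain)
    # Constant-time comparison avoids leaking how many tag characters matched.
    return hmac.compare_digest(tag.encode(), expected.encode())
```

Verification costs one key derivation and one HMAC per message, which is the efficiency point made above; as also noted above, it only recognises messages that left through an MTA holding the secret.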