On Tue, Feb 03, 2004 at 07:34:32AM -0500, Hector Santos wrote:
>> So, if you do this, message IDs need to become harder to spoof than TCP
>> sequence numbers. Or need to be signed with the sending server's key.
>
> People are not going to spoof message-id, well, I don't see a reason for it
> because you can already create unique ids.

They will for DoS reasons. If I can make your mail server think that every
message it's going to see for the next 24 hours is a duplicate, don't you
think if I was Very Evil (tm), I might try?

> This is OLD and PROVEN technology Paul. Just because it wasn't done in the
> "Internet Email" does not mean it was ever discovered in other forms of
> "netmail", designed, debated and implemented successfully. :-)

I'm not disputing that. I'm just saying that in the context of modern DoS
and security policies, extra care needs to be taken that Very Evil people
are not able to spoof the message ids as part of a DoS attack.

> The point is, you still design the home with doors and windows and the
> potential to lock them. How people live in them is another issue,
> non-technical in nature.

Absolutely. It is often said that you can't please all of the people all of
the time. With mail-ng, we have to try. :-)
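
Added example, not part of the original message: a duplicate-suppression cache keyed on bare message IDs next to one that only admits IDs carrying a valid tag from the sending host's key. HMAC with a shared per-host key stands in for the signature the thread mentions; the host name, key, ID layout and function names are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed demo key. HMAC with a shared secret stands in for a signature
# made with the sending server's key (assumption, not from the thread).
SENDER_KEYS = {"mx.example.org": b"constructed-demo-key"}

def _tag(key, local, host):
    return hmac.new(key, f"{local}@{host}".encode(), hashlib.sha256).hexdigest()[:32]

def make_id(host, local, key):
    """Sender side: hypothetical ID layout <local>.<tag>@<host>."""
    return f"{local}.{_tag(key, local, host)}@{host}"

def verify_id(msg_id):
    """Receiver side: True only if the tag matches the claimed host's key."""
    try:
        left, host = msg_id.rsplit("@", 1)
        local, tag = left.rsplit(".", 1)
    except ValueError:
        return False  # no host part or no tag at all
    key = SENDER_KEYS.get(host)
    if key is None:
        return False  # unknown sender: nothing to verify against
    return hmac.compare_digest(tag.encode(), _tag(key, local, host).encode())

class DedupCache:
    def __init__(self, require_tag):
        self.require_tag = require_tag
        self.seen = set()

    def accept(self, msg_id):
        """Return 'deliver', 'duplicate' or 'reject'."""
        if self.require_tag and not verify_id(msg_id):
            return "reject"  # unauthenticated IDs never enter the cache
        if msg_id in self.seen:
            return "duplicate"
        self.seen.add(msg_id)
        return "deliver"

def demo():
    host, key = "mx.example.org", SENDER_KEYS["mx.example.org"]
    naive, checked = DedupCache(False), DedupCache(True)
    guessed = f"1001@{host}"               # predictable counter-style ID
    naive.accept(guessed)                  # a third party registers it first
    genuine_naive = naive.accept(guessed)  # the real message is now dropped
    forged_checked = checked.accept(guessed)
    real = make_id(host, "1001", key)
    return genuine_naive, forged_checked, checked.accept(real), checked.accept(real)
```

The tag here covers only the ID, not the message body, so it addresses guessing an ID in advance and nothing else.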