At 02:13 10-10-2008, Charles Lindsey wrote:
> Which suggests a much simpler answer to the whole problem. The authserv-id
> is chosen by the MTA. So you simply state that the authserv-id MUST NOT be
> the domain name of the MTA as obtainable from the (any) MX record, or be
> easily derivable from it. That is not to say it may not contain that
> domain name, but it must also include some other "magic word" which could
> not be guessed by the Bad Guys, but which could be hidden in the
> documentation provided by that MTA to its end users.
The "Bad Guys" could easily find out the authserv-id as a person can
set up an account on the receiving domain to figure it out.
> Bear in mind that phishers are in the business of emailing their scams by
> the million, addressed to random recipients culled from a variety of
> sources, thus making it totally unprofitable to do the necessary research
> to discover the "magic word" for other than a small proportion of them.
There's a new business opportunity to sell "magic words". :-) Your
suggestion of using "magic words" might only be beneficial for
domains with a small number of mailboxes.
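The forged-authserv-id problem argued about above has a mitigation that does not depend on the identifier being secret, and the example below (added here, not part of the thread) shows it: the border MTA removes every inbound Authentication-Results header that claims the local authserv-id before adding its own, so a guessed "mx.example.com" buys the phisher nothing. The hostnames, sample headers and verdicts are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (field name, field body)

# authserv-id is the first token of the field body, optionally followed by a
# version number, and terminated by ';' (Authentication-Results syntax).
_AUTHSERV_RE = re.compile(r"^\s*([^\s;]+)\s*(?:\d+\s*)?;")


def authserv_id(body: str) -> Optional[str]:
    """Return the (lower-cased) authserv-id an Authentication-Results body claims."""
    m = _AUTHSERV_RE.match(body)
    return m.group(1).lower() if m else None


def strip_foreign_claims(headers: List[Header], local_id: str) -> List[Header]:
    """Border-MTA step: drop every inbound Authentication-Results header that
    claims OUR authserv-id. Nothing arriving from outside may speak as us,
    so this holds even when the authserv-id is trivially guessable."""
    return [
        (name, body) for name, body in headers
        if not (name.lower() == "authentication-results"
                and authserv_id(body) == local_id.lower())
    ]


def trusted_results(headers: List[Header], local_id: str) -> List[str]:
    """Downstream consumer (filter/MUA): trust only headers bearing our id."""
    return [body for name, body in headers
            if name.lower() == "authentication-results"
            and authserv_id(body) == local_id.lower()]


# Constructed sample: a message arriving at mx.example.com that pre-loads a
# header claiming example.com's own authserv-id (guessable from its MX record).
INBOUND = [
    ("From", "security@bank.example"),
    ("Authentication-Results",
     "mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example"),
    ("Authentication-Results", "mail.other.example 1; dkim=fail header.d=bank.example"),
    ("Subject", "Urgent account verification"),
]
# The verdict the border MTA itself reaches for this message (also constructed).
OUR_VERDICT = ("Authentication-Results", "mx.example.com; dkim=fail header.d=bank.example")


def process_at_border(headers: List[Header], local_id: str) -> List[Header]:
    """Strip foreign claims first, then prepend our own genuine result."""
    return [OUR_VERDICT] + strip_foreign_claims(headers, local_id)
```

Without the stripping step, `trusted_results(INBOUND, "mx.example.com")` returns the attacker's "dkim=pass" header; after `process_at_border` only the MTA's own "dkim=fail" verdict survives.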