ietf-822
[Top] [All Lists]

Re: a header authentication scheme

2004-10-21 04:22:21

I guess I wasn't clear. Sorry. Let me try again.

1. Quoting the time isn't good. If I'm allowed 150 tries and can bounce some mail off your server to read the bounce messages, I can guess when you'll process a message.

2. Quoting the "with" ID may provide protection, depending on whether the ID is guessable.

3. A receiver can make its IDs less guessable. A few bytes of randomness are easily obtained. (A receiver cannot easily make the time of day more difficult to predict.)

4. Most MTA authors seem eager to implement anything that helps against spam.

Conclusion. Quoting the "with" ID is good, and the MTAs that currently have guessable IDs will change that quickly if spammers ever exploit it.

(In a different message, someone mentioned that there's no reason to allow such processing before the last hop. There is, IMO: It's too difficult to do otherwise. For example, suppose teamx(_at_)example(_dot_)com is an alias for local user Alice and remote user bob(_at_)beispiel(_dot_)de(_dot_) For mail to teamx(_at_)example(_dot_)com, the example.com MTA is last hop for one user, not for the other.)

Arnt