ietf-asrg

Re: [Asrg] Lets Fix Mailing Lists

2003-03-08 20:23:46
From: "Mark Delany" <tcrcn-6ugsc(_at_)qmda(_dot_)emu(_dot_)st>

...
This could be as simple as a new header field that tells the MUA to
generate a unique token - let's call it a confirmation token - as part
of the confirmation reply. Heck, even the Message-ID might do.
...

The one down side is that all mailing lists have to send individual
mails to each recipient and we all know what sort of red flag that is
to some bulls.
...

If you are willing to use some trivial crypto, you don't need to suffer
that hassle.  All that the target's MUA or MTA needs to do is recognize
or authenticate traffic from the mailing list.  For that it does not
need unique-per-target tokens.  Simple public key signatures using
a public key conveyed in the initial subscription confirmation would do.  

If you believe as I do that the reason genuine mail forgery (as opposed
to using a legitimately owned Hotmail dropbox) fell off dramatically
a year or three ago is related to the laws criminalizing header forgery,
then you don't need any crypto.  Simply have the MUA or MTA choose
and record a suitable RFC 2369 List-whatever header from the confirmation
message.

Consider the common claims about spammers forging headers.  When was
the last time you saw spam supposedly from CERT?  Don't you think that
if spammers were willing to forge headers to get around simple
whitelists, at least some would use that envelope or header From value?


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
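
The no-crypto variant described in the message above, as an added example that is not part of the original post or of any list software: a recipient-side whitelist that records one RFC 2369 List-* URL from the subscription confirmation and later accepts only mail carrying that same URL in the same field. The class name, the field preference order and the sample messages are assumptions; as the message itself accepts, this check does nothing against a sender who forges the header.

```python
import re
from email import message_from_string

# RFC 2369 fields, in the order this sketch prefers when choosing one to pin.
RFC2369_FIELDS = ("List-Post", "List-Unsubscribe", "List-Help",
                  "List-Subscribe", "List-Owner", "List-Archive")
_URL = re.compile(r"<\s*([^<>\s]+)\s*>")

def list_urls(msg, field):
    """Angle-bracketed URLs in every occurrence of one List-* field."""
    return [u for value in msg.get_all(field, []) for u in _URL.findall(value)]

class ListWhitelist:
    """Hypothetical recipient-side store of pinned (field, URL) pairs."""
    def __init__(self):
        self.pins = set()

    def record_confirmation(self, raw):
        """Pin the first usable List-* URL of a confirmation the user accepted."""
        msg = message_from_string(raw)
        for field in RFC2369_FIELDS:
            urls = list_urls(msg, field)
            if urls:
                pin = (field.lower(), urls[0])
                self.pins.add(pin)
                return pin
        return None  # nothing to pin: the list sends no RFC 2369 headers

    def is_list_traffic(self, raw):
        """True if the message carries a pinned URL in the same field."""
        msg = message_from_string(raw)
        return any(url in list_urls(msg, field) for field, url in self.pins)

# Constructed sample messages (example.org / example.net are placeholders).
CONFIRMATION = ("From: example-list-request@lists.example.org\n"
                "Subject: confirm subscription\n"
                "List-Post: <mailto:example-list@lists.example.org>\n"
                "\nReply to confirm.\n")
LIST_MAIL = ("From: poster@example.net\n"
             "List-Unsubscribe: <mailto:example-list-request@lists.example.org>,\n"
             " <https://lists.example.org/unsub>\n"
             "List-Post: <mailto:example-list@lists.example.org>\n"
             "\nA list posting.\n")
OTHER_MAIL = ("From: bulk@example.net\n"
              "List-Post: <mailto:offers@bulk.example.net>\n"
              "\nNot from the subscribed list.\n")

if __name__ == "__main__":
    wl = ListWhitelist()
    print(wl.record_confirmation(CONFIRMATION))
    print(wl.is_list_traffic(LIST_MAIL), wl.is_list_traffic(OTHER_MAIL))
```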