ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] MAC Constructed Message Ids.

2003-04-06 19:36:00
from [Hallam-Baker, Phillip] [Permanent Link] 


Filtering returning bounces based on Message-ID requires 

that the MX

keep a DB of known-valid IDs.  This is a non-trivial expense.


No it does not.

Let the MUA choose a random value X, store it in a place that
is persistent.

Each time a MessageID is constructed the following algorithm 
is used:

stem = date + serial + '@'
checksum = MAC (stem, X)
ID = stem + base32 (checksum)

We thus end up with an id that is guaranteed unique (to a much 
higher degree of confidence than ordinary IDs, especially the
ones my behind 3 NATs MUA constructs). It also leaks a lot less
info than the recommended construction with the domain name
which these days looks to me like a privacy bug.

It also has the property that anyone who knows X can check that
the message ID was in fact generated by the client.


So basically simple rules for whitelisting could be something 
like:

        Accept if the reply-to has a message-ID you sent
        Accept if one of the references has a message-ID you sent
        otherwise filter through spamfilter

Bounces are a special case since it would be nice if we could
create a construction so that we could reject mail bounces
from malfunctioning MTAs that are bouncing to the original
author of a message on a mailing list.


If we combine with authentication we could automatically 
white, better greylist by domain.

Score    Message that is

100pts - a direct reply-to one you sent
 80pts - a reference to one you sent
 50pts - from someone you got a reply from in the past
 30pts - same domain as someone you got a reply from

+40pts if IP address authentication
+60pts if Certificate authentication

[Can tune these via minimum least square optimization]


Another thing you can do with this is to automatically 
file lists using the opt-in message reply-to.

So imagine this, you get an email of the opt-in variety,
you reply to it and when the mail comes from that list
it is automatically filled in a folder just for that
list.

This can be done quite easily if you can recognize an
opt-in challenge, easily done with a custom header. It
should not cause any intrusive GUI interaction since it
could be spam until responded to affirmatively.

From then on you filter on the basis of the List: headers.

        phill
 
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Relay honeypots (RE: [Asrg] define spam), Brad Spencer
Next by Date:  Re: [Asrg] Whitelisting on Message-ID (Was Turing Test ...) honypot plug, Brad Spencer
Previous by Thread:  RE: [Asrg] Whitelisting on Message-ID (Was Turing Test ...), Hallam-Baker, Phillip
Next by Thread:  Re: [Asrg] MAC Constructed Message Ids., J C Lawrence
Indexes:  [Date] [Thread] [Top] [All Lists]