On Fri, 4 Jun 2005, John Levine wrote:
>> This is exactly the problem with SES and why I told them it's not workable
>> large-scale, although otherwise it's good idea.
>> BTW - the same is also true for BATV (in fact the technologies are really
>> identical except SES allows for public dns verification server and BATV
>> it's all private).
> BATV doesn't require the sending host to remember anything about
> messages it's sent. It uses signatures.
So does SES. But what happens is that if you just encrypt bounce address
this is visible on the net and the address can be reused (replay attack).
The partial solution to that is to include timestamp and change keys
often, but that does not eliminate it - just makes it more difficult to
Another approach is to include message body in signature hash. But that
means that to validate the signature you must have original message body
as well. The problem is that unfortunately when bounce is received back
it does not always include original message and when it does it can be
mangled or it could have been changed in transmission before it is
bounced or more likely the mail server doing bouncing is responsible
when it adds its own comments or when it removes some attachment, etc.
So in the end you're left with option of using message body to create
unique bounce-address signature at the time email is sent but also have
to keep that signature in your database to be able to validate it. So
why bother with cryptography then? It might as well be that you create
long random number (alphanumeric random) and use that for each bounce
address and keep that in database.
Asrg mailing list
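
The trade-off discussed in this message, as an added example that is not part of the original post and does not reproduce the actual SES or BATV tag formats: a stateless, timestamped HMAC tag validates every time it is presented until it expires, while a random per-message token kept in a database can be accepted exactly once. The tag layout, key, window length, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"   # assumption: per-domain signing secret
WINDOW_DAYS = 7                 # assumption: lifetime of a signed tag

def _mac(expiry, mailbox, key):
    msg = f"{expiry}:{mailbox}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

def sign(local, domain, day, key=KEY):
    """Stateless tag: HMAC over the expiry day and the original address."""
    expiry = day + WINDOW_DAYS
    mailbox = f"{local}@{domain}"
    return f"sig={expiry}-{_mac(expiry, mailbox, key)}={mailbox}"

def verify(addr, today, key=KEY):
    """Accept if the MAC matches and the tag is unexpired; no memory of prior use."""
    if not addr.startswith("sig="):
        return False
    try:
        tag, mailbox = addr[4:].split("=", 1)
        expiry_s, mac = tag.split("-", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(expiry, mailbox, key)) and today <= expiry

class TokenStore:
    """Stateful alternative: one random token per message, kept until redeemed."""
    def __init__(self):
        self.pending = {}

    def issue(self, local, domain):
        token = secrets.token_urlsafe(16)      # never contains '='
        self.pending[token] = f"{local}@{domain}"
        return f"tok={token}={local}@{domain}"

    def redeem(self, addr):
        if not addr.startswith("tok="):
            return False
        token, _, mailbox = addr[4:].partition("=")
        # pop() removes the token, so a second presentation is rejected
        return self.pending.pop(token, None) == mailbox
```
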