On 17/11/2011 23:27, Seth wrote:
Christian Grunfeld<christian(_dot_)grunfeld(_at_)gmail(_dot_)com> wrote:
Sorry, I meant both of them! You are obviously going to get the
validation from the evil domain but you also need one from the phished
domain. The last one is only true if the mail was sent by paypal.com.
No, it's true only if _any_ message was sent by paypal.com with that
Message-ID. Copying a Message-ID isn't difficult, nor is getting
legitimate mail from paypal.
So, you put the message-id AND recipient in the source's database
If an evil spammer/phisher gets Paypal to send him a message, then reuses
that message-id in their own outgoing messages, it would work with the
original idea, but if you add the recipient to the data, you defeat that.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
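The replay the thread describes, as an added example that is not part of the original message or of any ASRG proposal. It models the sender-side registry as an in-memory set: with the original idea the key is (domain, Message-ID); with the fix it is (domain, Message-ID, recipient). The registry API, the addresses and the Message-ID values are assumptions constructed for illustration, not real PayPal mail.

```python
"""Added example, not from the ASRG thread: a toy model of the
Message-ID registry the thread discusses.  The registry API, the
domains and addresses, and the Message-IDs are all constructed for
illustration and are not a real protocol or real PayPal mail."""
from email import message_from_string
from email.utils import parseaddr


class MessageIdRegistry:
    """Registry of Message-IDs a sending domain has actually emitted.

    bind_recipient=False models the original idea (key = domain + Message-ID);
    bind_recipient=True models the fix (key = domain + Message-ID + recipient).
    """

    def __init__(self, bind_recipient):
        self.bind_recipient = bind_recipient
        self._sent = set()

    def _key(self, domain, message_id, rcpt):
        key = (domain.lower(), message_id.strip())
        if self.bind_recipient:
            key += (rcpt.lower(),)
        return key

    def record_outbound(self, domain, message_id, rcpt):
        """Called by the sending domain's MTA for every message it sends."""
        self._sent.add(self._key(domain, message_id, rcpt))

    def validate(self, domain, message_id, rcpt):
        """Called by a receiving MTA; True means the sender vouches for it."""
        return self._key(domain, message_id, rcpt) in self._sent


def sender_domain(msg):
    """Domain of the From: header (the domain whose registry is consulted)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2]


def receiver_check(registry, raw_message, envelope_rcpt):
    """Receiving side: bind the lookup to the envelope RCPT TO address,
    not to the To: header, which the phisher controls."""
    msg = message_from_string(raw_message)
    return registry.validate(sender_domain(msg), msg.get("Message-ID", ""), envelope_rcpt)


# Constructed sample: a legitimate paypal.com message the phisher obtained
# by getting PayPal to mail his own account.
LEGIT_TO_PHISHER = """\
From: PayPal <service@paypal.com>
To: phisher@evil.example
Subject: Your receipt
Message-ID: <20111117232700.12345@paypal.com>

Thanks for your payment.
"""

# Constructed sample: the phisher's replay.  Same From: and Message-ID,
# new recipient and body.
REPLAYED_TO_VICTIM = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Verify your account
Message-ID: <20111117232700.12345@paypal.com>

Please log in at the link below.
"""


def run_scenario(bind_recipient):
    """Return whether the legit message and the replay pass validation."""
    registry = MessageIdRegistry(bind_recipient)
    legit = message_from_string(LEGIT_TO_PHISHER)
    # paypal.com records only what it really sent: one message, to the phisher.
    registry.record_outbound("paypal.com", legit["Message-ID"], "phisher@evil.example")
    return {
        "legit_accepted": receiver_check(registry, LEGIT_TO_PHISHER, "phisher@evil.example"),
        "replay_accepted": receiver_check(registry, REPLAYED_TO_VICTIM, "victim@example.net"),
    }


if __name__ == "__main__":
    print("Message-ID only:       ", run_scenario(False))  # replay accepted
    print("Message-ID + recipient:", run_scenario(True))   # replay rejected
```

The receiver must key the lookup on the envelope recipient it actually accepted mail for, not on the To: header, since the phisher writes the headers; the registry, on the other hand, only ever contains the recipient PayPal really sent to, so the replayed copy addressed to the victim finds no match once the recipient is part of the key.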