At 11:53 AM 9/17/2004 +0100, David Woodhouse wrote:
> Also there's the possibility of replay attacks. One possible answer is
> to merely declare that the likelihood of these is low and that we hence
> don't care -- the signed reverse-path is rarely made public since it's
> changed by mailing lists and generally omitted by mailing list archives.
There are other sources from which the signed reverse-path can be gotten. The
best example I can think of is that a Trojaned MUA would have access to signed
reverse-paths from all of the messages that the user had received.
If you do need to assume that the reverse-path addresses are somewhat private,
I wonder if it would be reasonable to just set the envelope-from on messages to
some specific address, like fenton12345@cisco.com, and just not
accept bounces to, for example, the 2822 "from" address. It doesn't allow for
the prevention of the bounce in the first place, but it's real simple to do.
The only thing that would be new is the ability to reject messages to certain
addresses based on a null 2821 mail-from, indicating a bounce.
I feel like I must be missing something here -- what is it?
-Jim
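As an added example (not code from Jim, David or anyone else in this thread), here is a per-recipient SMTP policy check that implements the proposal above: outgoing mail carries one designated envelope-from, and a message with a null reverse-path (a bounce) is accepted only when it is addressed to that designated address, never to an ordinary mailbox such as the 2822 From address. The domain, the mailbox names, the bounce-sink set and the function names are assumptions constructed for this example.

```python
"""Reject bounces (null reverse-path) addressed to anything other than a
designated bounce-receiving address.

Added example for the proposal in the thread above; not code from the
thread. Addresses, sets and function names below are constructed
assumptions for illustration.
"""
import re

# Constructed for this example: addresses used as the envelope-from on
# outgoing mail, so they are the only local addresses that should ever
# legitimately receive a bounce. postmaster is included because RFC 5321
# requires that mailbox to accept mail, including DSNs.
BOUNCE_SINKS = {"fenton12345@cisco.com", "postmaster@cisco.com"}

# Constructed: mailboxes that exist locally. fenton@cisco.com is the 2822
# From address; it is never used as envelope-from, so a bounce to it is
# by definition a bounce for mail we did not send.
LOCAL_MAILBOXES = {"fenton@cisco.com"} | BOUNCE_SINKS

_PATH_RE = re.compile(r"^<(.*)>$")


def parse_path(arg):
    """Parse the address argument of MAIL FROM / RCPT TO.

    '<>' yields None (the null reverse-path that marks a bounce);
    '<a@B.Example>' or 'a@B.Example' yields 'a@b.example' (domain
    lowercased; the local part is left as given, per RFC 5321).
    Raises ValueError on a malformed path.
    """
    arg = arg.strip()
    m = _PATH_RE.match(arg)
    if m:
        arg = m.group(1)
    if arg == "":
        return None
    local, sep, domain = arg.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed path: %r" % arg)
    return "%s@%s" % (local, domain.lower())


def rcpt_decision(mail_from, rcpt):
    """Policy applied at RCPT TO time; returns an SMTP (code, text) reply.

    mail_from is the parsed reverse-path (None for '<>'), rcpt the parsed
    recipient. A null reverse-path to a mailbox that is not a bounce sink
    is rejected, which is exactly the new capability the proposal needs.
    """
    if rcpt is None:
        return (501, "5.1.3 bad recipient address syntax")
    if rcpt not in LOCAL_MAILBOXES:
        return (550, "5.1.1 no such user")
    if mail_from is None and rcpt not in BOUNCE_SINKS:
        return (550, "5.7.1 this address does not accept bounces")
    return (250, "2.1.5 OK")


def process_envelope(commands):
    """Feed MAIL FROM / RCPT TO command lines through the policy and return
    one (code, text) reply per command, as a minimal SMTP server would.

    ESMTP parameters after the path (e.g. 'SIZE=1234') are ignored.
    """
    replies = []
    mail_from = None
    seen_mail = False
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        verb = verb.strip().upper()
        tokens = arg.split()
        path = tokens[0] if tokens else ""
        try:
            if verb == "MAIL FROM":
                mail_from = parse_path(path)
                seen_mail = True
                replies.append((250, "2.1.0 OK"))
            elif verb == "RCPT TO":
                if not seen_mail:
                    replies.append((503, "5.5.1 need MAIL command first"))
                else:
                    replies.append(rcpt_decision(mail_from, parse_path(path)))
            else:
                replies.append((500, "5.5.2 unrecognized command"))
        except ValueError:
            replies.append((501, "5.1.3 bad address syntax"))
    return replies


if __name__ == "__main__":
    # Constructed sample session: a forged bounce to the 2822 From address
    # followed by a legitimate bounce to the designated envelope-from.
    session = ["MAIL FROM:<>",
               "RCPT TO:<fenton@cisco.com>",
               "RCPT TO:<fenton12345@cisco.com>"]
    for cmd, (code, text) in zip(session, process_envelope(session)):
        print("%-35s -> %d %s" % (cmd, code, text))
```

The check fires only on a null reverse-path, which is the signal Jim proposes; a notification sent with a non-null MAIL FROM is not touched, and, as the message itself notes, nothing here stops the remote site from generating the bounce, it just keeps the forged ones out of the user's mailbox.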