"Dave" == Dave Crocker <dhc(_at_)dcrocker(_dot_)net> writes:
Dave> On Tue, 11 Jan 2005 20:01:56 -0500, Sam Hartman wrote:
>> I understand you can get headers to replay. It seems
>> that defining a largish replay window (say 30 days) and
>> keeping enough information to uniquely identify a message
>> from this replay window is an option worth considering.
Dave> serious spammers work within windows measured in hours or,
Dave> at most, relatively few days.

Sure, but presumably spammers would be willing to go grab a message
from 20 days ago in a mailing list archive.

Here's a rough algorithm:

1) If the date stamp you're using is outside your replay window,
consider the message suspicious. This date stamp could come from
the date: header, some header associated with the signature, etc.
It's important to pick; there are a lot of tradeoffs involved in
picking it.

2) If the date stamp you are using is inside your replay window, check to see
if you have seen the message before. If so, consider it suspicious.

3) Check the signature. If the signature check fails, consider the
message suspicious; otherwise add it to your replay list.

--Sam
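
The three steps above as an added sketch (not code from this thread or from any signing proposal). Assumptions: HMAC-SHA256 stands in for the real signature scheme, the chosen date stamp is covered by the signature, a message is identified by a hash of its signature value, and a stamp further in the future than the window also counts as outside it.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

REPLAY_WINDOW = timedelta(days=30)  # the "largish" window suggested in the message
KEY = b"constructed-demo-key"       # constructed; stands in for the signer's key


def sign(body: bytes, stamp: datetime) -> bytes:
    """Stand-in signature (assumption): HMAC over the date stamp and the body."""
    msg = stamp.isoformat().encode() + b"\n" + body
    return hmac.new(KEY, msg, hashlib.sha256).digest()


class ReplayFilter:
    def __init__(self, window: timedelta = REPLAY_WINDOW):
        self.window = window
        self.seen = {}  # signature fingerprint -> date stamp of an accepted message

    def check(self, body: bytes, stamp: datetime, sig: bytes, now: datetime) -> str:
        # Entries older than the window can be dropped: step 1 rejects them anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        # Step 1: date stamp outside the replay window.
        if abs(now - stamp) > self.window:
            return "suspicious: outside replay window"
        # Step 2: inside the window, but already seen.
        fp = hashlib.sha256(sig).hexdigest()
        if fp in self.seen:
            return "suspicious: replay"
        # Step 3: verify; only a message that verifies joins the replay list.
        if not hmac.compare_digest(sig, sign(body, stamp)):
            return "suspicious: bad signature"
        self.seen[fp] = stamp
        return "ok"


if __name__ == "__main__":
    now = datetime(2005, 1, 12, tzinfo=timezone.utc)  # constructed clock
    f = ReplayFilter()
    archived = now - timedelta(days=20)               # message pulled from an archive
    sig = sign(b"hello list", archived)
    print(f.check(b"hello list", archived, sig, now))  # first delivery
    print(f.check(b"hello list", archived, sig, now))  # replay within the window
    print(f.check(b"hello list", now, sig, now))       # re-dated copy of the same message
```

Because the stamp is covered by the signature in this sketch, re-dating an old message to bring it back inside the window fails at step 3 instead of slipping past step 1.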