Thus, instead of creating DNS entries containing the IP address of
each legitimate relay for a domain, the provider can give each
legitimate relay a certificate that allows them to authenticate
themselves as coming from that domain. Such a technique would work
even in the face of IP address spoofing, which the marid techniques
are susceptible to.
Once again, where is there a practical, or even possible, IP spoofing problem
where the source IP can be spoofed in a TCP (where you need to talk back to
the client machine) connection?
And asymmetric routing doesn't count, because the receiving end of the
asymmetric route isn't going to be in any domain's allowed hosts list (or
said host has worse security problems than being spoofed in a spam run).
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>