On Tue, 17 May 2005 19:42:09 CDT, wayne said:
> > Now if your proposed tag said:
> > ID SPF=YES,YAHOO=NO,CVS=YES
> > *THAT* I can do something with (namely, short-circuit that auth method with
> > whatever I do for a 'info-not-found' for that method).
> Why would you trust this? I mean, if a phisher wants to impersonate
> big-bank.com, all they would have to do is say "ID SPF=NO,YAHOO=NO,CVS=NO".
Hmm. Good point. An attacker could conceivably intentionally *omit* listing
an auth method that would prove him a bogon. There's a big difference between
'SPF authoritatively failed' and 'no SPF info available'.
Damn. :)
Maybe allow/suggest that the server randomly attempt a given auth method some
small (2%? 5%?) amount of the time, and apply punitive scores for sources that
do that? Probably need a DCC/Razor sort of distributed system to keep track
of people trying to do this while spreading it across enough sources/destinations
so they aren't likely to be punitively scored by any single site?
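As an added illustration of the spot-check idea above (this is not code from the thread), here is a Python sketch of a receiver that parses the proposed `ID` tag, checks every method the sender declares as YES, randomly verifies a method declared NO, and punishes a hidden authoritative fail while keeping "no info available" distinct from "failed". The point values, the 2-strike reputation threshold, and the `lookup`/`coin`/`reputation` callables are assumptions standing in for a real SPF query, a random draw, and a shared DCC/Razor-style tally.

```python
from typing import Callable, Dict, List, Tuple

# Lookup outcomes for one auth method. "none" (no policy published) and "fail"
# (a policy is published and rejects this sender) must never be conflated.
NONE, PASS, FAIL = "none", "pass", "fail"

def parse_id_tag(tag: str) -> Dict[str, bool]:
    """Parse a sender-declared tag such as 'ID SPF=YES,YAHOO=NO' into
    {'SPF': True, 'YAHOO': False}. Case and surrounding whitespace are ignored."""
    body = tag.strip()
    if body.upper().startswith("ID "):
        body = body[3:]
    declared: Dict[str, bool] = {}
    for item in body.split(","):
        name, _, value = item.strip().partition("=")
        if name:
            declared[name.upper()] = value.strip().upper() == "YES"
    return declared

def score_message(domain: str, tag: str, lookup: Callable[[str], str],
                  sample_rate: float, coin: Callable[[], float],
                  reputation: Dict[str, int]) -> Tuple[int, List[str]]:
    """Score one message; higher is worse. Point values are assumptions.
    lookup(method) runs the real check and returns NONE, PASS or FAIL. A method
    declared YES is always checked; one declared NO is skipped unless
    coin() < sample_rate (the thread's random spot-check). A spot-check that
    returns FAIL means the sender hid a condemning method: punitive score plus
    a mark in `reputation`, a stand-in for a shared DCC/Razor-style tally."""
    score, reasons = 0, []
    for method, claimed in parse_id_tag(tag).items():
        if not claimed and coin() >= sample_rate:
            continue  # took the NO claim at face value this time
        result = lookup(method)
        if result == FAIL and not claimed:
            score += 10
            reasons.append(f"{method}: hidden authoritative fail")
            reputation[domain] = reputation.get(domain, 0) + 1
        elif result == FAIL:
            score += 5
            reasons.append(f"{method}: authoritative fail")
        elif result == PASS:
            score -= 1
            reasons.append(f"{method}: pass")
        else:
            reasons.append(f"{method}: no info available")  # not a failure
    if reputation.get(domain, 0) >= 2:
        score += 5
        reasons.append("domain previously caught hiding a failing method")
    return score, reasons
```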