Re: Sender's Declaration of Identity

2005-05-17 18:24:13
On Tue, 17 May 2005 19:42:09 CDT, wayne said:
> > Now if your proposed tag said:
> >
> >
> > *THAT* I can do something with (namely, short-circuit that auth method with
> > whatever I do for a 'info-not-found' for that method).
>
> Why would you trust this?  I mean, if a phisher wants to impersonate, all they would have to do is say "ID SPF=NO,YAHOO=NO,CVS=NO".

Hmm. Good point.  An attacker could conceivably intentionally *omit* listing
an auth method that would prove him a bogon.  There's a big difference between
'SPF authoritatively failed' and 'no SPF info available'.

Damn.  :)

Maybe allow/suggest that the server randomly attempt a given auth method some
small (2%? 5%?) amount of the time, and apply punitive scores for sources that
do that?  Probably need a DCC/Razor sort of distributed system to keep track
of people trying to do this while spreading it across enough 
so they aren't likely to be punitively scored by any single site?
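As an added illustration of the two points raised above (that "SPF authoritatively failed" and "no SPF info available" must score differently, and that a receiver can audit a sender's "SPF=NO" declaration by running the real check some fraction of the time and penalising contradictions), here is a small scoring model. It is example code written for this page, not anything from the thread's participants; the `ID SPF=NO,...` header syntax is taken from the message above, while the SPF result table, the score values, the `Scorer` class and the local `reputation` dictionary (standing in for the distributed DCC/Razor-style store the message mentions) are all constructed assumptions.

```python
import random
from dataclasses import dataclass, field

# Constructed stand-in for a real SPF evaluation (no DNS is consulted):
# sending domain -> the result a real check would return for this connection.
SPF_TABLE = {
    "example.com": "fail",   # publishes SPF; this host is not authorised
    "example.org": "pass",   # publishes SPF; this host is authorised
    "example.net": "none",   # publishes no SPF record at all
}

# Constructed score weights; higher means more spam-like. Note that 'none'
# (no info) is neutral while an authoritative 'fail' is strongly penalised.
SCORE_FOR_RESULT = {"pass": -1.0, "none": 0.0, "fail": 4.0}
LIE_PENALTY = 5.0   # added to a domain's reputation when its declaration was false


def parse_declaration(header_value):
    """Parse 'ID SPF=NO,YAHOO=NO,CVS=NO' into {'SPF': False, 'YAHOO': False, ...}.

    A method the sender omits is simply absent from the result, so the caller
    can tell 'declared NO' apart from 'said nothing' (the omission trick)."""
    value = header_value.strip()
    if value.upper().startswith("ID "):
        value = value[3:]
    declared = {}
    for item in value.split(","):
        if "=" not in item:
            continue
        method, flag = item.split("=", 1)
        declared[method.strip().upper()] = flag.strip().upper() == "YES"
    return declared


def lookup_spf(domain):
    """Hypothetical SPF check backed by the constructed table above."""
    return SPF_TABLE.get(domain, "none")


@dataclass
class Scorer:
    audit_rate: float                                  # fraction of 'SPF=NO' mail checked anyway
    rng: random.Random = field(default_factory=random.Random)
    reputation: dict = field(default_factory=dict)     # domain -> accumulated lie penalties

    def score(self, domain, header_value, audit=None):
        """Score one message; returns (score, audited, lied).

        audit=None lets the RNG decide using audit_rate; True/False forces it."""
        declared = parse_declaration(header_value)
        if audit is None:
            audit = self.rng.random() < self.audit_rate
        lied = False
        if declared.get("SPF", True) is False and not audit:
            # Trusting the declaration: short-circuit and treat as 'no SPF info'.
            result = "none"
        else:
            # Undeclared, declared YES, or selected for audit: run the real check.
            result = lookup_spf(domain)
            if declared.get("SPF") is False and result != "none":
                # Sender claimed 'no SPF' but a record exists: declaration was false.
                lied = True
                self.reputation[domain] = self.reputation.get(domain, 0.0) + LIE_PENALTY
        score = SCORE_FOR_RESULT[result] + self.reputation.get(domain, 0.0)
        return score, audit, lied


def first_detection(domain, header_value, audit_rate, n_messages, seed=0):
    """Index of the first message on which a false declaration is caught, or -1.

    Shows how a small audit rate still catches a persistent liar over volume."""
    scorer = Scorer(audit_rate=audit_rate, rng=random.Random(seed))
    for i in range(n_messages):
        _, _, lied = scorer.score(domain, header_value)
        if lied:
            return i
    return -1


if __name__ == "__main__":
    s = Scorer(audit_rate=0.0)
    print(s.score("example.com", "ID SPF=NO,YAHOO=NO,CVS=NO"))            # trusted: neutral
    print(s.score("example.com", "ID SPF=NO,YAHOO=NO,CVS=NO", audit=True))  # audited: caught
    print(s.score("example.com", "ID SPF=NO,YAHOO=NO,CVS=NO"))            # reputation persists
    print(first_detection("example.com", "ID SPF=NO", 0.05, 1000))
```

The first call shows the gap wayne pointed out: with no audit, a forged `SPF=NO` from a domain that would actually fail SPF scores exactly like a domain with no record. Once an audit catches the contradiction, the penalty is stored against the domain, so later unaudited messages from it are no longer neutral; sharing that reputation across sites is what the distributed system in the message would add.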

