[Top] [All Lists]

Re: "Header Reordering", yet again

2005-05-28 14:49:00
On Sat, 28 May 2005 13:05:20 PDT, David MacQuigg said:

I would establish three levels of compliance for servers wanting to be 
listed as Public Mail Servers:

1) Servers that will declare their ID, and provide a DNS record to 
authorize the use of that ID.

2) Servers that will capture the IP address and any ID declared by the 
previous sender, and prepend that information in a standard authentication 

3) Servers that will perform an authentication check on the declared ID, 
using any widely-accepted method, and prepend the result of that check.

4) Servers that will prepend text that appears that they have performed one
or more of the previous tests, with a claimed result.

Moral: Never trust a check not performed by yourself unless you are able to
validate the results yourself.  There's two interesting cases here:

A) Spammers/miscreants who append a bogus "Check XYZ Passed" to get it through
your filters.

B) Spammers/miscreants who intentionally append a bogus 'Check XYZ Failed" while
claiming some origin point, for the intention of poisoning any collaborative
reputation schemes and making people not trust them....

Attachment: pgpisLxVY25Zp.pgp
Description: PGP signature

<Prev in Thread] Current Thread [Next in Thread>