Hector Santos wrote:
> My point here is simply that a professional AVS email security service
> bureau will most likely have and offer (if they want the business) an
> "interface" specification such as http://www.virtualconnect.net which
> allows the operator to update their list of valid users in an
> automated fashion via e-mail.
> > Ponder the security risks of such an implementation.
> Like what?
You see no security risks in allowing some random person to set your
valid recipient list using unauthenticated e-mail? (X-Note: Password
is pretty weak authentication and easily sniffed. At the very least,
the e-mail should be PGP-signed and possibly encrypted before being
accepted.)
> Let me put it this way, speaking for myself, let's just say, I have a
> very strong ethical philosophical engineering dilemma with the idea of
> publicly exposing user information, especially in large database
> amounts.
The fact that some_email_address@example.com exists or doesn't exist
is already exposed. Exposing it via DNS makes no difference.
[...]
> Let's see, why not use existing user validation: LDAP? RADIUS?
Because DNS is widely-implemented, lightweight, scalable, cacheable
and has built-in facilities for replication.
> > Your server incorrectly claims an SPF failure for:
> Correct. That was the goal of the example. The IP input was my address
> using your address - SPF rejected it as expected.
No, check the URL in my original e-mail again. I used my IP address.
> Personally, I have a problem with exposing my user database or
> suggesting to customers to expose their user database via DNS - I
> prefer to do that in a very exclusive trust exchange environment -
> not publicly, opening it up to MDx/SHaX security threat hacking
> exploits.
You're not exposing your user database. You're simply saying
whether or not an e-mail address will be accepted in a RCPT command;
such information is already publicly available!
> But I would still love to see your DNS-VRFY I-D proposal! <g>
I've never done an I-D before. If anyone on the list wants to help
out, please e-mail me off-list.
Regards,
David.
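The point disputed above is that an MTA already reveals, through its answer to RCPT TO, whether a mailbox exists, so publishing the same yes/no via DNS discloses nothing new. The following is an added example, not code from either participant or from any product they mention: it runs a tiny constructed SMTP responder on localhost (a mock MX with a hypothetical directory for example.com) and probes it the way anyone on the Internet can probe a real MX, recording which recipients get 250 and which get 550.

```python
"""Recipient enumeration over plain SMTP RCPT TO (constructed demo).

The mock MX, the example.com domain, and the two valid mailboxes below are
assumptions made for this example; nothing here talks to a real server.
"""
import smtplib
import socketserver
import threading

# Constructed directory of valid recipients for the mock MX (assumption).
VALID_USERS = {"alice@example.com", "bob@example.com"}


class _MockMXHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: 250 for known recipients, 550 for unknown ones.

    Only the commands smtplib sends during a probe are implemented.
    """

    def handle(self):
        self.wfile.write(b"220 mx.example.com ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith((b"EHLO", b"HELO")):
                self.wfile.write(b"250 mx.example.com\r\n")
            elif cmd.startswith(b"MAIL FROM:"):
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif cmd.startswith(b"RCPT TO:"):
                # "RCPT TO:<user@example.com>" -> "user@example.com"
                addr = line.split(b":", 1)[1].strip().strip(b"<>").decode().lower()
                if addr in VALID_USERS:
                    self.wfile.write(b"250 2.1.5 Ok\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif cmd.startswith(b"RSET"):
                self.wfile.write(b"250 2.0.0 Ok\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_mock_mx():
    """Start the mock MX on an ephemeral localhost port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockMXHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_recipients(host, port, candidates, sender="probe@example.net"):
    """Return {address: accepted} using one SMTP session and one RCPT per address.

    This is exactly the information a DNS-published validity record would
    carry, obtained from the interface the MX already exposes publicly.
    """
    results = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example.net", timeout=5) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        for addr in candidates:
            code, _reply = smtp.rcpt(addr)
            results[addr] = (code == 250)
    return results


def demo():
    """Probe the constructed MX for two real and one bogus mailbox."""
    server, port = start_mock_mx()
    try:
        return probe_recipients(
            "127.0.0.1", port,
            ["alice@example.com", "mallory@example.com", "bob@example.com"],
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for addr, ok in demo().items():
        print(f"{addr}: {'accepted' if ok else 'rejected'}")
```

Against a real MX the same loop works as long as the server rejects unknown recipients at RCPT time; MTAs that accept everything and bounce later, or that apply tarpitting and per-connection RCPT limits, blunt the enumeration but do not change the fact that delivery status is observable by anyone who can send mail.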