Alessandro Vesely wrote:
> A program written in C can easily scan the tag even without resorting to
> regular expressions. Why would it want to do that? Two reasons:
> 1) Given that today is 019, the tag exemplified above exhibits an
> expired day 234, thus a remote server can reject the message if it
> adopts the policy of not accepting unbounceable messages, even if it
> cannot verify the signature. (Possibly valid for batv1 only.)
Can it? Day 234 is after 019, isn't it? Given that the remote server has
no way of knowing how long the sending MTA has specified for allowing
bounces, this is an assumption that can't automatically be made.
Also, it would be easy for a spammer to just send a message from
batv1=1020bibble=user@example.com
The receiving mail server can't check that 'bibble' isn't a valid
signature, so it would accept the message. In any case, a spammer would
just send it from user@example.com, as the recipient has no way of
knowing that the sender address should be signed.
So, the remote server gains absolutely no benefit from BATV. That's
fine, as it doesn't seem that the remote server is supposed to gain any
benefit. It's the spoofed domain's MTAs which can gain the benefit.
--
Paul Smith
VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows