ietf-smtp
[Top] [All Lists]

Re: BATV pseudo-Last Call

2008-05-20 03:09:12

Alessandro Vesely wrote:

A C written program can easily scan the tag even without resorting to regular expressions. Why would it want to do that? Two reasons:

1) Given that today is 019, the tag exemplified above exhibits an expired day 234, thus a remote server can reject the message if it adopts the policy of not accepting unbounceable messages, even if it cannot verify the signature. (Possibly valid for batv1 only.)
Can it? Day 234 is after 019 isn't it? Given that the remote server has no way of knowing how long the sending MTA has specified for allowing bounces, this is an assumption that can't automatically be made.

Also, it would be easy for a spammer to just send a message from
batv1=1020bibble=user(_at_)example(_dot_)com

The receiving mail server can't check that 'bibble' isn't a valid signature, so it would accept the message. In any case, a spammer would just send it from user(_at_)example(_dot_)com, as the recipient has no way of knowing that the sender address should be signed.

So, the remote server gains absolutely no benefit from BATV. That's fine, as it doesn't seem that the remote server is supposed to gain any benefit. It's the spoofed domain's MTAs which can gain the benefit.


--
Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows

<Prev in Thread] Current Thread [Next in Thread>