mail-vet-discuss

Re: [mail-vet-discuss] Discussion of auth-header draft (fwd)

2008-10-10 13:36:39
At 02:13 10-10-2008, Charles Lindsey wrote:
> Which suggests a much simpler answer to the whole problem. The authserv-id
> is chosen by the MTA. So you simply state that the authserv-id MUST NOT be
> the domain name of the MTA as obtainable from the (any) MX record, or be
> easily derivable from it. That is not to say it may not contain that
> domain name, but it must also include some other "magic word" which could
> not be guessed by the Bad Guys, but which could be hidden in the
> documentation provided by that MTA to its end users.

The "Bad Guys" could easily find out the authserv-id as a person can
set up an account on the receiving domain to figure it out.

> Bear in mind that phishers are in the business of emailing their scams by
> the million, addressed to random recipients culled from a variety of
> sources, thus making it totally unprofitable to do the necessary research
> to discover the "magic word" for other than a small proportion of them.

There's a new business opportunity to sell "magic words". :-) Your
suggestion of using "magic words" might only be beneficial for
domains with a small number of mailboxes.

Regards,
-sm 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
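
Added example, not part of the original message or of the draft under discussion: a minimal recipient-side filter that accepts an Authentication-Results header only when its authserv-id equals the locally configured one. The sample message, the id `mx.example.net.k7q2` and the function names are constructed assumptions; the run shows that a guessed id is ignored while a header copying the real id is accepted, which is the objection raised in the reply above.

```python
import re
from email import message_from_string

# Constructed sample. "k7q2" stands in for the proposed "magic word".
# Only the first header was added by the receiving MTA; the two below the
# Received line arrived with the message.
SAMPLE = """\
Authentication-Results: mx.example.net.k7q2; dkim=pass header.i=@example.org
Received: from mail.example.org by mx.example.net; Fri, 10 Oct 2008 13:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.i=@bank.example
Authentication-Results: mx.example.net.k7q2 (copied) 1; spf=pass smtp.mailfrom=bank.example
From: someone@bank.example
Subject: constructed test message

body
"""

_COMMENT = re.compile(r"\([^()]*\)")  # handles non-nested comments only

def authserv_id(header_value):
    """Return the authserv-id of one header value, or None if malformed."""
    # Strip comments first: a comment may itself contain ';'.
    head = _COMMENT.sub(" ", header_value).split(";", 1)[0]
    tokens = head.split()
    if not tokens or len(tokens) > 2:
        return None
    # An optional second token is the numeric header version.
    if len(tokens) == 2 and not tokens[1].isdigit():
        return None
    return tokens[0]

def classify(raw_message, expected_id):
    """Split Authentication-Results values into (accepted, ignored)."""
    msg = message_from_string(raw_message)
    accepted, ignored = [], []
    for value in msg.get_all("Authentication-Results", []):
        bucket = accepted if authserv_id(value) == expected_id else ignored
        bucket.append(value)
    return accepted, ignored

if __name__ == "__main__":
    ok, dropped = classify(SAMPLE, "mx.example.net.k7q2")
    print("accepted:", *ok, sep="\n  ")
    print("ignored:", *dropped, sep="\n  ")
```

Matching on the authserv-id alone cannot tell the MTA's own header from one supplied by a sender who has learned the id, so the check is only as strong as the secrecy of that string.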
