spf-discuss

Re: Re: will resistant MTAs be fronted with commercial antispam gateways?

2004-02-11 12:13:44
In <16426(_dot_)30262(_dot_)531260(_dot_)789575(_at_)moriarty(_dot_)gnomon(_dot_)org(_dot_)uk> Roy Badami <roy(_at_)gnomon(_dot_)org(_dot_)uk> writes:

"Meng" == Meng Weng Wong <mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> writes:
    Meng> What do you think of the new Mail::SRS algorithm?

I'm uneasy about the 11-year wrap around of the timestamp, though.
Are we confident that these won't get archived anywhere?  I can't see
any reason why they should end up in list archives and the like, but
if they do then come 2015 spammers might start using old archives.

Spammers would only be able to use the SRS string for one day and only
if both the destination mailbox and the relaying host are still
around.

Actually, all that the system using SRS needs to do is change their
private key once every 11 years.


Hmmm...


What if as part of the SRS system, we added the current year as a salt
to the "private key"?  You would have to check both this year and last
year and, like all salts, it wouldn't add any more security to the
private key.  It would, however, prevent any replay attacks.


-wayne
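
The wrap-around replay and the year-salt idea discussed in this message, as an added Python sketch that is not part of the original post and is not Mail::SRS code. The 4096-day counter (chosen to match the 11-year wrap mentioned above), the HMAC-SHA1 tag, the secret and the address are all assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

WRAP_DAYS = 4096          # assumption: day counter wraps after ~11.2 years
MAX_AGE_DAYS = 1          # the message says a string is usable for one day
SECRET = b"constructed-demo-secret"   # constructed value, not a real key

def day_stamp(day):
    """Day counter as carried in the rewritten address (wraps)."""
    return day.toordinal() % WRAP_DAYS

def year_key(year):
    """Secret with the calendar year appended as the salt."""
    return SECRET + str(year).encode()

def tag(key, stamp, address):
    msg = f"{stamp}:{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

def sign(address, day, salted):
    key = year_key(day.year) if salted else SECRET
    stamp = day_stamp(day)
    return stamp, tag(key, stamp, address)

def verify(address, stamp, mac, today, salted):
    # Age is computed modulo the wrap, so a stamp from exactly
    # WRAP_DAYS ago is indistinguishable from one issued today.
    if (day_stamp(today) - stamp) % WRAP_DAYS > MAX_AGE_DAYS:
        return False
    if salted:
        # Check this year and last year so strings survive New Year.
        keys = [year_key(today.year), year_key(today.year - 1)]
    else:
        keys = [SECRET]
    return any(hmac.compare_digest(tag(k, stamp, address), mac) for k in keys)

if __name__ == "__main__":
    addr = "user@example.org"                 # constructed address
    issued = date(2004, 2, 11)
    replay = issued + timedelta(days=WRAP_DAYS)   # falls in 2015
    for salted in (False, True):
        stamp, mac = sign(addr, issued, salted)
        print("salted" if salted else "plain ",
              "next day:", verify(addr, stamp, mac, issued + timedelta(days=1), salted),
              "after wrap:", verify(addr, stamp, mac, replay, salted))
```
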