On Wed, Feb 18, 2004 at 10:20:39PM -0600, mw-list-spf-discuss(_at_)csi(_dot_)hu
wrote:
On Thu, Feb 19, 2004 at 12:17:37AM +0000, Brian Candler wrote:
On Wed, Feb 18, 2004 at 04:03:44PM -0600,
mw-list-spf-discuss(_at_)csi(_dot_)hu wrote:
In particular, how can one avoid Eve to use an SRS-ed
envelope sender address as a return address to send spam?
Because Eve doesn't know the secret value used to generate the hash.
Bounces with invalid hashes are discarded. This is the whole point of the
cryptographic component.
Alice sends message to Bob. The message arrives to Bob with the
envelope sender address
srs0=hkjhkjhk=5J=alice(_dot_)com=alice(_at_)forward
Eve gets hold of this address, and sends a message to it (say, with <>
as envelope sender). Is there anything that prevents her from doing
this? How is it prevented that Alice receives Eve's message?
It's not prevented.
(1) It's assumed that you don't send mails to spammers. If you do, you
suffer the consequences :-)
(2) Messages you send publicly (to mailing lists) would normally have the
Return-Path: replaced with the mailing list's own Return-Path:
(3) The signature expires after a few days, so even if such addresses could
be harvested, they would not be useful in the longer term, distributed on
CD-ROMs etc.
If a spammer is able to *intercept* your communication, then yes they will
be able to send messages to Alice, and also send spam where the bounces come
back to Alice. But if they are able to intercept your SMTP communication
then you have bigger problems to worry about.
SMTP STARTTLS gives reasonable protection against passive sniffing at least,
and seems to be getting deployed slowly. Same applies for the corresponding
POP3/IMAP mechanisms.
I meant to see a threat analysis. It is suggested that secrets are
changed on a monthly basis, that each user has his own secrets. What
threats are dealt with here?
I didn't make that suggestion, and I strongly agree that it's bad paranoia
(i.e. paranoia based on misunderstanding the real threat model)
Regards,
Brian.