spf-discuss

Re: case folding and brute force attack!

2004-03-19 17:35:42
We should maybe move this thread to srs-discuss.

On Fri, Mar 19, 2004 at 07:30:55PM -0500, Stuart D. Gathman wrote:
| 
| More interesting, I am getting a pile of attempted bounces to lowercase SRS
| signed users - each with a different combination in the hash.  Someone is
| repeating a timestamp, and trying lots of combinations of hashes to try and
| find a good one - and counting on the case folding to reduce combinations I
| guess.  I am using hashlength=8, so I don't think this will be very successful
| other than annoying my milter.  The attempts are from AOL and YAHOO.
| The hash values seem to be random, rather than sequential.  I am getting
| them on all of the mail servers and domains I manage.
| 
| I guess this means spammers are taking notice of SRS, and seem to be
| planning on a brute force attack.

But even if they manage to brute one particular combination, that still
doesn't let them guess the key ...

But thanks, spammers, for helping us explore this avenue.  Nothing like
real-world tests to strengthen a specification.
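As an added illustration of the two points in this thread (not code from the list or from Mail::SRS), the following assumes the usual SRS0 layout and an HMAC-SHA1 hash truncated to hashlength base64 characters: it sizes the space a case-folded hash leaves (base64's 64 symbols shrink to 38 once upper and lower case merge), and it flags the pattern Stuart saw, many distinct hashes arriving for one timestamp. The sample addresses are constructed.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed SRS0 layout: SRS0=<hash>=<timestamp>=<orig host>=<orig local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=([^@]+)@", re.IGNORECASE)

def srs_hash(secret: bytes, timestamp: str, host: str, local: str, hashlength: int = 8) -> str:
    """SRS-style hash: base64(HMAC-SHA1(secret, ts+host+local)) cut to hashlength.
    Inputs are lower-cased first because the receiver will compare case-insensitively."""
    data = (timestamp + host + local).lower().encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()[:hashlength]

def hash_matches(expected: str, provided: str) -> bool:
    """Case-folded comparison (the hash may have been downcased in transit),
    done in constant time so the check itself leaks nothing about the key."""
    return hmac.compare_digest(expected.lower().encode(), provided.lower().encode())

def search_space(hashlength: int, case_folded: bool) -> int:
    """Worst-case number of distinct hash strings for one timestamp/sender.
    Base64 has 64 symbols; after case folding A-Z and a-z merge, leaving 38."""
    return (38 if case_folded else 64) ** hashlength

def suspicious_timestamps(addresses, threshold: int = 5) -> dict:
    """Count distinct (case-folded) hashes seen per SRS timestamp among attempted
    bounce recipients; one timestamp with many hashes is the guessing pattern."""
    seen = defaultdict(set)
    for addr in addresses:
        m = SRS0_RE.match(addr)
        if m:
            seen[m.group(2)].add(m.group(1).lower())
    return {ts: len(hs) for ts, hs in seen.items() if len(hs) >= threshold}

# Constructed sample of bounce recipients, as a milter might log them.
SAMPLE_ATTEMPTS = [
    "SRS0=ab12cd34=7Q=example.org=alice@fwd.example.net",
    "SRS0=AB12CD34=7Q=example.org=alice@fwd.example.net",  # case variant of the first: counts once
    "SRS0=zz99yy88=7Q=example.org=alice@fwd.example.net",
    "SRS0=q1w2e3r4=7Q=example.org=alice@fwd.example.net",
    "SRS0=t5y6u7i8=7Q=example.org=alice@fwd.example.net",
    "SRS0=o9p0a1s2=7Q=example.org=alice@fwd.example.net",
    "SRS0=d3f4g5h6=7Q=example.org=alice@fwd.example.net",
    "SRS0=j7k8l9m0=7R=example.org=alice@fwd.example.net",  # different timestamp, its own bucket
    "bob@example.com",  # not an SRS address, ignored
]

if __name__ == "__main__":
    print("case-folded space at hashlength=8:", search_space(8, True))
    print("timestamps with many distinct hashes:", suspicious_timestamps(SAMPLE_ATTEMPTS))
```

Even the folded space at hashlength=8 is about 4.3e12 guesses per timestamp, and a hit reveals one valid address for that timestamp, not the secret, which is the point made in the reply above.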