On Sat, 20 Mar 2004, Alain Knaff wrote:
What we can do about it:
------------------------
1. Do not apply SRS encoding for mails where we already do SRS
decoding.
2. Or, only apply encoding for From eaddresses whose domain publishes SPF
3. (or maybe easyer to implement): only apply SRS decoding if From is
<> or <postmaster@ ... >
4. Some throttling mechanism (limit number of SRS encoding /decoding
operations per minute that come from a same IP or IP range)
5. Apply tarpit to invalid cookies.
6. Use database backed SRS where the odds against guessing a valid
cookie are astronomical (120 - 160 bits for hash).
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Very few of our customers are going to have a pure Unix
or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation