spf-discuss

Re: Security Paper on forgery bounce DDoS

2004-04-17 18:51:46
In <MHEGIFHMACFNNIMMBACAMECCHMAA(_dot_)sethg(_at_)GoodmanAssociates(_dot_)com> 
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:

On Fri, Apr 16, 2004 at 03:55:37PM -0500, Dustin D. Trammell wrote:
| http://www.techzoom.net/paper-mailbomb.asp

[SPF can't prevent this attack until high rates of adoption]      On the
other hand, any one of the Signed Envelope Sender approaches that have been
mentioned on this list and SRS-discuss will stop all of it today, without
anyone else adopting anything.

This is true, although it assumes that the attacker can't grab even a
few correctly created SRS addresses.  In many cases, with Fortune 500
companies, this could be easy to do.

It also assumes that the victim doesn't just stop accepting DSNs
until the attack disappears.


                                They also deliver all the other
functionality that SPF+SRS does.

We have been through this before and SES/SRS doesn't do everything
SPF+SRS does, and it is often far more expensive, requiring an SMTP
callback.


-wayne
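
Added example, not part of the original message: a minimal signed-envelope-sender check applied to incoming DSNs. The address layout `local+day+tag@domain`, the key and the 7-day window are assumptions made for illustration, not the SES or SRS wire format. It shows bounces to an unsigned address being refused, and the caveat raised in the reply above: a harvested, correctly signed address keeps verifying until it expires.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-domain signing secret
MAX_AGE_DAYS = 7                  # assumption: validity window of a signed sender


def _tag(local: str, domain: str, day: int) -> str:
    """Truncated HMAC over the mailbox and the day it was issued."""
    msg = f"{local}@{domain}|{day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def sign_sender(local: str, domain: str, day: int) -> str:
    """Envelope sender put on outbound mail (hypothetical layout)."""
    return f"{local}+{day}+{_tag(local, domain, day)}@{domain}"


def accept_dsn(rcpt: str, today: int) -> bool:
    """Accept a bounce only if rcpt is a sender address we actually issued."""
    local_part, _, domain = rcpt.rpartition("@")
    pieces = local_part.rsplit("+", 2)
    if len(pieces) != 3:
        return False  # unsigned address: no mail left here with this sender
    local, day_s, tag = pieces
    if not (day_s.isascii() and day_s.isdigit()):
        return False
    day = int(day_s)
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return False  # expired or future-dated signature
    return hmac.compare_digest(tag.encode(), _tag(local, domain, day).encode())


def demo() -> dict:
    today = 12525  # constructed day number
    genuine = sign_sender("alice", "example.com", today)
    return {
        "forged_plain": accept_dsn("alice@example.com", today),
        "forged_guess": accept_dsn(f"alice+{today}+0000000000@example.com", today),
        "genuine": accept_dsn(genuine, today),
        "harvested_replay": accept_dsn(genuine, today + 3),  # still valid
        "harvested_expired": accept_dsn(genuine, today + MAX_AGE_DAYS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Shortening the validity window or tracking signed addresses that receive an abnormal number of DSNs narrows the replay case; both are assumptions about deployment, not something the thread specifies.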