spf-discuss

RE: Ignoring rejected mail?

2004-12-01 12:31:20
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com 
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David 
Woodhouse
Sent: woensdag 1 december 2004 20:08
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Ignoring rejected mail?


> On Wed, 2004-12-01 at 18:43 +0000, Mark wrote:
>
>> As irony would have it, though, the SES added "digest of
>> the message, which fully prevents an attacker from being
>> able to re-use an existing reverse-path with a new message,"
>> introduces a type of 'redistribution' issue, not unlike the
>> 'forwarding' problem the SES proponents so vocally decry.
>> Namely, where mailing lists/ISPs add their own little message
>> banner/Anti-Virus blurb.
>
> When mailing lists do it they change the reverse-path so it's fine.
> When mail servers do it, they need to do it before the signature is
> generated, or after the signature is checked.

But, this way, does SES not require 'the cooperation of the entire world'
then, too? If sender A signs, using SES, and sends it to B, who runs it
over the infamous .forward file, adding a wee blurb, like "Thanks for
using this fine forwarding service!", or, more realistically, "This mail
was scanned with Anti-Virus product such-and-so," then B essentially needs
to do its own SES (re)writing, right?  Because if he doesn't, then
recipient C will check SES signature of A, and decide that the message
is a forgery! Then B is faster off just doing a quick SRS rewrite. ;)

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
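
The failure mode discussed in this message, as an added example that is not part of the original thread: a simplified stand-in for a reverse-path signature bound to a digest of the message, not the actual SES encoding. The `sig=<tag>=<addr>` layout, the keys, addresses and message bodies are all constructed, and checking with the signer's key stands in for whatever channel recipient C uses to validate with the signing domain.

```python
import hashlib
import hmac

# Constructed sample keys and messages; "sig=<tag>=<addr>" is a made-up layout.
KEY_A = b"constructed-key-of-sender-A"
KEY_B = b"constructed-key-of-forwarder-B"
BODY = b"Hi C, lunch on Friday?\r\n"
BLURB = b"This mail was scanned with Anti-Virus product such-and-so\r\n"


def sign_path(addr: str, body: bytes, key: bytes) -> str:
    """Build a reverse-path whose tag covers the address and a body digest."""
    digest = hashlib.sha256(body).digest()
    tag = hmac.new(key, addr.encode() + b"\0" + digest, hashlib.sha256).hexdigest()[:16]
    return f"sig={tag}={addr}"


def verify_path(reverse_path: str, body: bytes, key: bytes) -> bool:
    """Recompute the tag over the body as received; False reads as 'forgery'."""
    parts = reverse_path.split("=", 2)
    if len(parts) != 3 or parts[0] != "sig":
        return False
    return hmac.compare_digest(sign_path(parts[2], body, key), reverse_path)


def scenarios() -> dict:
    path_a = sign_path("a@sender.example", BODY, KEY_A)
    forwarded = BODY + BLURB  # B appends its blurb
    path_b = sign_path("b@forwarder.example", forwarded, KEY_B)
    return {
        # A -> C directly: body untouched, A's signature holds.
        "direct": verify_path(path_a, BODY, KEY_A),
        # A -> B -> C, B adds the blurb but keeps A's reverse-path.
        "blurb_kept_path": verify_path(path_a, forwarded, KEY_A),
        # B adds the blurb and rewrites the reverse-path with its own signature,
        # as a mailing list does; C then validates against B, not A.
        "blurb_resigned": verify_path(path_b, forwarded, KEY_B),
        # A's reverse-path re-used on a different message.
        "replayed_path": verify_path(path_a, b"Buy pills\r\n", KEY_A),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16} {'valid' if ok else 'REJECTED as forgery'}")
```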

