spf-discuss

Re: where is SES/BATV/ABBS?

2005-07-05 19:14:55
On Tue, Jul 05, 2005 at 06:36:44PM -0400, Stuart D. Gathman wrote:

> The weakness with that solution is that it is subject to replay
> attacks.  One solution is to limit the number of validations for a
> given sig in the server (requires only an in memory database of
> successful validations and count).

If you're keeping a count anyway, after some number, say three
verifications, you could also cause increasing delays, up to maybe 15
seconds, but still resolve to a positive answer after that delay.

That would keep that mailfrom value from being useful for being
harvested by zombies.

You could also limit the number of successful validations you allow
to be returned within any set time period, afterwards returning the
equivalent of a DNS temperror (I forget the name), for any subsequent
query-then-delay, until the timer restarts.

That makes the address even less useful for zombie use.

Making the timing stricter after an hour after generation tightens
things even further, without affecting legitimate users, but makes even
the easier look-through-mailing-list-archives-for-mailfroms trick less
useful.

(It would be cool if there were a way to transform the address that's
understood to be a validity check that only gets you the 15 second delay
and nothing else, so you could re-verify already-accepted mail and get
more detailed results.  I'm not yet sure why this might be useful given
the previous limits, but I keep thinking it might be.)

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
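
The limits discussed in this message, sketched as an added example (not code from the thread or from any SES/BATV implementation): an in-memory limiter for signatures that have already verified as genuine. The three free verifications, the 15 second cap and the one hour threshold follow the message; the class and method names, the 3 second delay step, the 10 minute window and the per-window limits are assumptions.

```python
import time
from dataclasses import dataclass

PASS, TEMPERROR = "pass", "temperror"

@dataclass
class SigState:
    passes: int = 0          # successful validations ever returned for this sig
    window_start: float = 0.0
    window_passes: int = 0   # successful validations in the current window

class ValidationLimiter:
    """In-memory replay limiter for signatures that already verified as genuine."""

    def __init__(self, free=3, step=3.0, max_delay=15.0, window=600.0,
                 per_window=5, strict_after=3600.0, strict_per_window=1,
                 clock=time.time):
        # free, max_delay and strict_after follow the figures in the message;
        # step, window and both per-window limits are assumed values.
        self.free, self.step, self.max_delay = free, step, max_delay
        self.window, self.per_window = window, per_window
        self.strict_after, self.strict_per_window = strict_after, strict_per_window
        self.clock, self.state = clock, {}

    def check(self, sig, issued_at):
        """Return (result, delay_seconds); the caller waits before answering."""
        now = self.clock()
        st = self.state.setdefault(sig, SigState(window_start=now))
        if now - st.window_start >= self.window:      # timer restarts
            st.window_start, st.window_passes = now, 0
        # Increasing delay once the free verifications are used up, capped.
        delay = min(self.max_delay, max(0, st.passes - self.free + 1) * self.step)
        # Stricter budget once the signature is more than strict_after old.
        old = now - issued_at > self.strict_after
        limit = self.strict_per_window if old else self.per_window
        if st.window_passes >= limit:
            return TEMPERROR, delay                   # query-then-delay, no pass
        st.passes += 1
        st.window_passes += 1
        return PASS, delay
```

The limiter returns the delay instead of sleeping so the server can schedule the answer without blocking; entries are never expired here, so a real server would also drop state for signatures past their validity period.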

