I'm a bit late in replying, but I wanted to take the time to say that I
really like RRS and I hope it gets fleshed out and eventually becomes
available for use by normal folks.
Perhaps it would make a good combination with SES - install both SES and
RRS for protection against both bogus bounces and replay-type use of your
per-forwarder incoming "bypass code"...
One question, which I'm not sure if you've already answered (thanks for
your patience, if so :)... In this RRS example:
MAIL FROM: <return(_at_)custhelp(_dot_)com>
RCPT TO: <RRS=IHBf67rW=blockbuster(_dot_)com=user(_at_)example(_dot_)com>
I understand that the RCPT contains instructions to "use blockbuster.com
instead of MAIL FROM domain for checking SPF".
What I am worried about is that some sender might send to my forwarding
address, and the forwarder relays the message on to my cookie-rcpt address,
but then a bounce is generated for some other reason (disk full, content
checks, etc). In this case, what if the forwarder sends a bounce back to
the sender showing my "secret" forwarding address? Does the hash part only
work if the text following it is =blockbuster.com=, or can the same hash be
used to request my SPF check to user "spammer.com"?
I would assume that the forwarding/spf-expected-to-pass domain such as
=blockbuster.com= would be part of the hash formula, so that the hash
string can only be used on replay by someone authorized by blockbuster.com.
In that case it's not really important that the address I give the
"forwarder" be kept a "secret". I am assuming that's how it's intended to
work but I wanted to check.
If someone learns my secret and can re-use the hash with his own =domain=
after, then keeping the hash a secret between forwarder and recipient
becomes important, and I would then have to be paranoid about whether the
forwarder ever generates a bounce containing my hashed rrs address.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com