-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Woodhouse wrote:
On Mon, 2006-03-27 at 18:24 -0800, Tom Lahti wrote:

And in answer to your third question -- of _course_ misdirected
bounces are a problem, and you know my solution.

Actually, we don't. Is it the same as Johann's laughable "solution";
the equivalent of running SpamAssassin?

http://www.infradead.org/rpr.html
Essentially the same principle as BATV, the original 'SES' before it
went off into the weeds, or self-signed SRS.

Basically I sign the reverse-path on any genuine outgoing mail so it
looks like an SRS address. Then I never accept bounces to the 'raw'
address 'dwmw2(_at_)infradead(_dot_)org'. So anyone doing sender verification
callouts gets to reject faked mail, but _certainly_ I don't get bounces.

As far as I could see from reviewing your webpage, your solution suffers
from the replay problem (apart from a weak datestamp verification). Did I
overlook anything?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEKX/TwL7PKlBZWjsRAouyAKDEt5/ZYJMMRPzM6RvL/XjgHJ3uOgCg/iX1
4N3kjAnpSLWJGHGxT7EXlQQ=
=2oWC
-----END PGP SIGNATURE-----
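
A sketch of the signed reverse-path idea discussed in this message, as an added example (not code from the thread or from the rpr page); the tag layout, key, 7-day lifetime, example.org address and function names are all assumptions. It also shows the replay limitation raised in the reply: the tag binds only the address and an expiry day, so the same signed address verifies for any number of bounces until it expires.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never published
LIFETIME_DAYS = 7                 # assumption: how long a signed address is honoured

def _tag(local, domain, day):
    # Keyed hash over expiry day + original address, truncated to 8 hex digits.
    msg = f"{day:03d}{local}@{domain}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:8]

def sign_reverse_path(addr, today):
    """Rewrite local@domain to prvs=DDDTTTTTTTT=local@domain (DDD = expiry day mod 1000)."""
    local, domain = addr.rsplit("@", 1)
    day = (today + LIFETIME_DAYS) % 1000
    return f"prvs={day:03d}{_tag(local, domain, day)}={local}@{domain}"

def accept_bounce(rcpt, today):
    """Decide whether a null-sender message (a bounce) addressed to rcpt is accepted."""
    local, _, domain = rcpt.rpartition("@")
    if not local.startswith("prvs="):
        return False  # raw address is never used as a reverse-path, so no genuine bounce goes here
    try:
        _, stamp, orig_local = local.split("=", 2)
        day = int(stamp[:3])
    except ValueError:
        return False  # malformed tag
    expected = _tag(orig_local, domain, day)
    if not hmac.compare_digest(stamp[3:].encode(), expected.encode()):
        return False  # forged or altered tag
    # Weak datestamp: only "days until expiry, modulo 1000" is checked.
    return (day - today) % 1000 <= LIFETIME_DAYS

if __name__ == "__main__":
    today = 13235  # constructed day number (days since some epoch)
    signed = sign_reverse_path("user@example.org", today)
    print(signed)
    print("raw address:      ", accept_bounce("user@example.org", today))
    print("signed, first use:", accept_bounce(signed, today))
    # Replay: nothing ties the tag to one message, so it is accepted again.
    print("signed, reused:   ", accept_bounce(signed, today + 5))
    print("signed, expired:  ", accept_bounce(signed, today + 8))
```
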
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/