At 05:03 PM 12/5/2006 -0500, Stuart D. Gathman wrote:
On Tue, 5 Dec 2006, David MacQuigg wrote:
> I don't understand the leakage worry. Do you mean bounces to a fake Return
> Address? How would you discover my private mail storage address?
Unless you've modified sendmail/postfix/whatever, it will notify the sender
of a failure to deliver to private(_at_)company(_dot_)com via the SMTP reject
message.
OK I see that. Good point.
550 5.1.1 Test1 <private-mailstore-address(_at_)pobox(_dot_)com>... User unknown
We need to modify Sendmail's default behavior, so we don't automatically
generate a DSN with this private address in it.
Also, as Seth points out, pobox.com may send a DSN directly to the Return
Address. We do need SRS, so the DSN comes back to us, and we stop further
bounces until the recipient tells us what has happened to his forwarding
address, which was working at the time we added it to our database.
The forwarding address is exposed for the short time between when it goes
down and when we can remove it from our database. I'm not too worried
about this, but I will be more careful about letting our clients think
their mailstore addresses are really secure.
Private mailstore addresses can be changed very easily if one is
compromised. It's not likely any legitimate sender has it in their address
book. It's also not likely a spammer will make a huge effort trying
millions of addresses, hoping a few are down so he can discover a
forwarding address.
-- Dave
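As an added illustration (not code from the thread or from any SPF/SRS implementation), here is the SRS0 rewriting of the envelope sender that Dave says the forwarder needs: when company.com forwards mail it stamps an HMAC and a day timestamp into the Return Address, so a DSN from the next hop comes back to company.com, which validates and reverses it instead of letting it go to the original sender. The secret, hash length and age limit are constructed values.

```python
import base64, hashlib, hmac, time

# Added example following the SRS0 address layout:
#   SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DAY = 86400
MAX_AGE_DAYS = 21            # constructed: older bounces are refused
HASH_LEN = 4                 # base64 chars of HMAC kept in the address

def _ts_encode(now):
    days = int(now // DAY)                        # 10-bit day counter
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]

def _ts_age_days(ts, now):
    ts = ts.upper()
    stamped = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    return (int(now // DAY) - stamped) % 1024     # future stamps look very old

def _hmac(secret, *parts):
    data = "".join(parts).lower().encode()        # addresses compare case-insensitively
    digest = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(digest)[:HASH_LEN].decode()

def srs_forward(sender, forwarder, secret, now=None):
    """Rewrite the original sender into an SRS0 address at the forwarder."""
    now = time.time() if now is None else now
    local, domain = sender.rsplit("@", 1)
    ts = _ts_encode(now)
    h = _hmac(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address, secret, now=None):
    """Return the original sender for a valid SRS0 bounce recipient, else None."""
    now = time.time() if now is None else now
    local = address.rsplit("@", 1)[0]
    if not local.startswith("SRS0="):
        return None                               # not one of our rewrites
    fields = local[5:].split("=", 3)              # hash, ts, domain, local
    if len(fields) != 4:
        return None
    h, ts, domain, orig_local = fields
    if len(ts) != 2 or not set(ts.upper()) <= set(BASE32):
        return None                               # malformed timestamp
    if not hmac.compare_digest(h, _hmac(secret, ts, domain, orig_local)):
        return None                               # forged or altered
    if _ts_age_days(ts, now) > MAX_AGE_DAYS:
        return None                               # replayed stale bounce
    return f"{orig_local}@{domain}"
```

A bounce addressed to a valid, fresh SRS0 address is the only kind the forwarder should act on; anything else can be refused without revealing where the mail was being forwarded.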
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/