nanog mailing list archives
Re: Time to check the rate limits on your mail servers
From: "Edward B. Dreger" <eddy+public+spam () noc everquick net>
Date: Sat, 5 Feb 2005 17:48:14 +0000 (GMT)
TV> Date: Fri, 4 Feb 2005 09:53:07 -0500 (EST)
TV> From: Todd Vierling

TV> The only way to be sure is via cryptographic signature. Barring that level

False. You imply that a crypto signature is a perfect guarantee, and that nothing else can provide equal assurance.

TV> of immediate traceability, SPF provides a very useful data point to that
TV> end (as its *only* purpose is curbing forgery).

SPF says "mail from this domain should only come from these MXes". It doesn't stop someone from forging a random @domain.tld address from an SPF-blessed Everquick MX.

Now, let's say it's known that Everquick MXes authenticate users and only allow whitelisted "From: " email addresses.

Step 1: SPF [or similar/better] confirms that the MX is allowed to send email on behalf of the claimed sender address. Discard message if it comes from a bogus MX.

Step 2: The MX confirms that the user was authorized to use the claimed sender address. The message would never have been transmitted had the user not authenticated with the trusted MX.

Please explain how the "trust chain" does not verify the sending user. "Malware will steal username/password" is not a valid answer, as the same can apply equally to crypto keys.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc () brics com -*- jfconmaapaq () intc net -*- sam () everquick net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
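
Added example, not part of the original post: a small Python model of the two-step check the message above describes, showing where a forged same-domain sender is caught. The domain, IP range, logins, function names and the ip4-only SPF evaluation are assumptions made for illustration, and one address stands in for both the envelope sender and the "From: " header.

```python
import ipaddress

# Constructed sample data (assumptions, not from the post).
SPF_RECORDS = {"example.net": "v=spf1 ip4:192.0.2.0/28 -all"}
# Sending MX policy: authenticated login -> sender addresses it may use.
ALLOWED_SENDERS = {
    "alice": {"alice@example.net"},
    "bob": {"bob@example.net", "sales@example.net"},
}

def spf_permits(domain, client_ip):
    """Step 1, receiver side. Handles only ip4: mechanisms; None = no policy."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    ip = ipaddress.ip_address(client_ip)
    return any(
        term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False)
        for term in record.split()[1:]
    )

def mx_accepts_submission(auth_user, sender):
    """Step 2, sending MX: the login must be whitelisted for this sender."""
    return sender.lower() in ALLOWED_SENDERS.get(auth_user, set())

def chain_verdict(auth_user, sender, client_ip, mx_enforces_senders=True):
    """Run the MX's submission check, then the receiver's SPF check."""
    if mx_enforces_senders and not mx_accepts_submission(auth_user, sender):
        return "rejected-at-submission"
    spf = spf_permits(sender.rsplit("@", 1)[-1].lower(), client_ip)
    if spf is None:
        return "no-spf-policy"
    return "accepted" if spf else "discarded-by-receiver"

if __name__ == "__main__":
    cases = [  # (login, claimed sender, connecting IP, MX enforces step 2?)
        ("alice", "alice@example.net", "192.0.2.5", True),
        ("alice", "bob@example.net", "192.0.2.5", True),
        ("alice", "bob@example.net", "192.0.2.5", False),
        ("alice", "alice@example.net", "198.51.100.9", True),
    ]
    for case in cases:
        print(case, "->", chain_verdict(*case))
```

The third case is the gap the post points out: with SPF alone, a blessed MX that does not tie logins to sender addresses still passes a forged same-domain sender.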