yahoo to use public key technology for anti-spam
Sidney Markowitz
sidney at sidney.com
Sun Dec 7 15:33:18 EST 2003

Victor.Duchovni at morganstanley.com wrote:
> To avoid replay attacks one needs to
> sign a string that is tied to a
> specific message or time period

I agree. Even time period and message content aren't good enough: Let's
say that the outgoing SMTP mailer at example.com is trusted. Spammer
gets an account at example.com, sends themselves one message, then
immediately copies the signature into forged headers for their spam that
is sent out through whatever open relays or compromised machines they
are using. The only way that the mail can be trusted is if it is being
received directly from the example.com SMTP server. If there is any
relaying, there is nothing that remains true and constant to sign.

But that is the situation we have today: My ISP's server can choose to
refuse to accept connections from servers that are on a blacklist of
open relays and spammers, and can, in theory, have a list of known good
servers who authenticate their clients. If all the new header does is
verify the sending mail server, that is done just as well by verifying
the IP address at the time of connection.

-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List
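
The replay described in the post above, as an added example that is not part of the original message: a receiver checks a signed header using only the sender's public key, first with the signature covering domain and time period, then with the body hash included. The key is unpadded toy RSA built for this example, and every name, address and field layout here is an assumption, not the Yahoo proposal.

```python
import hashlib

# Toy textbook RSA key for example.com's mailer: constructed for this example,
# unpadded and far too small for real use. Both primes are Mersenne primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the mailer

def _digest(fields):
    data = "\n".join(fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def signed_fields(domain, window, body, bind_body):
    fields = [domain, window]
    if bind_body:  # also tie the signature to the message content
        fields.append(hashlib.sha256(body.encode()).hexdigest())
    return fields

def mailer_sign(domain, window, body, bind_body):
    """example.com's outgoing mailer signs mail from any of its customers."""
    return pow(_digest(signed_fields(domain, window, body, bind_body)), D, N)

def receiver_accepts(msg, peer_ip, bind_body):
    """Header check using only the public key (N, E).
    peer_ip is never consulted: no signed field names the connecting host."""
    fields = signed_fields(msg["domain"], msg["window"], msg["body"], bind_body)
    return pow(msg["sig"], E, N) == _digest(fields)

def replay_demo():
    dom, win = "example.com", "2003-12-07T15"   # constructed values
    relay = "203.0.113.9"                        # constructed open-relay address
    note, spam = "note to self", "constructed spam body"
    # Signature over domain + time period only: the one signature the customer
    # received on a note to themselves verifies on any body in that hour.
    sig = mailer_sign(dom, win, note, bind_body=False)
    forged = {"domain": dom, "window": win, "body": spam, "sig": sig}
    time_only = receiver_accepts(forged, relay, bind_body=False)
    # Body bound too: the copied signature no longer fits a different body...
    sig = mailer_sign(dom, win, note, bind_body=True)
    forged = {"domain": dom, "window": win, "body": spam, "sig": sig}
    other_body = receiver_accepts(forged, relay, bind_body=True)
    # ...but if the message sent to themselves was the spam, a verbatim copy
    # delivered by the relay still verifies.
    sig = mailer_sign(dom, win, spam, bind_body=True)
    replayed = {"domain": dom, "window": win, "body": spam, "sig": sig}
    verbatim = receiver_accepts(replayed, relay, bind_body=True)
    return time_only, other_body, verbatim
```

`replay_demo()` returns `(True, False, True)`: the header check passes or fails identically whichever host delivers the message, so a receiver that cares about the delivering server has to check the connection itself.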