[Mimedefang] Verifying that a server has seen a message (was Re: Unique identifier)
David F. Skoll
dfs at roaringpenguin.com
Fri Feb 20 15:08:06 EST 2009
xWBrown at e1b.org wrote:
> Message-ID: <C71C5F34D3FD4A82861FD18EEF700959 at peregrinehw.com>
> So, if I substitute a period for the "@" and do a DNS query for
> C71C5F34D3FD4A82861FD18EEF700959.peregrinehw.com, their nameserver could
> return a coded response that the message did indeed originate from that server.
> The Message-ID values would need to be kept for some minimum time period
> before being flushed, perhaps seven to ten days.
I'm not sure that Message-IDs can always be converted to legitimate
DNS names with that transformation. But anyway, that's a minor problem.
> 1. Unlike Domain Keys and other crypto-signature systems, requires no
> central authority.
Yes, but it's also vulnerable to a trivial replay attack. Fixing that
is really hard.
I would be much more interested in a good way to determine that a DSN
is in response to a message you've sent (rather than being backscatter from
someone faking your address.) Unfortunately, the information preserved
in a DSN is unreliable. :-( You're at the whim of the MTA authors.
(The only foolproof way to do this is to manipulate the envelope
sender address, and that has all kinds of other down-sides.)
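
The envelope-sender approach mentioned in the last paragraph, as an added example (not code from this post or from MIMEDefang): outgoing mail gets a keyed, dated tag in its envelope sender, and a DSN is accepted only if its recipient address carries a valid, unexpired tag. The `sig=` address format, the key, the function names and the 7-day window are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real site keeps this secret and rotates it
MAX_AGE_DAYS = 7               # assumption: DSNs arriving later than this are refused


def _tag(local, domain, day):
    """Keyed tag over the day stamp and the original sender address."""
    msg = f"{day:03d}{local}@{domain}".lower().encode()
    return hmac.new(KEY, msg, hashlib.sha1).hexdigest()[:8]


def sign_sender(addr, today):
    """Rewrite an envelope sender as sig=<day><tag>=local@domain.

    `today` is a day counter (days since the epoch); only its last three
    digits are stored, as a rolling stamp.
    """
    local, domain = addr.rsplit("@", 1)
    day = today % 1000
    return f"sig={day:03d}{_tag(local, domain, day)}={local}@{domain}"


def check_bounce_rcpt(rcpt, today):
    """Return the original address if a DSN recipient carries a valid,
    unexpired tag, else None (untagged, forged, malformed or too old)."""
    if not rcpt.lower().startswith("sig="):
        return None  # DSN to an untagged address: we never sent this
    try:
        stamp, rest = rcpt[4:].split("=", 1)
        local, domain = rest.rsplit("@", 1)
        day = int(stamp[:3])
    except ValueError:
        return None
    # Rolling age; a stamp from "the future" wraps to a large age and fails.
    if (today - day) % 1000 > MAX_AGE_DAYS:
        return None
    expected = _tag(local, domain, day).encode()
    if not hmac.compare_digest(stamp[3:].encode(), expected):
        return None
    # A captured tag stays reusable until it expires; the window only
    # bounds that exposure, it does not remove it.
    return f"{local}@{domain}"
```
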