[Mimedefang] Verifying that a server has seen a message (was Re: Unique identifier)

[WBrown at e1b.org]

DFS wrote on 02/20/2009 03:08:06 PM:

> > So, if I substitute a period for the "@" do a DNS query for
> > C71C5F34D3FD4A82861FD18EEF700959.peregrinehw.com, their nameserver
could
> > return a coded response that message did indeed originate from that
server.
> > The Message-ID values would need to be kept for some minimum time
period
> > before being flushed, perhaps seven to ten days.
>
> I'm not sure that Message-IDs can always be converted to legitimate
> DNS names with that transformation.  But anyway, that's a minor problem.

True, might have to insert a psuedo-sub-domain and query something like
C71C5F34D3FD4A82861FD18EEF700959.verify.peregrinehw.com
>
> > 1. Unlike Domain Keys and other crypto-signature systems, requires no
> > central authority.
>
> Yes, but it's also vulnerable to a trivial replay attack.  Fixing that
> is really hard.

OK, so I'm not going to get rich on my anti-spam inventions...  At least
I'm not claiming "Two years from now, spam will be solved."

But just watch, someone will try to market this in the near future and
patent it, and then someone else will implement it and get sued by the
patent holder.... :)

> I would be much more interested in a good way to determine that a DSN
> is in response to a message you've sent (rather than being backscatter
from
> someone faking your address.)  Unfortunately, the information preserved
> in a DSN is unreliable. :-(  You're at the whim of the MTA authors.
>
> (The only foolproof way to do this is to manipulate the envelope
> sender address, and that has all kinds of other down-sides.)

Yeah, tell me about it.  Try whitelisting a mailing list hosted on Lyris.
They use unique senders for each message.  I hate whitelisting domains if I
can avoid it.