[Mimedefang] Verifying that a server has seen a message (was Re: Unique identifier)

David F. Skoll dfs at roaringpenguin.com
Fri Feb 20 15:08:06 EST 2009

xWBrown at e1b.org wrote:

> Message-ID: <C71C5F34D3FD4A82861FD18EEF700959 at peregrinehw.com>

> So, if I substitute a period for the "@" do a DNS query for
> C71C5F34D3FD4A82861FD18EEF700959.peregrinehw.com, their nameserver could
> return a coded response that message did indeed originate from that server.
> The Message-ID values would need to be kept for some minimum time period
> before being flushed, perhaps seven to ten days.

I'm not sure that Message-IDs can always be converted to legitimate
DNS names with that transformation.  But anyway, that's a minor problem.

> 1. Unlike Domain Keys and other crypto-signature systems, requires no
> central authority.

Yes, but it's also vulnerable to a trivial replay attack.  Fixing that
is really hard.

I would be much more interested in a good way to determine that a DSN
is in response to a message you've sent (rather than being backscatter from
someone faking your address.)  Unfortunately, the information preserved
in a DSN is unreliable. :-(  You're at the whim of the MTA authors.

(The only foolproof way to do this is to manipulate the envelope
sender address, and that has all kinds of other down-sides.)



More information about the MIMEDefang mailing list