[Mimedefang] Verifying that a server has seen a message (was Re: Unique identifier)

WBrown at e1b.org WBrown at e1b.org
Fri Feb 20 15:33:33 EST 2009

DFS wrote on 02/20/2009 03:08:06 PM:

> > So, if I substitute a period for the "@" do a DNS query for
> > C71C5F34D3FD4A82861FD18EEF700959.peregrinehw.com, their nameserver
> > return a coded response that message did indeed originate from that
> > The Message-ID values would need to be kept for some minimum time
> > before being flushed, perhaps seven to ten days.
> I'm not sure that Message-IDs can always be converted to legitimate
> DNS names with that transformation.  But anyway, that's a minor problem.

True, might have to insert a psuedo-sub-domain and query something like
> > 1. Unlike Domain Keys and other crypto-signature systems, requires no
> > central authority.
> Yes, but it's also vulnerable to a trivial replay attack.  Fixing that
> is really hard.

OK, so I'm not going to get rich on my anti-spam inventions...  At least
I'm not claiming "Two years from now, spam will be solved."

But just watch, someone will try to market this in the near future and
patent it, and then someone else will implement it and get sued by the
patent holder.... :)

> I would be much more interested in a good way to determine that a DSN
> is in response to a message you've sent (rather than being backscatter
> someone faking your address.)  Unfortunately, the information preserved
> in a DSN is unreliable. :-(  You're at the whim of the MTA authors.
> (The only foolproof way to do this is to manipulate the envelope
> sender address, and that has all kinds of other down-sides.)

Yeah, tell me about it.  Try whitelisting a mailing list hosted on Lyris.
They use unique senders for each message.  I hate whitelisting domains if I
can avoid it.

More information about the MIMEDefang mailing list