[2848] in bugtraq


Re: Validating email sender

daemon@ATHENA.MIT.EDU (Squidge)
Sun Jun 30 14:09:37 1996

Date: 	Sun, 30 Jun 1996 18:37:10 +0100
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Squidge <trmatthe@comp.brad.ac.uk>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199606301038.MAA00268@hsdc1l.hallway.com>

On Sun, 30 Jun 1996, Brendan McKenna wrote:
> what is the best way to ensure that the id in the From:, Sender:, or
> Reply-To: is actually the one that sent the message?

G'day. Use a sendmail or smtpd that uses auth (port 113). This allows you
to be pretty certain of who connected to your machine to send the mail.

Of course, it is trivial to send a fake response to an auth query if you
have privileges on the foreign site. The data you get back is only as
valid as you make it.

Sounds like a good use for cryptography. Issue all the users with a
secret key, and get them to encrypt their messages. Use some digital
signature to ensure accountability, and you are sorted.

I'd write some more, but my tea's ready.

Squidge

                                "don't mess"
                             squidge - The Guild
                          trmatthe@comp.brad.ac.uk
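
The port-113 auth (ident, RFC 1413) check mentioned in this message, as an added example that is not part of the original post: it parses an ident reply and compares the claimed user with the From: local part. The function names, verdict strings and sample reply lines are constructed for illustration, and the comparison assumes the login name equals the mailbox name.

```python
import re
from email.utils import parseaddr

# RFC 1413 reply: "<port-on-server> , <port-on-client> : <type> : <add-info>"
_REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")

def parse_ident_reply(line):
    """Parse one ident reply line; return a dict, or None if malformed."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        return None
    reply = {"ports": (int(m.group(1)), int(m.group(2))), "type": m.group(3)}
    rest = m.group(4)
    if reply["type"] == "ERROR":
        reply["error"] = rest.strip()
        return reply
    opsys, sep, user = rest.partition(":")
    if not sep:
        return None
    # opsys may carry ", charset"; blanks around user-id are dropped (simplification)
    reply["opsys"] = opsys.split(",")[0].strip()
    reply["user"] = user.strip()
    return reply

def assess_sender(from_header, reply_line, remote_port, local_port=25):
    """Compare the From: local part with what the remote ident daemon claims."""
    reply = parse_ident_reply(reply_line)
    if reply is None or reply["ports"] != (remote_port, local_port):
        return "no-evidence"      # malformed, or about a different connection
    if reply["type"] == "ERROR" or reply["opsys"] == "OTHER":
        return "no-evidence"      # OTHER: user-id is not a plain login name
    local_part = parseaddr(from_header)[1].partition("@")[0]
    if reply["user"] != local_part:
        return "mismatch"
    # Still only a claim: whoever administers the remote host controls this answer.
    return "claimed-match"

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    for line in ("6193, 25 : USERID : UNIX : trmatthe",
                 "6193, 25 : ERROR : HIDDEN-USER"):
        print(assess_sender("Squidge <trmatthe@comp.brad.ac.uk>", line, 6193))
```

The best verdict is deliberately named "claimed-match": it records what the remote host asserted and is suitable for logging next to the Received: information, not for authorising anything.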
