1997-12-02 - Re: Pasting in From:

Header Data

From: Andy Dustman <andy@neptune.chem.uga.edu>
To: Charlie Comsec <comsec@nym.alias.net>
Message Hash: f1fd2a11badb985e367642497067efaacdb282523197e9fed54e824b4d4932fd
Message ID: <Pine.LNX.3.94.971202120543.6085Z-100000@neptune.chem.uga.edu>
Reply To: <19971202170009.20761.qmail@nym.alias.net>
UTC Datetime: 1997-12-02 17:27:18 UTC
Raw Date: Wed, 3 Dec 1997 01:27:18 +0800

Raw message

From: Andy Dustman <andy@neptune.chem.uga.edu>
Date: Wed, 3 Dec 1997 01:27:18 +0800
To: Charlie Comsec <comsec@nym.alias.net>
Subject: Re: Pasting in From:
In-Reply-To: <19971202170009.20761.qmail@nym.alias.net>
Message-ID: <Pine.LNX.3.94.971202120543.6085Z-100000@neptune.chem.uga.edu>
MIME-Version: 1.0
Content-Type: text/plain



On 2 Dec 1997, Charlie Comsec wrote:

> As long as blocking requests are authenticated with some sort of "cookie"
> token scheme, that would be acceptable.  That goes for INDIVIDUAL blocking
> requests.

I used to require that people reply to a confirmation message before I
would block them, but it was really too much effort. I check the headers,
and as long as it looks like the request came from them, I block them and
send them a message that they are blocked, so at least if it's a spoofed
request, they will know they have been spoofed.

>  Somewhat more discretion ought to be used for requests to block
> an entire domain. That should probably only be done upon request from the
> "postmaster" at that domain, and when an entire domain is blocked,

I do exactly that, or require a request from the InterNIC-listed contact.

> The problem with eliminating any feature that gets abused is that it's an open
> invitation for someone to deliberately abuse it just to get it eliminated.
> Whenever possible, a solution should be sought which eliminates abuse while still
> allowing legitimate use.

Agreed, and I think I've worked out a reasonable compromise, because even
if you do try to forge somebody, it should scream, "Hey, you should be
suspicious about where this really came from."

Andy Dustman / Computational Center for Molecular Structure and Design
For a great anti-spam procmail recipe, send me mail with subject "spam".
Append "+spamsucks" to my username to ensure delivery.  KeyID=0xC72F3F1D
Encryption is too important to leave to the government. -- Bruce Schneier
http://www.athens.net/~dustman mailto:andy@neptune.chem.uga.edu   <}+++<
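
The "cookie" confirmation scheme discussed in this message, sketched as an added example that is not part of the original post or any remailer's actual code: the operator mails a keyed token to the address named in a block request and acts only when that token comes back. The secret, the lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed operator secret for the example; a real deployment would load
# a random key from protected storage.
SECRET = b"constructed-example-key"
TTL = 7 * 24 * 3600  # seconds a confirmation cookie stays valid (assumed)


def _norm(address):
    return address.strip().lower()


def make_cookie(address, now=None):
    """Cookie mailed to `address`; only a reader of that mailbox can return it."""
    issued = int(time.time() if now is None else now)
    msg = f"{_norm(address)}|{issued}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{tag}"


def verify_cookie(address, cookie, now=None):
    """True only if the cookie was issued for this address and has not expired."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, tag = cookie.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False  # malformed cookie
    if not 0 <= now - issued <= TTL:
        return False  # expired, or timestamp from the future
    msg = f"{_norm(address)}|{issued}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())


def handle_block_request(address, cookie, blocklist, now=None):
    """Return the action taken: 'challenge', 'blocked' or 'rejected'."""
    if cookie is None:
        return "challenge"  # mail make_cookie(address) to the address itself
    if verify_cookie(address, cookie, now):
        blocklist.add(_norm(address))
        return "blocked"
    return "rejected"  # forged From: header without the matching cookie
```

Because the token is derived from the address and an issue time, the operator keeps no per-request state, and a request with a forged From: header stops at the challenge step.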





