1996-12-28 - Re: Forged addresses

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: d730854379c973425cdd5fe5f9f3eecb8bc89c23f73deb067d50647a145e6d59
Message ID: <v03007874aeea318a8b0e@[139.167.130.248]>
Reply To: N/A
UTC Datetime: 1996-12-28 02:28:32 UTC
Raw Date: Fri, 27 Dec 1996 18:28:32 -0800 (PST)

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Fri, 27 Dec 1996 18:28:32 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Forged addresses
Message-ID: <v03007874aeea318a8b0e@[139.167.130.248]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


Date: Fri, 27 Dec 1996 15:46:18 -0800
From: Chuq Von Rospach <chuqui@plaidworks.com>
Subject: Re: Forged addresses
To: listmom-talk@skyweyr.com
Mime-Version: 1.0
Precedence: Bulk
Reply-To: listmom-talk@skyweyr.com

At 2:20 AM -0800 12/27/96, Joshua D. Baer wrote:

>What I was concerned about was when I was sending a message with a From
>address of shaddar+@cmu.edu but a Sender of josh@grinch.res.cmu.edu and with
>an outgoing mail server of skyweyr.com.  I think from your later comments
>that this would still be OK, wouldn't it?

Hmm. (rubbing forehead. God, it's been a long 24 hours...). Hmm. My gut
feel is the answer is "maybe". If someone's attempting to post a
message to a list, I'd have no trouble accepting it if either the From
or Sender matches a known subscriber. That'd be reasonable. I'm not
particularly worried about the mail server in that case. If we end up
with someone forging mail in someone else's name, we deal with it when
it happens and can probably backtrack or otherwise limit it.

If they're trying to subscribe to a list, I have a problem with this,
because the person admits they're subscribing an address not from who
they say they are. I'd want validation of this in some way before
trusting it.

This is where the mailback subscription verification starts becoming
more important. Once a person has verified they want on the list, I can
relax a lot more about hard-core validation. It's verifying the address
being subscribed wants to be subscribed that's the nasty piece.

I spent most of last night cleaning up after the spammers, and a good
chunk of this morning. I also rewrote my cgi's to close a bunch of the
loopholes and add a few toys to see if they'd trip, and in a couple of
hours, the spammer did, so I now know where he's coming from and how
they're doing it (he's spoofing through the ANONYMIZER on top of
everything else...) -- and left a little reminder there, so he now
knows I know. Heh.

And I'm in process of closing the loopholes further. Not what I'd
planned on doing, but obviously, it can't wait any longer. It's not
that they can't be closed to a great degree, only that until this last
round, it wasn't really needed. One idiot screwing it up for a lot of
folks...


--
           Chuq Von Rospach (chuq@solutions.apple.com) Software Gnome
       Apple Server Marketing Webmaster <http://www.solutions.apple.com/>

 Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
   (<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)

I got no name or number/ I just hand out the lumber.
But if I get a chance to play/ I'm going to show 'em.
		-- Stick Boy (The Hanson Brothers, SUDDEN DEATH)

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox,
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/
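
The two rules described in the forwarded message (accept a post when either From or Sender matches a known subscriber; require a mailback confirmation from the address being subscribed), as an added example that is not part of the original message or of any list software it mentions. The HMAC token scheme, the function names, the secret, the expiry period and the example.org addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from email import message_from_string
from email.utils import getaddresses

SECRET = b"constructed-demo-key"   # assumption: per-list server-side secret
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmations expire after 3 days

def header_addresses(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def may_post(raw_message, subscribers):
    """Posting rule: From OR Sender matches a known subscriber."""
    msg = message_from_string(raw_message)
    return bool(header_addresses(msg, "From", "Sender") & subscribers)

def _mac(address, list_name, ts):
    data = f"{list_name}|{address.lower()}|{ts}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def make_token(address, list_name, now=None):
    """Token mailed TO the address being subscribed, never to the requester."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(address, list_name, ts)}"

def confirm(address, list_name, token, now=None):
    """True only if the token was issued for this address and list and is fresh."""
    ts, _, mac = token.partition(".")
    if not (ts.isascii() and ts.isdigit()):
        return False
    now = time.time() if now is None else now
    fresh = 0 <= now - int(ts) <= TOKEN_TTL
    expected = _mac(address, list_name, ts)
    # Constant-time comparison; bytes so odd input cannot raise TypeError.
    return fresh and hmac.compare_digest(mac.encode(), expected.encode())

# Constructed sample: the From address is not subscribed, the Sender is.
SAMPLE = (
    "From: Alias <alias@example.org>\n"
    "Sender: real@host.example.org\n"
    "Subject: test\n\nbody\n"
)
SUBSCRIBERS = {"real@host.example.org"}
```

Because the token is bound to the subscribed address and only ever mailed to that address, a requester who forges From or Sender on a subscribe request never sees it and cannot complete the subscription.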






