
Re: tmda: Challenge-response is fundamentally broken



Mark Brown <broonie@sirena.org.uk> writes:
> You do realise that all parts of SMTP are generally completely
> unauthenticated and can be trivially forged?  A system like this has no
> option but to work with unauthenticated data.

Why cannot the C-R system issue the challenge during the SMTP session
(respond with a reject containing the challenge)? With the latest
Sobig flood I've begun to consider all list software sending back
"your message is waiting for moderation" messages broken, let alone a
software package designed to reduce SPAM (or virus checkers responding
to a completely wrong person warning about infected system). And yes,
I'm actually considering filing grave bugs against each such list
software package (I'm willing to live with such behaviour being
optional with the default being no response, if the documentation says
"beware SPAM worms if you enable autoresponse").

-- 
*  Outside of a dog, a book is man's best friend. Inside of a dog, it's   *
*                    too dark to read. (Groucho Marx)                     *
*           PGP public key available @ http://www.iki.fi/killer           *
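As an added illustration of the in-session reject proposed above (example code written for this archive page, not code from the thread or from TMDA), the toy SMTP server below returns the challenge in the end-of-DATA reply instead of accepting the message and mailing a challenge to the envelope sender. It assumes a hypothetical HMAC-derived challenge code, a constructed set of confirmed senders, and a constructed secret; the `in_session=False` path models the backscatter behaviour the post objects to.

```python
import hashlib, hmac, re

SECRET = b"constructed-demo-key"      # constructed; a real deployment uses a site secret
CONFIRMED = {"friend@example.org"}    # constructed set of already-confirmed senders

def challenge_code(sender):
    """Challenge tied to the envelope sender via HMAC (hypothetical scheme, not TMDA's)."""
    return hmac.new(SECRET, sender.lower().encode(), hashlib.sha256).hexdigest()[:12]

def handle_session(commands, in_session=True):
    """Feed client SMTP commands to a toy server; return its replies plus any
    challenge mails it would send afterwards.  in_session=True puts the challenge
    in the end-of-DATA reply, so nothing is mailed to the possibly forged sender;
    in_session=False accepts first and mails a challenge, i.e. backscatter."""
    replies = ["220 mx.example.net ESMTP (constructed demo)"]
    outbound = []                      # challenge mails generated after acceptance
    sender, in_data = None, False
    for cmd in commands:
        if in_data:                    # body lines: look for a valid answer to the challenge
            if cmd != ".":
                t = re.search(r"\[CR:([0-9a-f]{12})\]", cmd)
                if t and t.group(1) == challenge_code(sender):
                    CONFIRMED.add(sender)      # sender answered the challenge correctly
                continue
            in_data = False
            if sender in CONFIRMED:
                replies.append("250 2.0.0 OK: message accepted")
            elif in_session:
                replies.append("550 5.7.1 Sender not confirmed; resend with "
                               f"[CR:{challenge_code(sender)}] in the Subject")
            else:
                replies.append("250 2.0.0 OK: queued pending confirmation")
                outbound.append({"to": sender, "code": challenge_code(sender)})
            continue
        m = re.match(r"MAIL FROM:<([^>]*)>", cmd, re.I)
        if m:
            sender = m.group(1).lower()
            replies.append("250 2.1.0 OK")
        elif cmd.upper().startswith(("HELO", "EHLO")):
            replies.append("250 mx.example.net")
        elif cmd.upper().startswith("RCPT TO:"):
            replies.append("250 2.1.5 OK")
        elif cmd.upper() == "DATA" and sender is not None:
            replies.append("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif cmd.upper() == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("503 5.5.1 Bad sequence or unknown command")
    return {"replies": replies, "outbound": outbound}
```

With the in-session variant the 550 text reaches the real submitter through their own MTA's non-delivery report, while a forged envelope address never receives anything.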


