
Re: Bug#207300: tmda: Challenge-response is fundamentally broken



On Thu, Aug 28, 2003 at 12:35:25PM +0100, Karsten M. Self wrote:
> #2, Misplaced burden, is the reason for the 'grave' severity.

People have a right to ask that unknown people that e-mail them confirm the
e-mail.  I'm sorry you don't agree with this, but your opinion is hardly
justification for a grave bug.

>   - TMDA should carry a warning to the user about possible consequences
>     of activating the C-R mechanism, including sending spam, risking
>     blacklisting or registration in spam-reduction services such as
>     SpamCop, and a likelihood that some, and perhaps a majority of
>     challenges will not be responded to.  The warning should require the
>     user to assume full responsibility for doing so.

Sorry, but no.  I will not do this.  The user presumably knows what he is
installing.

>   - Configuration templates for C-R challenges _must_ incorporate virus
>     and spam filtering, _prior_ to issuing a C-R challenge.  Preferably,
>     tests against obvious header spoofing, if possible, should be
>     performed.  Debian tmda packages _must_ depend on corresponding spam
>     and virus filters, if this functionality isn't built into TMDA.
> 
>   - Additional strong validation mechanisms, including RFC 2015 PGP
>     signed mail and S/MIME signatures, _must_ be used to validate
>     sender, including use of web of trust to identify a reasonable
>     probability of trusted user status.
> 
>   - If possible, TMDA should be moved to SMTP-time filtering, so that
>     mail rejection occurs at SMTP time.  As SMTP doesn't offer a
>     protocol for challenge-response, this introduces interesting
>     challenges for TMDA's developers.
> 
>   - TMDA's performance _must_ be independently validated and the target
>     maximum of 2% challenges to spoofed addresses be confirmed.
> 
> 
> 
> I'm not going to pretend that these are easy fixes.  I'm not a user of
> this package.  I _am_ negatively impacted by it, however, and if it
> continues to display similarly poor consideration of security, abuse,
> and adverse side effects, I fear for Debian, SPI, and the generosity of
> our sponsors.  I do feel the remedies are necessary and advised.  They
> should be communicated upstream, naturally.

I suggest you take these suggestions to the TMDA worker's mailing list at 
tmda.net, and file wishlist bugs against TMDA for each desired feature.

--Adam

-- 
Adam McKenna  <adam@debian.org>  <adam@flounder.net>


