Re: tmda: Challenge-response is fundamentally broken
On Wed, Aug 27, 2003 at 01:35:12PM +0200, Tore Anderson wrote:
> with is that the C-R system in question ignores the fact that SMTP
> headers are trivially (and regularly) forged. I believe this is deliberate,
> and that TMDA does not attempt to verify that the recipient of the
> challenge truly was the sender of the original e-mail. (If it did, I
> would have no problem with it at all.)
You do realise that all parts of SMTP are generally completely
unauthenticated and can be trivially forged? A system like this has no
option but to work with unauthenticated data.
--
"You grabbed my hand and we fell into it, like a daydream - or a fever."