
Re: tmda: Challenge-response is fundamentally broken



Mark Brown <broonie@sirena.org.uk> writes:

>> Why cannot the C-R system issue the challenge during the SMTP session
>> (respond with a reject containing the challenge)? With the latest
>> Sobig flood I've begun to consider all list software sending back
>
> The part where SMTP is completely unauthenticated means that this
> doesn't help - the SMTP envelope sender can be forged just as easily as
> the From: inside the message.

*You* don't generate a bounce in this case.  Others might do, but in
the case of Sobig.F and a sizeable chunk of spamming operations, no
bounces at all are sent.


