[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#207300: tmda: Challenge-response is fundamentally broken

On Fri, Aug 29, 2003 at 03:48:13PM +1000, Craig Sanders wrote:
> the point that you keep on missing is that TMDA and similar programs send
> "confirmation" emails to innocent third-parties who did *NOT* send an email.
> TMDA and all C-R systems are broken-by-design, just as many stupid end-user
> "autoresponders" and AV-scanners that send notifications back to the forged
> sender address are broken-by-design.

You saying that any SMTP MTA that sends bounces to unauthenticated
E-Mail addresses is also broken?

That is the idea behind autorespoonders after all, to tell the sender
that his mail didn't get through because it didn't meet some required

The other option which many people seem to want is to discard the E-Mail
without giving either party any indication of what happened.

E-Mail that looks suspicious can be valid mail at times, for instance
somebody I knew tried to send a ZIP file that happened to be executable
via E-Mail.

Do you simply discard such E-Mails (which gives no indication that
something went wrong), or do you try to contact the sender to indicate
that something went wrong?

The problem is that I see no easy way to fix this problem to the large
scale required on the Internet while keeping store-and-forward "feature"
of SMTP.

One approach for instance would be to modify the SMTP standard, and say
if a host accepts the E-Mail then it is guaranteed to get it to the
destination (ie. it signal OK until the message has been delivered),
but that would break store-and-forward capabilities of secondary mail

Even encryption does not help here, or at least I have not seen any
proposals for any system that could scale to the Internet. GPG for
instance only verifies the sender to the receiver, it could not be used
to verify every sender to the MTAs involved.
Brian May <bam@debian.org>

Reply to: