Ian Eiloart wrote:
>
>--On 8 June 2006 13:40:03 -0500 Brad Knowles <brad at stop.mail-abuse.org>
>wrote:
>>
>> Using a per-sender password for the same mechanism will prevent the
>> spoofing,
>
>Only if you ensure that the entire email transmission chain is encrypted.
>That's only possible if you know the sender is on-site (on your campus, in
>your company, whatever). If that's true, then you can rely on authenticated
>SMTP anyway.

This thread has probably been flogged to death already, and my initial deletion of this post was probably the correct decision rather than now resurrecting it from the archive for this reply, but I just want to add from the point of view of an interested observer, that I think we all know that sending the list password in a header of an unencrypted message is not very secure, and neither will this be secure against some kinds of attacks, but at least this proposal potentially exposes a less powerful password.

David is only trying to address a very limited kind of attack. He has multiple lists each with multiple authorized posters (but still a tiny fraction of the list membership - these are basically announcement lists). He is trying to protect the list from a list member's determining by observation who the authorized posters are and spoofing one of those addresses to mail to the list. This is a situation that has occurred for him (at least twice, I think he said).

If this were one list with one or two authorized posters, he could moderate everyone, and the authorized poster could use the Approved: header to post, but this is too cumbersome in his environment unless he made all the list passwords the same which is neither practical nor wise.

So, he wants to extend the existing method to one which allows the authorized posters to post with a personal password. We all know that this is not secure against all attacks, but David feels that it will be good enough for his situation.

--
Mark Sapiro <[EMAIL PROTECTED]>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
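
The per-poster check discussed in this thread, sketched as an added example that is not Mailman code and not from any poster here: a post is accepted only when the Approved: header carries the personal password of the address in From:. The function names, addresses, passwords and salt are all constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SALT = b"constructed-salt"  # constructed; a real store would salt per poster

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed table: each authorized poster has a personal posting password,
# so a leaked header exposes one poster's secret, not the list password.
POSTER_HASHES = {
    "alice@example.org": _hash("alice-secret"),
    "bob@example.org": _hash("bob-secret"),
}
_DUMMY = _hash("no-such-poster")  # compared against for unknown senders

def check_post(raw: str):
    """Return (accepted, message); the Approved: header is always removed."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    supplied = (msg.get("Approved") or "").strip()
    del msg["Approved"]  # the password must never be relayed to subscribers
    # Always hash and compare, so timing does not reveal who may post.
    expected = POSTER_HASHES.get(sender, _DUMMY)
    matches = hmac.compare_digest(_hash(supplied), expected)
    return (sender in POSTER_HASHES and matches), msg

def build(sender: str, approved=None) -> str:
    """Constructed sample message for the cases below."""
    headers = [f"From: {sender}", "Subject: Announcement"]
    if approved is not None:
        headers.append(f"Approved: {approved}")
    return "\n".join(headers) + "\n\nBody text.\n"

if __name__ == "__main__":
    cases = {
        "legitimate post": build("Alice <alice@example.org>", "alice-secret"),
        "spoofed From, no password": build("alice@example.org"),
        "spoofed From, another poster's password":
            build("alice@example.org", "bob-secret"),
        "ordinary member": build("carol@example.org", "guess"),
    }
    for label, raw in cases.items():
        print(f"{label}: accepted={check_post(raw)[0]}")
```

As Ian's quoted reply points out, the header still travels in cleartext unless every hop is encrypted, so this only addresses the observe-and-spoof case described above.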
