On Thu, Jul 30, 2009 at 12:33:17AM -0400 I heard the voice of Charles Sprickman, and lo! it spake thus:
>
> Is there any good way to block this crap without breaking things?

Well, I'd feel pretty safe in saying "absolutely not". You'll probably always break _something_. Just insisting peers actually speak correct SMTP breaks stuff :)

Theoretically, a system like DKIM could be used. Even if you can't use it with assurance on random incoming mail, if you know that YOU always sign messages with it, you can use it to verify messages claiming to come from you. However, you still eat all the potential blows from it (see <http://en.wikipedia.org/wiki/DKIM#Weaknesses> for a few).

Leaving aside off-the-shelf and wandering more into the theoretical, what you're actually trying to verify is that the incoming mail claiming to be from an address you [believe you] control actually does come from that address. Or, more likely, the slightly weaker assertion that incoming mail claiming to be from a domain you [believe] runs through this server actually came through this server. This is complicated slightly by the fact that there's no persistent reliable identifier for 'this email'.

But that aside, there are two basic divisions on that: we can store state on the server describing things, or have the mail entirely self-describe. DKIM (and related systems) are an attempt at the latter, and so have some limitations (as mentioned above) that seem nearly inherent in that sort of attempt. Storing state on the server probably requires also sticking stuff in the message (since otherwise you don't have a reliable id), and requires a fair bit of engineering to handle questions of data retention and blah blah blah. And any system would require a good hunk of thought to avoid things like replay attacks.

Or, you could skip to the end of this mail, where I say "It's kinda hard" 8-}

-- 
Matthew Fuller (MF4839) | fulle...@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
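The "sign everything we send, then demand our own signature on anything that claims to be from us" policy described in the reply above, as an added example in Go that is not part of the original thread. It uses ed25519 (one of the signature algorithms DKIM allows, RFC 8463) to sign a relaxed-style canonicalization of a few headers plus a body hash. Everything concrete here is assumed for illustration: the header name "x-sig" stands in for DKIM-Signature, the domain is "example.net", the sample message is constructed, and the DNS key lookup a real verifier performs is left out. The last case shows the replay weakness the reply points at: a verbatim copy of a legitimately signed message still verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal parsed mail: headers keyed by lowercased name, plus body.
type Message struct {
	Headers map[string]string
	Body    string
}

// signedFields are the headers the signature covers; anything not listed can
// be rewritten in transit without invalidating the signature.
var signedFields = []string{"from", "to", "subject", "date", "message-id"}

// canon builds the bytes that get signed: lowercase header names with whitespace
// runs collapsed, then a SHA-256 hash of the body with trailing CRLFs normalized.
func canon(m Message) []byte {
	var b strings.Builder
	for _, f := range signedFields {
		fmt.Fprintf(&b, "%s:%s\r\n", f, strings.Join(strings.Fields(m.Headers[f]), " "))
	}
	bh := sha256.Sum256([]byte(strings.TrimRight(m.Body, "\r\n") + "\r\n"))
	b.WriteString("bh:" + base64.StdEncoding.EncodeToString(bh[:]))
	return []byte(b.String())
}

func clone(m Message) Message {
	h := make(map[string]string, len(m.Headers))
	for k, v := range m.Headers {
		h[k] = v
	}
	return Message{Headers: h, Body: m.Body}
}

// Sign returns a copy of m carrying a hypothetical "x-sig" header (assumed name,
// standing in for DKIM-Signature): the base64 ed25519 signature over canon(m).
func Sign(m Message, priv ed25519.PrivateKey) Message {
	out := clone(m)
	out.Headers["x-sig"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canon(m)))
	return out
}

// Verify checks x-sig against our public key; a missing or malformed header fails.
func Verify(m Message, pub ed25519.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Headers["x-sig"])
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canon(m), sig)
}

// fromDomain pulls the domain out of a From header like "Bob <bob@example.net>".
func fromDomain(from string) string {
	addr := from
	if i := strings.LastIndex(from, "<"); i >= 0 {
		addr = strings.TrimSuffix(from[i+1:], ">")
	}
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(strings.TrimSpace(addr[i+1:]))
	}
	return ""
}

// Accept is the policy from the thread: mail whose From claims our own domain
// must carry a valid signature made with our key; other senders are not judged.
func Accept(m Message, ourDomain string, pub ed25519.PublicKey) bool {
	if fromDomain(m.Headers["from"]) != ourDomain {
		return true
	}
	return Verify(m, pub)
}

// Demo runs the cases from the thread on a constructed sample mail and reports
// whether each is accepted: a properly signed message, a forgery with no
// signature, a signed message whose Subject was altered, and a verbatim replay.
func Demo() (legit, forged, tampered, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const ourDomain = "example.net" // assumed domain for the example
	orig := Message{
		Headers: map[string]string{
			"from": "Alice <alice@example.net>", "to": "bob@example.org", "subject": "lunch",
			"date": "Thu, 30 Jul 2009 00:33:17 -0400", "message-id": "<1@example.net>",
		},
		Body: "noon?\r\n",
	}
	signed := Sign(orig, priv)
	legit = Accept(signed, ourDomain, pub)
	forged = Accept(orig, ourDomain, pub) // same From, never passed through our signer
	t := clone(signed)
	t.Headers["subject"] = "send money" // altered after signing
	tampered = Accept(t, ourDomain, pub)
	// A byte-for-byte copy of a real signed message still verifies: the signature
	// proves the key holder signed it, not that this particular delivery was intended.
	replayed = Accept(clone(signed), ourDomain, pub)
	return
}

func main() {
	l, f, t, r := Demo()
	fmt.Printf("legit=%v forged=%v tampered=%v replayed=%v\n", l, f, t, r)
}
```

Note what Accept does not do: it says nothing about mail from other domains, and it passes the replay. Closing the replay hole is exactly the "store state on the server" branch of the reply (remember Message-IDs or body hashes you have already seen), with the retention questions that brings.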