Waitman Gobble wrote:
SRS doesn't appear to me to be that exciting at the moment. It is an attempt to
encrypt the return path so that legit bounce-backs get passed through. The
problem is that it appears to me that the encrypted "return path" doesn't change.
So if you know the SRS header is
<[EMAIL PROTECTED]>
you can send me a whole bunch of "pretend" bounce backs. And basically this
header will definitely be available on every newsgroup and message board.
From what I understand, they realize this issue and are working it out.
I was wrong about that. I just read over the document regarding SRS. It includes the timestamp in the encrypted part, so bounces would only come in within a configured time frame. If you set your limit to 8 days, and a spammer gets ahold of your SRS address, they could send you fake bounce-backs for a maximum of 8 days.
I had mistakenly thought that only the source address was used to generate the encrypted part, and further misunderstood a reply I received this morning about it.
Waitman
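
The time-window check described in the message above, as an added example that is not part of the original post and is not taken from any SRS library: an SRS0-style rewrite where a keyed hash (HMAC) covers the timestamp, domain and local part. The secret, the forwarder domain, the tag length and the hex day encoding are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: the forwarder's private key
FORWARDER = "forwarder.example"      # assumption: the rewriting domain
MAX_AGE_DAYS = 8                     # the limit used in the post
DAY = 86400
SLOTS = 1024                         # day counter wraps, keeping the stamp short


def _day(now):
    return int(now // DAY) % SLOTS


def _tag(ts, domain, local):
    # The hash covers the timestamp too, so the stamp cannot be refreshed
    # by someone who only holds an old rewritten address.
    msg = f"{ts}={domain}={local}".lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(digest)[:6].decode()


def srs_forward(sender, now):
    """Rewrite sender into an SRS0-style return path stamped with today's day."""
    local, domain = sender.rsplit("@", 1)
    ts = format(_day(now), "03x")
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address, now):
    """Return the original sender for a bounce, or raise ValueError."""
    local_part, _, fwd = address.rpartition("@")
    if fwd.lower() != FORWARDER or not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this forwarder")
    try:
        tag, ts, domain, local = local_part[5:].split("=", 3)
        stamp = int(ts, 16)
    except ValueError:
        raise ValueError("malformed SRS0 address")
    if not hmac.compare_digest(tag.upper(), _tag(ts, domain, local)):
        raise ValueError("bad hash")
    # Modular age: a harvested address stops working after MAX_AGE_DAYS.
    if (_day(now) - stamp) % SLOTS > MAX_AGE_DAYS:
        raise ValueError("expired")
    return f"{local}@{domain}"
```

Within a single day the rewritten address is identical for the same sender, so a harvested copy can be replayed until the window closes; after that `srs_reverse` rejects it.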