On 2 Dec 1997, Charlie Comsec wrote:
> As long as blocking requests are authenticated with some sort of "cookie" token scheme, that would be acceptable. That goes for INDIVIDUAL blocking requests.
I used to require that people reply to a confirmation message before I would block them, but it was really too much effort. I check the headers, and as long as it looks like the request came from them, I block them and send them a message that they are blocked, so at least if it's a spoofed request, they will know they have been spoofed.
> Somewhat more discretion ought to be used for requests to block an entire domain. That should probably only be done upon request from the "postmaster" at that domain, and when an entire domain is blocked,
I do exactly that, or require a request from the internic-listed contact.
> The problem with eliminating any feature that gets abused is that it's an open invitation for someone to deliberately abuse it just to get it eliminated. Whenever possible, a solution should be sought which eliminates abuse while still allowing legitimate use.
Agreed, and I think I've worked out a reasonable compromise, because even if you do try to forge somebody, it should scream, "Hey, you should be suspicious about where this really came from."

Andy Dustman / Computational Center for Molecular Structure and Design
For a great anti-spam procmail recipe, send me mail with subject "spam".
Append "+spamsucks" to my username to ensure delivery. KeyID=0xC72F3F1D
Encryption is too important to leave to the government. -- Bruce Schneier
http://www.athens.net/~dustman mailto:andy@neptune.chem.uga.edu <}+++<
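
The "cookie" confirmation for blocking requests discussed in this message, sketched as an added example; it is not part of the original post and not any remailer's actual code. The secret, the one-week lifetime and all function names are assumptions, and domain-wide blocks are limited here to the postmaster address (a registry-contact lookup is out of scope).

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret held only by the operator
TTL = 7 * 24 * 3600               # assumption: cookie is valid for one week


def normalize(address: str) -> str:
    return address.strip().lower()


def _mac(address: str, expires: int) -> str:
    # Bind the cookie to one address and one expiry time.
    msg = f"block|{address}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(address: str, now: int) -> str:
    """Cookie mailed to `address`; only a reader of that mailbox can return it."""
    expires = now + TTL
    return f"{expires}.{_mac(normalize(address), expires)}"


def verify_cookie(address: str, cookie: str, now: int) -> bool:
    try:
        expires_s, mac = cookie.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed cookie
    if now > expires:
        return False  # stale confirmation
    expected = _mac(normalize(address), expires)
    return hmac.compare_digest(mac.encode(), expected.encode())


def may_block(target: str, requester: str, cookie: str, now: int) -> bool:
    """`target` is 'user@host' for one address or '@host' for a whole domain."""
    requester, target = normalize(requester), normalize(target)
    if not verify_cookie(requester, cookie, now):
        return False  # header alone is not proof; the cookie is
    if target.startswith("@"):
        return requester == "postmaster" + target  # domain-wide block
    return requester == target  # individuals may only block themselves
```

A forged From: header gets the cookie mailed to the real owner rather than the forger, so the forger cannot complete the request.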