Re: Forged addresses

--- begin forwarded text

Date: Fri, 27 Dec 1996 15:46:18 -0800
From: Chuq Von Rospach <chuqui@plaidworks.com>
Subject: Re: Forged addresses
To: listmom-talk@skyweyr.com
Mime-Version: 1.0
Precedence: Bulk
Reply-To: listmom-talk@skyweyr.com

At 2:20 AM -0800 12/27/96, Joshua D. Baer wrote:
> What I was concerned about was when I was sending a message with a From
> address of shaddar+@cmu.edu but a Sender of josh@grinch.res.cmu.edu and
> with an outgoing mail server of skyweyr.com. I think from your later
> comments that this would still be OK, wouldn't it?

Hmm. (rubbing forehead. God, it's been a long 24 hours...). Hmm. My gut feel is the answer is "maybe".

If someone's attempting to post a message to a list, I'd have no trouble accepting it if either the From or Sender matches a known subscriber. That'd be reasonable. I'm not particularly worried about the mail server in that case. If we end up with someone forging mail in someone else's name, we deal with it when it happens and can probably backtrack or otherwise limit it.

If they're trying to subscribe to a list, I have a problem with this, because the person admits they're subscribing an address not from who they say they are. I'd want validation of this in some way before trusting it. This is where the mailback subscription verification starts becoming more important. Once a person has verified they want on the list, I can relax a lot more about hard-core validation. It's verifying the address being subscribed wants to be subscribed that's the nasty piece.

I spent most of last night cleaning up after the spammers, and a good chunk of this morning. I also rewrote my cgi's to close a bunch of the loopholes and add a few toys to see if they'd trip, and a couple of hours, the spammer did, so I now know where he's coming from and how they're doing it (he's spoofing through the ANONYMIZER on top of everything else...) -- and left a little reminder there, so he now knows I know. Heh.

And I'm in process of closing the loopholes further. Not what I'd planned on doing, but obviously, it can't wait any longer. It's not that they can't be closed to a great degree, only that until this last round, it wasn't really needed. One idiot screwing it up for a lot of folks...

--
Chuq Von Rospach (chuq@solutions.apple.com) Software Gnome
Apple Server Marketing Webmaster <http://www.solutions.apple.com/>
Plaidworks Consulting (chuqui@plaidworks.com) <http://www.plaidworks.com/>
(<http://www.plaidworks.com/hockey/> +-+ The home for Hockey on the net)

I got no name or number/ I just hand out the lumber.
But if I get a chance to play/ I'm going to show 'em.
-- Stick Boy (The Hanson Brothers, SUDDEN DEATH)

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox,
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/
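
The policy described in the forwarded message (accept a post when either From or Sender matches a subscriber; require a mailback confirmation before a new address is subscribed), sketched as an added example that is not part of the original message or any list software mentioned in it. The function names, the in-memory stores and the sample message are constructed for illustration.

```python
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

subscribers = {"shaddar+@cmu.edu"}   # constructed sample subscriber list
pending = {}                         # address -> token awaiting mailback

# Constructed sample: From and Sender differ, as in the quoted question.
SAMPLE = (
    "From: shaddar+@cmu.edu\n"
    "Sender: josh@grinch.res.cmu.edu\n"
    "Subject: test post\n"
    "\n"
    "hello list\n"
)


def _addr(msg, header):
    """Return the lower-cased bare address from a header, or ''."""
    return parseaddr(msg.get(header, ""))[1].lower()


def may_post(raw):
    """Accept a post if either From or Sender is a known subscriber."""
    msg = message_from_string(raw)
    return bool({_addr(msg, "From"), _addr(msg, "Sender")} & subscribers)


def request_subscription(address):
    """Create the token that is mailed TO the address being subscribed.

    The requester's own headers are never trusted here: only someone who
    can read mail at `address` can return the token.
    """
    token = secrets.token_urlsafe(16)
    pending[address.lower()] = token
    return token


def confirm_subscription(address, token):
    """Subscribe only if the mailed-back token matches; tokens are single-use."""
    address = address.lower()
    expected = pending.get(address)
    if expected is None or not hmac.compare_digest(
            expected.encode(), token.encode()):
        return False
    del pending[address]
    subscribers.add(address)
    return True
```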