[Mailman-Developers] MTA load, custom messages, bounces

Peter C. Norton spacey-mailman@lenin.nu
Fri, 7 Dec 2001 18:40:15 -0800


On Fri, Dec 07, 2001 at 02:36:39PM -0500, Peter W wrote:
> On Thu, Dec 06, 2001 at 10:14:35PM -0500, Barry A. Warsaw wrote:
> 
> > I actually don't think that MTA-directed VERPing helps us out much.
> > Sure, it can give us an envelope sender that we can use for better
> > bounce detection[*]
> 
> How robust is the bounce detection? Even with VERP and/or good MTAs,
> is there enough smarts in the system to prevent a black hat from connecting 
> to the MTA on the mailman server and using fake bounce messages to
> knock someone off a list without their knowledge? 

You can avoid this by sending a test message to them and using a cookie
in the envelope-from that is a hash of a saved secret value that you can
compare to on the bounce.  If you get a bounce to the address that has the
proper hash, then you can pretty safely disable them (unless their
postmaster is out to get them.  But you can't save them from that).  If you
don't get the message bounced back then that email address isn't really (or
at least always) bouncing.

-- 
The 5 year plan:
In five years we'll make up another plan.
Or just re-use this one.
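
The probe-cookie check described in the reply above, as an added example (not part of the original post and not Mailman's own code). It uses HMAC-SHA256 keyed with the saved secret in place of a plain hash; the address layout, function names and one-week lifetime are assumptions.

```python
import hashlib
import hmac
import time

PROBE_TTL = 7 * 24 * 3600  # assumed window for accepting a probe bounce


def _cookie(secret: bytes, listname: str, member: str, issued: int) -> str:
    # HMAC over list, member and issue time, keyed with the saved secret.
    msg = f"{listname}\n{member.lower()}\n{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def probe_sender(secret, listname, member, domain, now=None):
    """Envelope-from for the test message sent to one suspect member."""
    issued = int(time.time() if now is None else now)
    cookie = _cookie(secret, listname, member, issued)
    return f"{listname}-probe+{issued:x}.{cookie}@{domain}"


def match_probe_bounce(secret, rcpt, pending, now=None):
    """Return the member in `pending` whose probe bounced to rcpt, else None."""
    now = int(time.time() if now is None else now)
    local = rcpt.rpartition("@")[0]
    listname, sep, tail = local.rpartition("-probe+")
    issued_hex, dot, cookie = tail.partition(".")
    if not (sep and dot):
        return None  # not a probe address: never disable on this alone
    try:
        issued = int(issued_hex, 16)
    except ValueError:
        return None
    if not 0 <= now - issued <= PROBE_TTL:
        return None  # stale or future-dated cookie
    for member in pending:
        expected = _cookie(secret, listname, member, issued)
        # Constant-time comparison; bytes so non-ASCII input raises no TypeError.
        if hmac.compare_digest(cookie.encode(), expected.encode()):
            return member
    return None
```

A bounce handler would disable a member only when `match_probe_bounce` returns that member's address, and treat every other bounce as advisory.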