Alun <auj@???> wrote:
>
>On outgoing mail, add a header containing a tag which changes every
>hour (e.g. MD5(secret . int(time/3600)))
>
>Keep a list of recent (say a month's worth?) tags that have been used.
>
>When a message from <> comes in, search it for any used tag and, if not
>present, drop the bounce.
>
>You could go further and make the tag cryptographically dependent on
>the message ID or something, but I think it would be best to keep the
>search simple.
That's what I'm planning to do, but I won't record the tags -- they
are hard to forge so the search merely needs to be for a valid tag
rather than one that has definitely been used. This is an important
simplification because it allows the bounce to come in to a different
machine from the one the original email left via, without the machines
needing to co-ordinate with each other.
The following adds the magic both to the message-ID (which allows you
to do identify legitimate replies) and to a separate header (so that
messages that already have a message-ID are not excluded). I also
include the authenticated user name, with an aim of making this part
of a q249 scheme. $acl_m0 remembers whether the sender is considered
to be friendly or not.
AUTHID = ${if def:authenticated_id {$authenticated_id} {-} }
MSGID_XTRA = ${if or{{ eq{$acl_m0}{true} } \
{ eq{$sender_host_address}{} }} \
{AUTHID.${hmac{sha1}{TmIDcftUoCCS} \
{E${message_id}.AUTHID@${primary_hostname}}}} \
{} }
MESSAGE_ID = <E${message_id}${if eq{MSGID_XTRA}{} {} \
{.MSGID_XTRA} }@${primary_hostname}>
message_id_header_text = MSGID_XTRA
# ...
warn condition = $acl_m0
message = X-Cam-MsgID: MESSAGE_ID
warn condition = $acl_m0
condition = ${if !def:h_Message-ID: {true} {false} }
message = Message-ID: MESSAGE_ID
I plan to make the bounce checking part of our SpamAssassin setup.
>I'm pretty sure I'm not the first person to think of this, so there must
>be a big flaw. Presumably the flaw lies in the previous paragraph. What do
>people think?
The main problem with it here is that there are many ways that messages
can be legitimately sent with a cam.ac.uk domain in the return path
without going through the central hub. This means there's a fair risk
of false positives, hence the use of SpamAssassin to make it a soft check.
Users that do always send email via the hub might be given a knob to make
the check stricter for them, I suppose.
Tony.
--
f.a.n.finch <dot@???>
http://dotat.at/
WHITBY TO THE WASH: SOUTHWEST 5 OR 6 LOCALLY 7. CLEAR OR SUNNY SPELLS, DRY,
FAIR. GOOD. MODERATE OR ROUGH.
