Fred Viles wrote:
> On 19 Mar 2004 at 23:41, Bruce Richardson wrote about
> "Re: [Exim] SMTP Auth doesn't preven":
>
>> --
>> On Fri, Mar 19, 2004 at 01:14:44PM -0800, Fred Viles wrote:
>>> Depending on what you want to accomplish, another option is to
>>> simply add an X- header to the message with the authenticated ID.
>>
>> I don't trust headers for any kind of sensitive or crucial
>> information.
>
> Like I said, "depending on what you want to accomplish". It doesn't
> seem to me that the authenticated user ID is either sensitive or
> crucial in the OP's case, but that's for him to judge.
I agree on this point, but like it's been said, it can depend on what your
views are. From a large perspective, preventing your own users from being
untraceable in the event they spam (willingly or not) outweighs the need for
secrecy of certain information.
If you authenticate with just a username, well chances are that it wouldn't
take much for someone to guess at it anyways - and what would they do with
it once they have it? At most a dictionary attack, but when was the last
time you saw someone try that in reality (pertaining to email)? I would say
it doesn't happen often - spammers have other things to do rather than try
and hack a bunch of email accounts. If you authenticate with your full
email address or something, well chances are again that people would already
know it or could get it eventually, so again nothing really sensitive here
is being divulged.
>
>> In this case, since the information can be verified directly, I don't
>> see the point of using a header. If you want an arbitrary
>> placeholder to avoid redoing some calculations, use the ACL
>> variables.
>
> I'm not trying to talk anyone into anything, but I wonder if you've
> misinterpreted something. The point is not to avoid recalculations,
> the point is to make sure that user's can't hide their real identity
> when they send messages.
There's no point in storing it in an ACL variable when you have it available
to you in a variable already ;) The header is for the receiving recipient -
if the message is spam and they try to report it, without this information
tracking down the spammer may be a little bit more involved (such as
filtering through message logs for the message ID, then getting some info
there or something), or possibly no longer possible if you cleared out log
information that once held the answer. So far I have found having an X-
header store the auth ID very useful, and I only wish other mail servers did
the same to allow for a much easier abuse reporting system all around. When
you're dealing with 40k+ users, having something like this potentially saves
you hours of work tracking down a user :) Now if only all those prog.
languages like PHP, ASP, CF and such would allow for SMTP authentication in
their mail functions so that you could force formmail users to authenticate
all their email too :P
Eli.
