Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Walt Reed
Date:  
To: Eli
CC: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On Sat, Mar 20, 2004 at 01:39:05PM -0500, Eli said:
> Fred Viles wrote:
> > On 19 Mar 2004 at 23:41, Bruce Richardson wrote about
> >     "Re: [Exim] SMTP Auth doesn't preven":

> >
> >> On Fri, Mar 19, 2004 at 01:14:44PM -0800, Fred Viles wrote:
> >>> Depending on what you want to accomplish, another option is to
> >>> simply add an X- header to the message with the authenticated ID.
> >>
> >> I don't trust headers for any kind of sensitive or crucial
> >> information.
> >
> > Like I said, "depending on what you want to accomplish". It doesn't
> > seem to me that the authenticated user ID is either sensitive or
> > crucial in the OP's case, but that's for him to judge.
>
> I agree on this point, but like it's been said, it can depend on what your
> views are. From a large perspective, preventing your own users from being
> untraceable in the event they spam (willingly or not) outweighs the need for
> secrecy of certain information.


Couldn't you just add a 3DES encrypted version of the authenticated ID in
an X- header? That way no privacy will be compromised, and you will
always know who sent a message. If that's too computationally expensive,
just do a DB lookup that has a hash of the ID.
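
The hashed-ID variant suggested above, as an added sketch that is not part of the original thread and is not Exim configuration: the server stamps each message with an opaque token derived from the authenticated ID and keeps the token-to-ID table to itself. It swaps in a keyed HMAC-SHA256 for the plain hash or 3DES mentioned in the post; the header name, key, and function names are assumptions.

```python
import hashlib
import hmac
from email.message import EmailMessage

# Assumed names and constructed sample values, not taken from the thread.
HEADER = "X-Auth-Token"
SECRET = b"constructed-demo-key"  # server-side only; never leaves the mail host


def token_for(auth_id: str) -> str:
    """Stable opaque token for an authenticated ID.

    Keyed, so a recipient cannot confirm a guessed ID by hashing it.
    """
    norm = auth_id.strip().lower().encode("utf-8")
    return hmac.new(SECRET, norm, hashlib.sha256).hexdigest()


def build_lookup(auth_ids):
    """The 'DB lookup': token -> authenticated ID, held by the server."""
    return {token_for(a): a for a in auth_ids}


def stamp(msg: EmailMessage, auth_id: str) -> EmailMessage:
    """Drop any client-supplied copy of the header, then add the server's."""
    del msg[HEADER]  # removes all occurrences; no error if absent
    msg[HEADER] = token_for(auth_id)
    return msg


def trace(msg: EmailMessage, lookup):
    """Resolve a reported message to an account; None if token is unknown."""
    values = msg.get_all(HEADER, [])
    if len(values) != 1:
        return None
    return lookup.get(str(values[0]).strip())
```
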