Author: Eli Date: To: exim-users Subject: RE: [Exim] SMTP Auth doesn't prevent users from sending as other users
Walt Reed wrote: > Couldn't you just add a 3DES encrypted version of the autheticated ID
> in an X- header? That way no privacy will be compromized, and you will
> always know who sent a message. If that's too computationally
> expensive, just do a DB lookup that has a hash of the ID.
Not a bad idea - I didn't think of this. However, depending on how long it
takes people to report spam, there may always be the case that we
catch/close an account before the reports come in, and if we clear out that
users info from our dbs, then we'll pull up blanks on the spam reports,
which could either mean to us that the account doesn't exist, or that the
data somehow is wrong or was tampered with (but I could find a solution to
the tamper issue).
Either way though - in my situation the auth ID is their "official" email
address with us, which I don't consider sensitive data at all. The only
reason I merely store a header and don't enforce any checks to restrict what
they can send as is because some of our clients may want to send as
different email addresses - however thinking about that it may be in my best
interest to actually do domain level restrictions (so they can only send as
any domain name they have with us).
