Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Kevin P. Fleming
Date:  
To: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
Eli wrote:

> Not a bad idea - I didn't think of this. However, depending on how long it
> takes people to report spam, there may always be the case that we
> catch/close an account before the reports come in, and if we clear out that
> user's info from our dbs, then we'll pull up blanks on the spam reports,
> which could either mean to us that the account doesn't exist, or that the
> data somehow is wrong or was tampered with (but I could find a solution to
> the tamper issue).


Tamper-proofing is easy; take the raw data that you want put into the
header, compute a checksum/CRC/etc. of it, append it to the original
data then encrypt the whole thing. When you get it back and decrypt, if
the checksum doesn't match the remainder of the data it was tampered
with (or just plain damaged).
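
The round trip described above, as an added example that is not part of the original message: it keeps the flow of attaching a check value, encrypting, and verifying on return, but uses a keyed HMAC-SHA256 computed over the ciphertext as the check value and, so that it runs on the Python standard library alone, an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher. The keys, function names and sample account string are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo keys (assumption); a deployment would load two independent secrets.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        block = hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(raw):
    """Encrypt the raw header data, then append a keyed check value."""
    data = raw.encode("utf-8")
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(data, _keystream(nonce, len(data)))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii")

def unseal(token):
    """Return the raw data, or None if the token was damaged or tampered with."""
    try:
        blob = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers bad base64 and non-ASCII input
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # check value mismatch: do not decrypt or trust the contents
    return _xor(ct, _keystream(nonce, len(ct))).decode("utf-8")

if __name__ == "__main__":
    token = seal("acct=1042;ts=2004-06-01T12:00:00Z")  # constructed sample data
    print(token, "->", unseal(token))
```

A token that verifies but names an account no longer in the database can then be read as a closed account rather than as bad data, since a modified token would have returned None.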