Author: Jan Ingvoldstad Date: To: exim users Subject: Re: [exim] EBL: blacklist for email addresses in Reply-To and
message bodies
On Wed, Jun 28, 2017 at 9:27 PM, Phil Pennock <pdp@???> wrote: > There could stand to be some privacy implications discussion too --
> you're sending out, over the wire in unencrypted DNS packets, a
> predictable derivation of the Reply-To: header received for every email
> from a given domain. Using a cryptographic checksum protects against
> casual snoopers knowing, but does not protect against those with a
> dictionary of email addresses generating a reverse map and using that
> for lookups, so undermines a chunk of the TLS-by-default work going on
> by leaking metadata. Usual RBLs only leak that there was communication
> from an IP, which a network traffic sniffer could see anyway.
Although SHA-1 is known to be weak, it's still a bit of work to brute
force it for a busy mailserver, but for a server that only sees
occasional traffic, there is legitimate concern.
SHA-256 would be nice.
Perhaps we (FSVO "we") should draft a proposal to the MSBL about using
SHA-256 instead?
