> >The only thing I could think of, was to have the authorized sender be a
> >secret email address and have all the email go out as XYZ@XYZ.COM. So, if
> >someone fakes, we would get a bounce message.

Hiding the actual posting address is a time-honored strategy that
generally works pretty well. Watch out whether or not your MTA puts
accounts in your Received headers, so it doesn't disclose for you.

Or you can, with things like majordomo, set up a list with ZERO valid
posting addresses, and use the "Approved:" password routines to send
messages. Anything sent to the address without the password is bounced
to you. That's something that you might be able to use if you can't go
mucking with aliases and Received lines...

Or you can do something I've done on some lists -- front-end your
posting address with procmail, and have procmail sanity-check it for
you. One thing I do, for instance, is hard-wire in the appropriate
addresses the mail will go through in the Received lines, and then
verify that they actually go through those sites (and that they don't
go through sites they're not supposed to....). That way, they not only
have to forge an address, but forge a whole set of e-mail headers --
assuming they know what paths it goes through and that I'm looking for
them.

Or you can do whatever you want in a procmail front end -- require a
given X-foobar list header, and bounce anything without it, then
remove the header before forwarding to the list. That could simulate
the password stuff if your mail server doesn't support password
approvals directly. Never thought you'd be inventing secret handshakes
with a computer program, right?

> The best way is to use PGP but alas is not well supported by mailing list
> systems.

Some day. We hope. At least SOME kind of decent signature.

--
Chuq Von Rospach (Hockey fan? <http://www.plaidworks.com/hockey/>)
Apple Mail List Gnome (mailto:chuq@apple.com)
Plaidworks Consulting (mailto:chuqui@plaidworks.com)
<http://www.plaidworks.com/> + <http://www.lists.apple.com/>
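
The front-end checks described in the message above (a required X-Foobar header that is stripped before forwarding, plus a hard-wired Received path), sketched as a Python filter that a procmail recipe or pipe alias could hand each post to. This is an added example, not code from the original post; the token value, relay host names and function names are assumptions made for illustration.

```python
import hmac
import re
from email import message_from_string

# Assumed values for illustration; only the header name comes from the post.
TOKEN_HEADER = "X-Foobar"
TOKEN = "constructed-shared-secret"                        # placeholder secret
REQUIRED_RELAYS = {"mail.poster.example", "lists.example"}  # path a real post takes
ALLOWED_RELAYS = REQUIRED_RELAYS | {"mx.lists.example"}     # nothing else may appear
_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def relay_hosts(msg):
    """Lower-cased host from the 'by' clause of every Received header."""
    found = (_BY.search(str(v)) for v in msg.get_all("Received", []))
    return {m.group(1).lower().rstrip(".") for m in found if m}

def check_post(raw):
    """Return (accepted, reason, message_to_forward_or_None)."""
    msg = message_from_string(raw)
    tokens = msg.get_all(TOKEN_HEADER, [])
    # Exactly one token header, compared in constant time.
    if len(tokens) != 1 or not hmac.compare_digest(
            str(tokens[0]).strip().encode(), TOKEN.encode()):
        return False, "missing or wrong token header", None
    # Only Received lines stamped by your own MTAs are trustworthy; the
    # rest is sender-supplied, so this raises the bar rather than proving origin.
    hosts = relay_hosts(msg)
    if not REQUIRED_RELAYS <= hosts:
        return False, "expected relay missing from Received path", None
    if hosts - ALLOWED_RELAYS:
        return False, "unexpected relay in Received path", None
    del msg[TOKEN_HEADER]          # strip the secret before the list sees it
    return True, "ok", msg.as_string()

# Constructed sample post and two rejected variants.
GOOD = (
    "Received: from mail.poster.example (mail.poster.example [192.0.2.10])\n"
    "\tby lists.example with ESMTP; Mon, 1 Jan 2001 00:00:01 +0000\n"
    "Received: from desk.poster.example by mail.poster.example with SMTP;\n"
    "\tMon, 1 Jan 2001 00:00:00 +0000\n"
    "From: announce@lists.example\n"
    "X-Foobar: constructed-shared-secret\n"
    "Subject: constructed sample\n"
    "\n"
    "Body\n"
)
NO_TOKEN = GOOD.replace("X-Foobar: constructed-shared-secret\n", "")
DIRECT = GOOD.replace("mail.poster.example", "dialup.other.example")
```

A rejected post would be bounced to the list owner rather than dropped, as the message describes for the majordomo "Approved:" case.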
References:
- Fake-ID, From: "Siamak Farah" <sia@infostreet.com>
- Re: Fake-ID, From: Manar Hussain <manar@ivision.co.uk>