> ...there is no BUG in IBM's SMTP software because it is not mandatory to
> perform the test in question. It is not a SECURITY HOLE because the
> standards demand that forged messages be taken at face value.
While I admit this is just semantics, I disagree. You may be leaving your
front door unlocked because you have to in order to allow your aged
grandmother admittance at all hours of the day or night, but leaving it
unlocked is still a security hole. :-)
I've been mulling the issue of mailing-list address verification for a while.
If it's important enough to people, we could certainly design some sort of
key-passing mechanism into the signup procedures for some mailing lists
-- for example:
Potential subscriber makes subscribe request;
List server replies with list charter and an arbitrary key built from
the potential subscriber's address, the time of day, and a special
password set by the list manager on the server end;
Potential subscriber must reply with this key within some arbitrary time
period in order to join the list.
When used, this assures that the subscriber is coming from a valid email
address. It may look like overkill now, but I'm willing to bet that it won't
look like overkill at this time next year . . .
::: Lazlo (firstname.lastname@example.org; http://www.swcp.com/lazlo)