return-path security
"D. J. Bernstein" <djb@koobera.math.uic.edu> Tue, 05 August 1997 20:43 UTC
Received: from cnri by ietf.org id aa28535; 5 Aug 97 16:43 EDT
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by cnri.reston.va.us (8.8.5/8.7.3) with ESMTP id QAA14248; Tue, 5 Aug 1997 16:41:59 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.5/8.7.3) id NAA11973 for ietf-822-bks; Tue, 5 Aug 1997 13:23:29 -0700 (PDT)
Received: from koobera.math.uic.edu (qmailr@koobera.math.uic.edu [131.193.178.247]) by mail.proper.com (8.8.5/8.7.3) with SMTP id NAA11969 for <ietf-822@imc.org>; Tue, 5 Aug 1997 13:23:26 -0700 (PDT)
Received: (qmail 28695 invoked by uid 666); 5 Aug 1997 20:28:14 -0000
Date: Tue, 05 Aug 1997 20:28:14 -0000
Message-ID: <19970805202814.28694.qmail@koobera.math.uic.edu>
From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
To: ietf-822@imc.org
Subject: return-path security
Sender: owner-ietf-822@imc.org
Precedence: bulk

Correcting an error; no discussion of subaddresses.

> What is the purpose of restricting postings based on the envelope address?
> It's obviously *not* a security issue as anyone can generate email from
> any address trivially (own a copy of Netscape?).

On the contrary.

1. The return path is a very convenient place to put cookies. With qmail, for example, a user can invoke ``cookie-check "$SENDER"'' before calling his usual mailing list manager.

The mailing list hides the return path, so the cookie isn't broadcasted to the mailing list. Of course, it's available in mail logs, but logs aren't public on well-run hosts. It's available to sniffers, but in any case the number of possible attackers has been drastically reduced.

This is one of the most effective low-cost security mechanisms. The main problem in practice is that, for many people, putting extra information into the return path is not as trivial as you claim.

2. Another research security application of return paths is aimed at the following problem: how do you protect subscribers from being flooded with mail when lists are cross-subscribed? Suppose every mailing list is subscribed to every other mailing list. What can the MLM do?

One answer is to set up Auto-Submitted on every mailing list. But this is naive; it doesn't let people use sublists.

What I've implemented in ezmlm is the following combination of techniques. Every mailing list sets the return path. Each sublist checks that the incoming return path matches its parent list. Primary mailing lists and MLMs generate Mailing-List fields, and reject messages with existing Mailing-List fields. Sublists demand Mailing-List fields.

The result is that cross-subscriptions between ezmlm mailing lists are eliminated. A primary mailing list won't accept messages that have passed through any ezmlm mailing list, since all ezmlm mailing lists have Mailing-List on all outgoing messages. A sublist won't accept messages from any ezmlm mailing list other than its parent, since all ezmlm mailing lists set the return path.

---Dan
Set up a new mailing list in a single command. http://pobox.com/~djb/ezmlm.html
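
The acceptance rules from point 2 of the message above, written out as an added example; this is not code from the post or from ezmlm. The function names, the `(prefix, domain)` way of describing a parent list's return path, and the sample addresses are assumptions made for illustration.

```python
from email import message_from_string

def accept(raw_message, return_path, parent=None):
    """Decide whether a list accepts an incoming message.

    parent=None      -> this is a primary list.
    parent=(p, d)    -> this is a sublist whose parent sends with return
                        paths whose local part starts with p at domain d
                        (assumed representation of "matches its parent").
    Returns (accepted, reason).
    """
    msg = message_from_string(raw_message)
    has_ml = msg.get("Mailing-List") is not None
    if parent is None:
        # Primary lists reject anything that already passed through a list.
        if has_ml:
            return False, "primary: existing Mailing-List field"
        return True, "primary: accepted"
    # Sublists demand Mailing-List and a return path set by the parent.
    if not has_ml:
        return False, "sublist: no Mailing-List field"
    local, _, domain = return_path.rpartition("@")
    prefix, parent_domain = parent
    if domain.lower() != parent_domain.lower() or not local.startswith(prefix):
        return False, "sublist: return path is not the parent's"
    return True, "sublist: accepted"

def distribute(raw_message, list_info, own_return_path):
    """Outgoing side: every list stamps Mailing-List and sets the return path."""
    msg = message_from_string(raw_message)
    if msg.get("Mailing-List") is None:
        msg["Mailing-List"] = list_info
    return msg.as_string(), own_return_path

# Constructed sample post and addresses (not taken from the page).
POST = "From: alice@example.org\nTo: a@lists.example\nSubject: hi\n\nbody\n"
A_PARENT = ("a-return-", "lists.example")
B_PARENT = ("b-return-", "lists.example")

if __name__ == "__main__":
    out, rp = distribute(POST, "list a@lists.example",
                         "a-return-17-bob=example.net@lists.example")
    for label, parent in (("primary B", None), ("sublist of A", A_PARENT),
                          ("sublist of B", B_PARENT)):
        print(label, accept(out, rp, parent))
```
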