return-path security

"D. J. Bernstein" <> Tue, 05 August 1997 20:43 UTC

Date: Tue, 05 Aug 1997 20:28:14 -0000
From: "D. J. Bernstein" <>
Subject: return-path security
Precedence: bulk

Correcting an error; no discussion of subaddresses.

> What is the purpose of restricting postings based on the envelope address?
> It's obviously *not* a security issue as anyone can generate email from
> any address trivially (own a copy of Netscape?).

On the contrary.

1. The return path is a very convenient place to put cookies.

With qmail, for example, a user can invoke ``cookie-check "$SENDER"''
before calling his usual mailing list manager.

The mailing list hides the return path, so the cookie isn't broadcast
to the mailing list. Of course, it's available in mail logs, but logs
aren't public on well-run hosts. It's available to sniffers, but in any
case the number of possible attackers has been drastically reduced. This
is one of the most effective low-cost security mechanisms.

The main problem in practice is that, for many people, putting extra
information into the return path is not as trivial as you claim.

2. Another research security application of return paths is aimed at the
following problem: how do you protect subscribers from being flooded
with mail when lists are cross-subscribed? Suppose every mailing list is
subscribed to every other mailing list. What can the MLM do?

One answer is to set up Auto-Submitted on every mailing list. But this
is naive; it doesn't let people use sublists.

What I've implemented in ezmlm is the following combination of
techniques. Every mailing list sets the return path. Each sublist checks
that the incoming return path matches its parent list. Primary mailing
lists and MLMs generate Mailing-List fields, and reject messages with
existing Mailing-List fields. Sublists demand Mailing-List fields.

The result is that cross-subscriptions between ezmlm mailing lists are
eliminated. A primary mailing list won't accept messages that have
passed through any ezmlm mailing list, since all ezmlm mailing lists
have Mailing-List on all outgoing messages. A sublist won't accept
messages from any ezmlm mailing list other than its parent, since all
ezmlm mailing lists set the return path.

Set up a new mailing list in a single command.
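An added example (Python, not qmail's or ezmlm's own code) modelling the two mechanisms in the message above: a keyed cookie checked against $SENDER, and the Mailing-List/return-path rules that cut loops between cross-subscribed lists. The user-COOKIE@domain layout, the list addresses and the Mailing-List value are assumptions.

```python
import hmac
import hashlib

# Constructed model of the checks described in the message, not ezmlm/qmail code.
# Assumed cookie layout: the subscriber's return path is user-COOKIE@domain.

def make_cookie(secret: bytes, user: str, domain: str) -> str:
    """Short keyed hash the subscriber embeds in his return path."""
    msg = f"{user}@{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

def cookie_check(secret: bytes, sender: str) -> bool:
    """Stand-in for cookie-check "$SENDER": accept only a correctly cookied envelope sender."""
    local, at, domain = sender.partition("@")
    user, dash, cookie = local.rpartition("-")
    if not at or not dash:
        return False
    expected = make_cookie(secret, user, domain)
    return hmac.compare_digest(cookie.encode(), expected.encode())

def list_relay(list_return_path: str, headers: dict) -> tuple:
    """Every ezmlm list sets the return path and adds a Mailing-List field."""
    out = dict(headers)
    out["Mailing-List"] = f"contact {list_return_path}"  # constructed value
    return list_return_path, out

def primary_accepts(headers: dict) -> bool:
    """A primary list rejects anything that already carries Mailing-List."""
    return "Mailing-List" not in headers

def sublist_accepts(parent_return_path: str, return_path: str, headers: dict) -> bool:
    """A sublist demands Mailing-List and a return path equal to its parent's."""
    return "Mailing-List" in headers and return_path.lower() == parent_return_path.lower()

def cross_subscription_demo() -> dict:
    """Two primary lists subscribed to each other, plus a sublist of the first (constructed)."""
    a_rp, b_rp = "a-return@example.com", "b-return@example.com"
    original = {"From": "alice@example.org", "Subject": "hello"}
    # alice posts to A; A relays to its subscribers, which include B and A's sublist
    rp, msg = list_relay(a_rp, original)
    results = {"a_accepts_alice": primary_accepts(original)}
    results["b_accepts_a_copy"] = primary_accepts(msg)             # loop is cut here
    results["sub_a_accepts_a_copy"] = sublist_accepts(a_rp, rp, msg)
    # the same post relayed by B instead is refused by A's sublist (wrong return path)
    rp_b, msg_b = list_relay(b_rp, original)
    results["sub_a_accepts_b_copy"] = sublist_accepts(a_rp, rp_b, msg_b)
    # a message that never passed through a list lacks Mailing-List, so the sublist refuses it
    results["sub_a_accepts_direct"] = sublist_accepts(a_rp, "alice@example.org", original)
    return results
```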