On 17 Feb 2018, at 12:55 (-0500), Al Iverson wrote:

> On Sat, Feb 17, 2018 at 12:43 PM, John Levine <jo...@taugh.com> wrote:
> > In article <caaqnkjcbexdxv0kf4tkrmum8gq-ohhltjzg8pn1b1behryi...@mail.gmail.com> you write:
> > > I am saying that I think it's unwise to put what amounts to
> > > subscriber-level PII or basically clear identifiers in the Return
> > > Path/MFROM, if mail back to that address is interpreted as an
> > > indication that an action should be taken (like logging a bounce and
> > > potentially stopping future mail to that recipient). It's an open slot
> > > where an external actor could insert something to cause actions beyond
> > > the expected ones. That counts as a security concern in my book.

> > Given that pretty much every message from an ESP has the recipient's
> > address on the To: line of the message, I'd put that particular risk
> > on the last page of my book. If you want to fake a bounce from someone
> > you certainly don't need VERP to do it.

> Missing the point there. It has nothing to do with knowing the To:
> address for a given recipient. If the VERP string fields are just
> simple numeric identifiers,

Straw man. Amateurs use sequential numbers. Incompetents use decimal numbers. Competent professionals use uniformly distributed keyed hashes.

> a bad actor could send ones with
> incremented or otherwise changed numbers to make the bounce handling
> system log bounces to the wrong recipient address. They could falsify
> bounces for recipients without knowing those recipients' email
> addresses.

Shall we do a bit of math on that?

We've got 64 characters available for a local-part. Sacrifice one to escape one-off errors. At 6 bits/character (conservative mail-safe base64 or binhex charset) that's 378 bits, literally enough to give each lepton and hadron in the visible universe its own ID, with an IPv4 space left over FOR EACH PARTICLE, plus another for each of those particle's IoT devices...

The point is: this is a monstrously sparse space for an ESP to scatter their VERP identities across. It's larger than anyone needs to hide a set of identifier tokens. Suppose you want the local-part to include identifiers for customer ID, campaign ID, and target address. Give each of those 10 Base64 characters and you have a quintillion (10^18) possible values for each one. Use a suitable algorithm to generate those IDs and bad actors have no chance of generating credible fake bounces.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
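As an added illustration of the keyed-hash VERP scheme Bill describes above (this is example code written for this page, not code from the thread or from any ESP): each of the three fields (customer ID, campaign ID, recipient) becomes a 10-character token derived from an HMAC-SHA256 under a server-side secret, rendered in the URL-safe base64 alphabet, and the bounce handler only acts on token triples it actually issued. The secret key, the `bounce.example.net` domain, the `b+` prefix, the in-memory registry and the sample addresses are all constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed secret for this example; an ESP would hold it in a secret store.
SECRET_KEY = b"constructed-example-key-not-for-production"

# 10 URL-safe base64 characters per field = 60 bits, roughly the
# "quintillion (10^18) possible values" per field from the post.
TOKEN_CHARS = 10

# Tokens issued at send time: (customer, campaign, recipient) tokens -> recipient.
# An ESP would keep this in a database table; here it is a constructed dict.
_issued: Dict[Tuple[str, str, str], str] = {}


def keyed_token(field_name: str, value: str) -> str:
    """HMAC-SHA256 over a labelled field, truncated to TOKEN_CHARS characters.

    The URL-safe base64 alphabet (A-Z, a-z, 0-9, '-', '_') is entirely legal
    in an SMTP local-part, and tokens never contain '.', which we use as
    the separator between fields."""
    msg = f"{field_name}={value}".encode("utf-8")
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:TOKEN_CHARS]


def issue_return_path(customer_id: str, campaign_id: str, recipient: str,
                      bounce_domain: str = "bounce.example.net") -> str:
    """Build the MFROM / Return-Path for one outbound message and record it.

    The recipient token is bound to the campaign, so the same subscriber
    gets a different token in every mailing."""
    tokens = (keyed_token("customer", customer_id),
              keyed_token("campaign", campaign_id),
              keyed_token("recipient", f"{campaign_id}/{recipient}"))
    _issued[tokens] = recipient
    return "b+" + ".".join(tokens) + "@" + bounce_domain


def handle_bounce(return_path: str,
                  bounce_domain: str = "bounce.example.net") -> Optional[str]:
    """Resolve the Return-Path of an inbound bounce to the recipient it was
    issued for. Anything we did not issue resolves to None, so a guessed
    or modified token is never logged against someone else's address."""
    local, sep, domain = return_path.rpartition("@")
    if sep != "@" or domain.lower() != bounce_domain or not local.startswith("b+"):
        return None
    parts = local[2:].split(".")
    if len(parts) != 3 or any(len(p) != TOKEN_CHARS for p in parts):
        return None
    return _issued.get((parts[0], parts[1], parts[2]))


def tamper(return_path: str) -> str:
    """Constructed stand-in for the 'incremented number' attack in the thread:
    change one character of the recipient token."""
    local, _, domain = return_path.rpartition("@")
    replacement = "A" if local[-1] != "A" else "B"
    return local[:-1] + replacement + "@" + domain


def local_part_length(return_path: str) -> int:
    """Length of the local-part, to check against the 64-character limit."""
    return len(return_path.rpartition("@")[0])


if __name__ == "__main__":
    rp = issue_return_path("cust-42", "spring-sale", "alice@example.org")
    print("issued:   ", rp, "(local-part", local_part_length(rp), "chars)")
    print("genuine:  ", handle_bounce(rp))
    print("tampered: ", handle_bounce(tamper(rp)))
```

Because the tokens are keyed, deriving a neighbouring recipient's token from one observed address requires the secret, and because the handler only consults its own registry, an unrecognised triple is simply dropped rather than interpreted. The same lookup is what lets a sending system keep the bounce local-part well under 64 characters (here 34) while spending far more entropy than any forger can enumerate.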

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
