Follow-up Comment #2, sr #110907 (project administration):

You currently send a notification email for comments on bugs with the reply address configured as some invalid address like invalid.nore...@gnu.org.

You could construct an email address like <hash>@savannah.nongnu.org where <hash> is a cryptographic checksum of a string like:

sitesalt,usersalt,username,sr#110907,comment1

where usersalt is a number, incremented whenever spoofing is discovered (for example, if an email has been published including its addresses).

There are various schemes you might want to use such as

sitesalt,usersalt,referencesalt,username,srnum,comment1

where referencesalt is a salt for the service request which can be changed when spoofing is discovered, etc.

You might want to validate the From address against addresses the user has nominated in their settings.

You might prefer to allow users to load several public certificates used to sign their emails instead of or in addition to using salts and validated From addresses.

You might be able to use standard headers used to reference messages in message board systems if email clients still follow the RFCs these days instead of relying on the reply-to address but I would expect a lot of email composers don't bother any more.

I would expect this is a solved problem by now with well-known solutions.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?110907>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
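One way to build and check the hashed reply address proposed in the comment above, as an added example that is not part of the original message or Savannah's code. It assumes HMAC-SHA256 keyed with the site salt in place of a plain checksum of the joined string; `reply_token`, `ReplyRouter`, the user `alice` and the salt value are hypothetical.

```python
import hashlib
import hmac

DOMAIN = "savannah.nongnu.org"  # reply domain named in the comment

def reply_token(site_salt: bytes, user_salt: int, username: str,
                item: str, comment: str) -> str:
    """Keyed checksum over usersalt,username,item,comment (assumed HMAC-SHA256)."""
    fields = (str(user_salt), username, item, comment)
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    # 32 hex chars = 128 bits, well inside the 64-character local-part limit.
    return hmac.new(site_salt, msg, hashlib.sha256).hexdigest()[:32]

class ReplyRouter:
    """Hypothetical tracker-side table of issued reply addresses."""

    def __init__(self, site_salt: bytes):
        self.site_salt = site_salt
        self.user_salts = {}  # username -> counter, bumped when spoofing is found
        self.issued = {}      # token -> (username, item, comment)

    def issue(self, username: str, item: str, comment: str) -> str:
        salt = self.user_salts.setdefault(username, 0)
        token = reply_token(self.site_salt, salt, username, item, comment)
        self.issued[token] = (username, item, comment)
        return f"{token}@{DOMAIN}"

    def revoke_user(self, username: str) -> None:
        # Incrementing usersalt invalidates every address issued to this user.
        self.user_salts[username] = self.user_salts.get(username, 0) + 1

    def resolve(self, address: str):
        """Return (username, item, comment) for a valid reply address, else None."""
        local, _, domain = address.strip().lower().partition("@")
        entry = self.issued.get(local) if domain == DOMAIN else None
        if entry is None:
            return None
        username, item, comment = entry
        expected = reply_token(self.site_salt, self.user_salts.get(username, 0),
                               username, item, comment)
        # Recompute with the current salt so revoked addresses stop working.
        return entry if hmac.compare_digest(expected, local) else None

if __name__ == "__main__":
    router = ReplyRouter(b"constructed-site-salt")  # constructed sample secret
    addr = router.issue("alice", "sr#110907", "comment1")  # "alice" is constructed
    print(addr, router.resolve(addr))
    router.revoke_user("alice")
    print(router.resolve(addr))  # None after the salt bump
```

The token only authenticates the recipient address; the From-address check and signed-mail options mentioned in the comment would be separate layers on top of it.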