Follow-up Comment #2, sr #110907 (project administration):
You currently send a notification email for comments on bugs with the reply
address configured as some invalid address like invalid.nore...@gnu.org.
You could construct an email address like <hash>@savannah.nongnu.org where
<hash> is a cryptographic checksum of a string like:
sitesalt,usersalt,username,sr#110907,comment1
where usersalt is a number, incremented whenever spoofing is discovered (for
example, if an email has been published including its addresses). There are
various schemes you might want to use such as
sitesalt,usersalt,referencesalt,username,srnum,comment1 where referencesalt is
a salt for the service request which can be changed when spoofing is
discovered, etc.
You might want to validate the From address against addresses the user has
nominated in their settings. You might prefer to allow users to load several
public certificates used to sign their emails instead of or in addition to
using salts and validated From addresses.
You might be able to use standard headers used to reference messages in
message board systems if email clients still follow the RFCs these days
instead of relying on the reply-to address but I would expect a lot of email
composers don't bother any more.
I would expect this is a solved problem by now with well-known solutions.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/support/?110907>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
