On Sat, Apr 13, 2002 at 06:51:35AM +0200, Tony L. Svanstrom wrote:
> Just to point out the blatantly obvious to most, nobody should use
> this system-wide without changing the lines to include some simple
> rudimentary per-user password... unless you want one user to be
> able to cause another user's mail to be junked (at best... if you're
> not using spamd, then a custom rule can be defined in a user prefs
> turning this into a potential remote access hole[1]).

Absolutely. I meant to put in, and I don't know why I forgot: this is a
proof-of-concept snippet, not what you'd want to roll out to all of your
users. Sorry about that. I wrote this up right before going to bed last
night. <G>

I thought about what security one could put into the rules, but couldn't
come up with anything I really liked:

- Verify the "From:" header? Too easy to fake.
- Specify a password on the subject line? Likely to have users with bad
  passwords, or reusing important passwords, or ... It would also be sent
  around in cleartext.
- Use PGP/GPG to sign the messages. Secure, but hard to implement since
  most users don't use/have access to these programs.

I think the version that I'm going to end up with will avoid email
altogether. Probably some form of username/password/SSL protected website
where one can deal with all the configuration stuff. The email version is
a good idea if you're just a user and want to set something up for
yourself, but there are better ways to do it.

-- 
Randomly Generated Tagline:
Linux: Because a PC is a terrible thing to waste.
(By [EMAIL PROTECTED], Mark Komarinski)

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk